Role Based Access Control (RBAC)

Role Based Access Control (RBAC) is an approach that restricts system access to authorized users. The authorization model is role-based. A role-based model has three items: sub, obj, and act.

  • sub: the user (role) that wants to access a resource.

  • obj: the resource that is going to be accessed.

  • act: the operation that the user performs on the resource.

The RBAC data model is implemented in RBFS, and it allows you to define permissions or user roles for various types of resources.

The model contains:

  • Resource Type: The type of resource we are talking about (for example, BDS Table, BDS Object, REST)

  • Resource: The identifier of the Resource (for example, Table Name, Rest endpoints). Regular expressions are allowed.

  • Permissions: Indicates the action that a user is allowed to perform on the resource. The permissions are CRUD (Create, Read, Update, Delete). The meaning of each permission depends on the resource type.

  • Role: The role of a user who tries to access a resource.

CTRLD Authorization Configuration

Activate or Deactivate Authorization in CTRLD

"auth_disabled": true

Permissions in CTRLD are specified exactly as described above, where sub is the role a user needs to have, obj specifies the URL endpoint the user wants to reach, and act is the HTTP method the user wants to call on the endpoint.

For example:

{
 "permissions": [
   {"sub": "supervisor", "obj": "/*", "act": ".*" },
   {"sub": "reader", "obj": "/*", "act": "GET"},
   {"sub": ".*", "obj": "/api/v1/rbfs/elements/\{element_name}/services/\{service_name}/proxy/*", "act": ".*"}
 ]
}

  • The user with the role supervisor is allowed to access all REST endpoints, and act on them with all HTTP methods.

  • The user with the role reader is allowed to access all REST endpoints, but can only call the HTTP GET method.

  • All authenticated users are allowed to access the proxy endpoint with all HTTP methods.

To configure that policy, CTRLD offers two endpoints:

  • PUT /api/v1/ctrld/authorization/permissions

  • GET /api/v1/ctrld/authorization/permissions

Please refer to the API Documentation for more information.
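As an added illustration (not CTRLD code), this Python example evaluates the example policy above with a default-deny check and lists rules that apply to every role. It assumes sub and act are regular expressions matched against the whole string, and that in obj a * matches any remainder and {name} matches one path segment; CTRLD's actual matcher may differ. The helper names, the role guest and the proxy path are constructed.

```python
import json
import re

# Policy from the example above. Roles and paths used for checks are constructed.
POLICY = json.loads(r'''
{"permissions": [
  {"sub": "supervisor", "obj": "/*", "act": ".*"},
  {"sub": "reader", "obj": "/*", "act": "GET"},
  {"sub": ".*", "obj": "/api/v1/rbfs/elements/{element_name}/services/{service_name}/proxy/*", "act": ".*"}
]}''')
PERMS = "/api/v1/ctrld/authorization/permissions"
PROXY = "/api/v1/rbfs/elements/leaf1/services/svc1/proxy/anything"  # constructed

def obj_to_regex(obj):
    """ASSUMPTION: '*' matches any remainder, '{name}' matches one path segment."""
    parts = []
    for tok in re.split(r"(\*|\{[^}]*\})", obj):
        if tok == "*":
            parts.append(".*")
        elif tok.startswith("{") and tok.endswith("}"):
            parts.append("[^/]+")
        else:
            parts.append(re.escape(tok))
    return re.compile("".join(parts))

def is_allowed(policy, role, method, path):
    """Default deny: allow only when one rule matches role, path and method.
    ASSUMPTION: sub and act are regexes that must match the whole string."""
    return any(
        re.fullmatch(rule["sub"], role)
        and obj_to_regex(rule["obj"]).fullmatch(path)
        and re.fullmatch(rule["act"], method)
        for rule in policy["permissions"]
    )

def any_role_rules(policy, probe="role-not-defined-anywhere"):
    """Rules whose sub matches an arbitrary role name; review these first."""
    return [r for r in policy["permissions"] if re.fullmatch(r["sub"], probe)]

if __name__ == "__main__":
    checks = [("reader", "GET", PERMS), ("reader", "PUT", PERMS),
              ("reader", "DELETE", PROXY), ("guest", "GET", PERMS)]
    for role, method, path in checks:
        verdict = "allow" if is_allowed(POLICY, role, method, path) else "deny"
        print(f"{role:<8} {method:<6} {path} -> {verdict}")
    for rule in any_role_rules(POLICY):
        print("matches any role:", rule)
```

Under these assumptions, reader is allowed DELETE on the proxy path even though its own rule is limited to GET, because the rule with sub ".*" applies to every role.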

RBFS Authorization Configuration

RBFS Role Configuration via REST

{
 "objects": [
   { "attribute": { "role": "operator", "permission": "create|read|delete", "resource_regex": "global.*", "resource_type": "object" } },
   { "attribute": { "role": "operator", "permission": "create|read|delete", "resource_regex": "global.*", "resource_type": "table" } }
 ],
 "table": { "table_name": "secure.global.rbac.authorization.config", "table_type": "authorization_config_table" }
}

{
 "objects": [
   { "attribute": { "role": "user", "permission": "-|read|-", "resource_regex": "global.*", "resource_type": "table" } },
   { "attribute": { "role": "user", "permission": "-|read|-", "resource_regex": "global.*", "resource_type": "object" } }
 ],
 "table": { "table_name": "secure.global.rbac.authorization.config", "table_type": "authorization_config_table" }
}

  • role: Represents the role in the system.

  • resource_type: Represents resources in the RBFS (table|object).

  • resource_regex: Regex for the resources to be accessed.

  • permission: Bitmap representing permissions to create, read and delete, written in the form create|read|delete, with - in place of a permission that is not set (as in -|read|- above).

| Action | BDS Table | BDS Object |
|--------|-----------|------------|
| Create | Create a BDS Table | Create/Update a BDS Object |
| Read | Read Table Header Objects or Metadata | Read BDS Objects |
| Delete | Delete a BDS Object | Delete a BDS Object |

RBFS Authorization CLI Configurations

Global user role configuration:

set system authorization global role <name> rbac-permission <resource-type> <resource-regex> permission <permission-map>

  • role: Represents the role in the system.

  • resource_type: Represents resources in the RBFS (table/object).

  • resource_regex: Regex for the resources to be accessed.

  • permission: Bitmap representing permissions to create, read and delete. Possible values:

      -/-/-
      -/-/delete
      -/read/-
      -/read/delete
      create/-/-
      create/-/delete
      create/read/-
      create/read/delete

Example
admin@rtbick: cfg> set system authorization global role admin rbac-permission table global.* permission create/read/delete

Lawful user role configuration

set system authorization lawful role <name> rbac-permission <resource-type> <resource-regex> permission <permission>

  • role: Represents the lawful interceptor (LI) role in the system.

  • resource_type: Represents resources in the RBFS (table/object).

  • resource_regex: Regex for the resources to be accessed.

  • permission: Bitmap representing permissions to create, read and delete. Possible values:

      -/-/-
      -/-/delete
      -/read/-
      -/read/delete
      create/-/-
      create/-/delete
      create/read/-
      create/read/delete

Example
admin@rtbick: cfg> set system authorization lawful role fbi rbac-permission table local.* permission -/read/-