Role-based access control configuration

Role-based access control (RBAC) in the SecureAuth® Identity Platform (formerly SecureAuth IdP) enables flexible visibility into appliance configurations. Many users can access the Web Admin, but only certain users can make changes, and only some can view and modify everything. This feature allows you to define roles in the appliance settings and restrict who has access to configurations and who can change them.

Note

At this time, the Identity Platform cloud instance does not yet support role-based access control (RBAC).

Role-based access control separates users into three (3) role types:

Super Admins

Super Admins are the only users who can control every aspect of the system.

To act as a Super Admin, the user must connect to the Identity Platform appliance over Remote Desktop Protocol (RDP) and access the Web Admin from that session.

Note

Role-based access control was introduced in SecureAuth IdP version 9.0.1. Prior to this version, Super Admins were the only users who could perform the tasks that the Administrator role can now perform.

Administrators

Administrator rules determine which realms administrators can view and modify, according to their permissions.

The administrator role accesses the Identity Platform Web Admin by means of a web browser.

Auditors

Auditor rules determine which realms auditors have read-only access to, according to their permissions. Auditors can edit information in the fields, but cannot save changes.

The auditor role accesses the Identity Platform Web Admin by means of a web browser.

More role definitions in detail

The following table provides more detail about the level of permissions for each role.

Function                                            Super Admin   Administrator                      Auditor
View realm configurations                           All realms    With specified realm permissions   With specified realm permissions
Modify realm configurations                         All realms    With specified realm permissions   N
View Admin realm (SecureAuth0)                      Y             With specified realm permissions   With specified realm permissions
Modify Admin realm (SecureAuth0)                    Y             With specified realm permissions   N
View specialized realms (App enrollment)            Y             With specified realm permissions   With specified realm permissions
Modify specialized realms (App enrollment)          Y             With specified realm permissions   N
Requires RDP access                                 Y             N                                  N
Use Web Admin tools (update / decrypt web.config)   Y             N                                  N
Create new realms                                   Y             N                                  N
View / modify API configurations                    Y             N                                  N
View / modify web.config file                       Y             N                                  N

To activate role-based access control, an LDAP directory (Active Directory or another LDAP directory) must be integrated with the Admin Realm (SecureAuth0). The Identity Platform integration retrieves the directory user group information and applies the role-based controls from it. Users are then required to use their directory credentials to log in to the Web Admin (SecureAuth0).

Prerequisites

  • Access to the Identity Platform appliance via Remote Desktop Protocol (RDP).

  • Data store directory (for example, an LDAP directory such as Active Directory) integrated with the Identity Platform Admin Realm (SecureAuth0) on the Data tab.

  • Groups established in the data store directory to which the role-based rules apply.

Identity Platform configuration

To create role-based rules for access, you will need to first activate Access Control in the Identity Platform and then create the role-based rules for administrators and auditors.

Activate the Access Control panel

  1. As a Super Admin, use RDP to connect to the Identity Platform appliance, and then access the Web Admin.

  2. On the Web Admin home page, in the top menu bar, click Access Control.

    Only Super Admins can see this option, and it is accessible only from an RDP session.

  3. Click Activate Access Control.

Create and activate the first rule

Once Access Control is activated, you can create, activate and manage role-based rules.

  1. Set the following:

    Name

    Set the name of the rule.

    This rule displays on the Access Control Panel page.

    Description

    Provide descriptive text about the rule.

    Realms

    Select the Identity Platform realms to which this access control rule applies.

    User Groups with Read and Write Permissions

    Select the data store (LDAP) directory user groups to which Administrators belong, giving them read and write permissions to the specified realms.

    The Access Control Rule form pulls information from the directory for auto-fill options.

    User Groups with Read-Only Permissions

    Select the data store (LDAP) directory user groups to which Auditors belong, giving them read-only permissions to specified realms.

    It is not required to select a user group in this field, but at least one of the two user group fields must be set.

  2. Click Save Rule.

    When the first rule is created, the Identity Platform sends a notification to the Super Admin indicating that Access Control is enabled.

  3. In the Access Control panel, move the rule slider to publish and activate the rule.
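As an added illustration (not SecureAuth's own code), the following Python models how the permission table and the rule form above combine into an access decision. The realm and group names are constructed, and the handling of overlapping rules (the most permissive active rule wins) is an assumption, since the page does not state it.

```python
from dataclasses import dataclass, field

# Functions the permission table reserves for Super Admins, who must come in over RDP.
SUPER_ADMIN_ONLY = {"create_realm", "web_admin_tools", "api_config", "web_config"}

@dataclass
class Rule:
    """One Access Control rule: the realms it covers and the directory groups it grants to."""
    name: str
    realms: set
    rw_groups: set = field(default_factory=set)  # User Groups with Read and Write Permissions
    ro_groups: set = field(default_factory=set)  # User Groups with Read-Only Permissions
    active: bool = False                         # published with the slider in the panel

    def is_valid(self):
        # The read-only field may stay empty, but at least one group field must be set.
        return bool(self.rw_groups or self.ro_groups)

def realm_access(user_groups, realm, rules, super_admin_rdp=False):
    """Return 'rw', 'ro' or None for one realm (assumption: most permissive active rule wins)."""
    if super_admin_rdp:
        return "rw"                # Super Admin: all realms
    level = None
    for rule in rules:
        if not rule.active or realm not in rule.realms:
            continue               # unpublished rules grant nothing
        if user_groups & rule.rw_groups:
            return "rw"            # Administrator on this realm
        if user_groups & rule.ro_groups:
            level = "ro"           # Auditor: can edit fields but cannot save
    return level

def can(action, user_groups, realm, rules, super_admin_rdp=False):
    """Decide 'view', 'modify' or one of the SUPER_ADMIN_ONLY functions."""
    if action in SUPER_ADMIN_ONLY:
        return super_admin_rdp
    level = realm_access(user_groups, realm, rules, super_admin_rdp)
    if action == "view":
        return level in ("rw", "ro")
    if action == "modify":
        return level == "rw"
    raise ValueError(f"unknown action {action!r}")

# Constructed sample rules; the group names are hypothetical.
RULES = [
    Rule("Helpdesk realms", {"SecureAuth1", "SecureAuth2"},
         rw_groups={"IdP-Admins"}, ro_groups={"IdP-Auditors"}, active=True),
    Rule("Admin realm read-only", {"SecureAuth0"}, ro_groups={"IdP-Auditors"}, active=True),
    Rule("Draft", {"SecureAuth3"}, rw_groups={"IdP-Admins"}),  # saved but not yet published
]
```

Note that an Administrator group that no rule names for SecureAuth0 gets no access to the Admin realm at all, and a saved but unpublished rule grants nothing until its slider is moved.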

Create a new rule

After the first rule is created and activated, you can create more role-based permission rules.

  1. In the Access Control panel, click New.

  2. Set the following:

    Name

    Set the name of the rule.

    This rule displays on the Access Control Panel page.

    Description

    Provide descriptive text about the rule.

    Realms

    Select the Identity Platform realms to which this access control rule applies.

    User Groups with Read and Write Permissions

    Select the data store (LDAP) directory user groups to which Administrators belong, giving them read and write permissions to the specified realms.

    The Access Control Rule form pulls information from the directory for auto-fill options.

    User Groups with Read-Only Permissions

    Select the data store (LDAP) directory user groups to which Auditors belong, giving them read-only permissions to specified realms.

    It is not required to select a user group in this field, but at least one of the two user group fields must be set.

  3. Click Save Rule.

Manage rules

From the Access Control page, you can duplicate, edit, or delete a rule.

  1. To duplicate a specific rule, click the duplicate link.

    1. Confirm the action by clicking Duplicate.

      The duplicated rule displays in the list.

  2. To edit a specific rule, click the edit link.

  3. To delete a specific rule, click the delete link.

    1. Confirm the action by clicking Delete.

      All access controls defined by the rule are removed and the rule no longer displays in the list.