Role-based access control overview
Role-based access control (RBAC) in the SecureAuth® Identity Platform (formerly SecureAuth IdP) gives you fine-grained control over who can see and change appliance configurations. Many users can open the Web Admin, but only some of them should be able to make changes, and only a few should be able to view and modify everything. RBAC lets you define roles in the appliance settings and restrict which users can access, and which users can change, each part of the configuration.
Note
As of release 22.12, role-based access control (RBAC) is supported in both Identity Platform hybrid and cloud deployments.
RBAC can be enabled or disabled from a web browser in both hybrid and cloud deployments.
Role-based access control separates users into the following role types:

Role | Description
---|---
Administrators | Users or account-credential holders who have full access to the Identity Platform console before RBAC is enabled. Note: for security reasons, the administrator who enables RBAC for the first time is automatically added as a Super Admin. To be removed as a Super Admin, that administrator must contact a local administrator.
Super Admins | The only users who have full access to the Identity Platform console after RBAC is enabled.
Application Owners | Users who have access to a defined set of realms and applications. Depending on their permission level, Application Owners can either view only, or view and modify, those realms and applications.
To activate role-based access control, a supported data store directory must be integrated with the Admin Realm (SecureAuth0). The Identity Platform retrieves each user's directory group membership from that integration and uses it to apply the role-based controls. Once RBAC is enabled, users must log in to the Web Admin (SecureAuth0) with their directory credentials.
More role definitions in detail
The following table provides more detail about the level of permissions for each role. Note that the last row covers editing the web.config file directly on the appliance, which depends on the account having RDP access to the appliance rather than on its RBAC role.
Note
When RBAC is enabled, existing Administrators are reassigned to either the Super Admin or the Application Owner role.
Function | Administrator (RBAC disabled) | Super Admin (RBAC enabled) | Application Owner (RBAC enabled)
---|---|---|---
View realm/application configurations | All realms | All realms | With specified realm permissions
Modify realm/application configurations | All realms | All realms | With specified realm permissions
View Admin realm (SecureAuth0) | Y | Y | N
Modify Admin realm (SecureAuth0) | Y | Y | N
View specialized realms (app enrollment) | Y | Y | With specified realm permissions
Modify specialized realms (app enrollment) | Y | Y | With specified realm permissions
Use Web Admin tools (update web.config) | Y | Y | N
Use Web Admin tools (decrypt web.config) | Y | Y | Y
View / modify API configurations | Y | Y | N
View / modify web.config file directly | Y (if the account credential has RDP access) | Y (if the account credential has RDP access) | Y (if the account credential has RDP access)