RBAC Enforcement

The system implements access control using an RBAC mechanism. As outlined below, every action is controlled via the policy management feature of the system.

RBAC
The main entities are:

| Entity | Detail |
| --- | --- |
| Policy | A set of rules/statements that are evaluated when a particular user tries to perform a particular action. Policies are then applied to users, groups and roles. |
| User | An individual user of the system. |
| Group | Users can optionally be added to groups to simplify management. |
| Role | A role can be assigned a policy and can be assumed by users to temporarily use those permissions. Part of the definition of a role says who can assume the role. |


A policy statement is made up of 5 elements:

| Element | Detail | Examples |
| --- | --- | --- |
| Effect | What to do if the rule matches | Allow / Deny |
| Action | CRUD operation on the target resource | Create / Read / Update / Delete |
| Resource | Target resource that the rule is applied to | /servers/id |
| Constraint | An optional set of conditions that must hold for the rule to apply | See the Condition example below |

Constraint example (a JSON fragment of a policy statement):

    "Condition": {
        "StringEquals": {
            "cmp:resource_id": "de305d54-75b4-431b-adb2-eb6b9e546014"
        }
    }

In short:
As user A with policy B (optionally via role C or group D), I can perform operation E on resource F, assuming constraint G is met.

Feature: Default Policies

The system enables users to configure policies at a very fine-grained level. However, to make life easier, a number of default policies are available.
These default policies cannot be edited or deleted.
When a user logs in to Solution Insight for the first time, no policies are attached to that user (as in AWS IAM). A user holding the Policy Admin policy can then attach the new user to the following default policies to restrict the operations that user may perform.

| Policy Name | Detail | Permitted operations |
| --- | --- | --- |
| General Users | General admin users, giving admin rights for resources within Solution Insight | GET/PUT/POST/DELETE on all API resources except policies, groups and roles |
| User Admin | Allows users to administer which users are in which groups | GET/PUT/POST/DELETE on groups, roles, user-group association and user-role association |
| Policy Admin | Allows users to administer which policies are enforced for groups and users | GET/PUT/POST/DELETE on policies, user-policy association and group-policy association |
| Read Only | A group that gives read-only access to resources. There is no admin access for these users. | GET on all API resources except policies, groups and roles |

Feature: Role Assumption

If a user U has a role R, U can assume role R by adding a role header to the HTTP request (as follows) and can then perform operations under the policies attached to R.

    X-CMP-Role: <Role UUID>

The policies originally attached to U are not applied in this case.
This is useful if an admin user wants to assign temporary policies to some users (in the same customer) in order to delegate some privilege to them. Roles can only be assumed by users in the same customer.
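The following is an added example, not Solution Insight's own code: a small evaluator for the policy model summarised above ("user A with policy B, via role C or group D, performs operation E on resource F if constraint G holds") together with the role-assumption rule of this section, where an X-CMP-Role header makes only the role's policies apply. The policy, user, group and role data are constructed; deny-by-default and "an explicit Deny beats any Allow" are assumptions borrowed from AWS IAM, which the page compares itself to.

```python
# Added example (not the product's own code). Deny-by-default and "explicit
# Deny wins" are assumptions modelled on AWS IAM, not stated on the page.
from typing import Dict, List, Optional

# Constructed sample policies in the Effect/Action/Resource/Constraint shape.
POLICIES: Dict[str, List[dict]] = {
    "general-users": [{"Effect": "Allow", "Resource": "/servers/*",
                       "Action": ["Create", "Read", "Update", "Delete"]}],
    "read-only": [{"Effect": "Allow", "Action": ["Read"], "Resource": "/servers/*"}],
    "protect-one-server": [{"Effect": "Deny", "Action": ["Delete"], "Resource": "/servers/*",
        "Condition": {"StringEquals": {"cmp:resource_id": "de305d54-75b4-431b-adb2-eb6b9e546014"}}}],
}
# Constructed principals: policies reach a user directly, via a group, or via a role.
USERS = {"alice": {"policies": ["read-only"], "groups": ["ops"]},
         "bob": {"policies": ["general-users"], "groups": ["ops"]}}
GROUPS = {"ops": ["protect-one-server"]}
ROLES = {"role-1111": {"policies": ["general-users"], "assumable_by": ["alice"]}}

def _resource_matches(pattern: str, resource: str) -> bool:
    # A trailing "*" matches any suffix; anything else must match exactly.
    return resource.startswith(pattern[:-1]) if pattern.endswith("*") else pattern == resource

def _condition_met(stmt: dict, ctx: dict) -> bool:
    # Only the StringEquals operator from the page's example is modelled.
    wanted = stmt.get("Condition", {}).get("StringEquals", {})
    return all(ctx.get(key) == value for key, value in wanted.items())

def effective_policies(user: str, role_header: Optional[str] = None) -> List[str]:
    """With X-CMP-Role set, only the role's policies apply; otherwise user + group policies."""
    if role_header is not None:
        role = ROLES.get(role_header)
        if role is None or user not in role["assumable_by"]:
            return []  # unknown role, or one this user may not assume: grants nothing
        return list(role["policies"])
    own = USERS[user]
    return own["policies"] + [p for g in own["groups"] for p in GROUPS.get(g, [])]

def is_allowed(user: str, action: str, resource: str,
               ctx: Optional[dict] = None, role_header: Optional[str] = None) -> bool:
    """Evaluate every statement in force; Deny short-circuits, Allow must be explicit."""
    ctx, decision = ctx or {}, False  # no matching Allow means denied
    for name in effective_policies(user, role_header):
        for stmt in POLICIES[name]:
            if (action in stmt["Action"] and _resource_matches(stmt["Resource"], resource)
                    and _condition_met(stmt, ctx)):
                if stmt["Effect"] == "Deny":
                    return False
                decision = True
    return decision
```

Note that once alice assumes role-1111, the Deny she inherits from the "ops" group no longer applies, which is exactly why the page stresses that the assuming user's original policies are set aside.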