RBAC Enforcement

The system implements access control using an RBAC mechanism. As outlined below - every action is controlled via the policy management feature of the system.

There are main entities are:




A set of rules/statements that are evaluated when a particular user tries to perform a particular action, Policies are then applied to users, groups and roles


An individual user of the system


Users can optionally be added to groups, to simplify management


A role can be assigned a policy and can be assumed by users to temporarily user those permissions. Part of the definition of a role says who can assume the role.

And a policy statement is made up of 5 elements:





What to do if the rule matches

Allow / Deny

CRUD operation on the target resource

Create / Read / Update / Delete

Target resource that the rule is applied to


An optional set of things to check if the rule is met

“Condition”: {
“StringEquals”: {
“cmp:resource_id”: “de305d54-75b4-431b-adb2-eb6b9e546014”,

In short:
As a user A with policy B (optionally via role C or group D) I can perform operation E on resource F. Assuming constraint G is met.

Feature: Default Policies

The system enables users to configure the policies at a very low level. However to make life easier there are a number of default policies available.
These default policies are ones that are non-editable/deletable.
When a user logs in to Solution Insight first time, the user has not been attached by any policies (same as AWS IAM), but those attached Policy Admin can attach the new users to the following default policies to restrict operations.

Policy Name


Permitted operations

General Users

General admin users, giving admin rights for resources within Solution Insight

GET/PUT/POST/DELETE all API resources except policies, groups and roles
User Admin

Allows users to admin which users are in which groups

GET/PUT/POST/DELETE on groups, roles, user-group association and user-role association
Policy Admin

Allows users to admin which policies are enforced for groups and users

GET/PUT/POST/DELETE on policies, user-policy association and group-policy association
Read Only

A group that gives read only access to resources. There would be no admin access for these users.

GET from all API resources except policies, groups and roles

Feature: Role Assumption

If a user U has a role R, U can assume the role R by add a role header in HTTP request header (as follow) and can perform operations with the policies R has been attached.

X-CMP-Role: <Role UUID>
The original policies U has been attached have not been applied in this case.
This is useful if an admin user want to assign temporary policies to some users (in the same customer) to delegate some privilege to the user. Roles can only be assumed by the users in the same customer.