
    Introduction to RBAC in RPS

    Last updated on December 30, 2020.

    Last Reviewed and Approved on PENDING REVIEW

    Introduction

    Managing access to resources is a critical function for any organization that has multiple types of users accessing a system. Role-Based Access Control (RBAC) helps you manage who has access to resources, what they can do with those resources, and what areas they have access to. RBAC is an authorization system that provides fine-grained access management of the Rapid Provisioning System (RPS) resources.

    You control access to resources in RPS RBAC by creating role assignments. This is a key concept to understand, because it is how permissions are enforced. A role assignment consists of three primary elements: Users, Roles, and Security Rights. The user is a member of a role, and the role is what has the security rights assigned to it.

    RPS uses an RBAC approach to restrict system access to authorized users only. In RPS, roles are predefined, such as administrator or patch creator. Each role is a collection of different security rights. A user is placed in a particular role depending on the function(s) they need to perform. A user assigned to zero roles will not have any access to RPS, and a user can be assigned to multiple roles if they need to perform multiple duties in RPS. User and role assignment is dynamic and data driven. Users can be assigned to and unassigned from roles at any time without reinstallation, allowing users' permissions in the system to grow and shrink with their assigned duties.

    RPS roles are built around job duties and implement the principle of least privilege, meaning each role is designed to only allow a user to perform the necessary functions related to that role and nothing more.

    RBAC Fundamentals

    Access and Interfaces

    Users, roles, and assignments are managed either via the RPS Web Graphical User Interface (GUI) or via PowerShell scripts. RBAC has been designed to have feature parity across both interfaces, so either management method can be used. Via PowerShell, user creation and role assignment can easily be added to scripts to help with automation. The RPS Web GUI, however, makes it easy for anyone to manage users and roles.

    Users

    Users are based on domain and local Windows users. To be assigned a role, users must still be enrolled in RPS.

    Authentication

    RPS does not perform user authentication; it only handles authorization. All RPS authentication is handled by Windows. All user accounts must be either local or domain Windows accounts to be authenticated and used by RPS. The RPS RBAC access management system does not store any user passwords, and it does not manage RPS user passwords. All password management is handled through either the domain or Windows.

    Role Assignment

    Users are added to roles via the RPS Web GUI or via a PowerShell cmdlet. See How to Add and Remove User Roles. A user must have the proper privileges to add and remove users from roles. Users cannot add and remove themselves from roles, unless they are a super admin.
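
    The rules stated here and in the Introduction (user to role to security right, no access with zero roles, no self-assignment unless super admin), modeled as an added Python example. It is not RPS code: the role-to-right mapping, the right names, the `CORP` accounts and every function name are assumptions made for illustration.

```python
"""Illustrative model only; not RPS code. Role, right and function names are assumptions."""

# Constructed sample data: each role is a collection of security rights.
ROLE_RIGHTS = {
    "SuperAdmin": {"AssignRoles", "ManageUsers"},
    "Administrator": {"AssignRoles", "ManageUsers"},
    "PatchCreator": {"CreatePatch"},
}


def norm(account):
    # Windows account names are case-insensitive, so compare them case-folded.
    return account.casefold()


class Rbac:
    def __init__(self, seed):
        # seed: enrolled account -> role names (constructed bootstrap data)
        self.assignments = {norm(u): set(r) for u, r in seed.items()}

    def rights(self, user):
        # Union of rights over all assigned roles; zero roles yields no rights.
        roles = self.assignments.get(norm(user), set())
        return set().union(*(ROLE_RIGHTS[r] for r in roles))

    def is_authorized(self, user, right):
        return right in self.rights(user)

    def change_role(self, actor, target, role, add=True):
        actor, target = norm(actor), norm(target)
        if role not in ROLE_RIGHTS:
            raise KeyError(f"unknown role: {role}")
        if target not in self.assignments:
            raise PermissionError("target is not enrolled")
        if not self.is_authorized(actor, "AssignRoles"):
            raise PermissionError("actor lacks the right to assign roles")
        # Self-service changes are refused unless the actor is a super admin.
        if actor == target and "SuperAdmin" not in self.assignments[actor]:
            raise PermissionError("users cannot change their own roles")
        if add:
            self.assignments[target].add(role)
        else:
            self.assignments[target].discard(role)


def build_sample():
    # Constructed accounts; "CORP" is a placeholder domain.
    return Rbac({r"CORP\root": {"SuperAdmin"}, r"CORP\alice": {"Administrator"}, r"CORP\bob": set()})
```

    Normalizing account names before the self-assignment comparison matters in this model: without it, the same Windows account written with different casing would pass as a different user.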

    Installation

    On installation of RPS, pre-defined roles are imported via a data import process.
