Role-based access control (RBAC) is a method of regulating access to a computer, network, or application by assigning permissions to users based on a role. Individual users are grouped into roles based on job responsibilities, and system access is assigned based on role.
RBAC provides the ability to segregate duties within a team. This allows you to grant only the level of access a user requires to perform their job, instead of giving everybody unrestricted permissions.
Starting with Interana release 3.9, you can map your organization's SAML groups to logical roles within Interana using the Interana UI.
RBAC is enabled by default, and a user must be a member of a role before they can view or edit any objects in Interana. By default, new user-created objects are not visible to other users until they're shared.
How to configure RBAC
To create roles from provided SAML groups, you must have SAML single sign on. To manually assign users to roles without using SAML groups, contact your Technical Account Manager.
Prepare to set up RBAC
In preparing to set up RBAC, decide how you will map your SAML groups to roles in Interana. Then decide what sharing privileges each role will have.
For example, SAML might have sales, finance, engineering, product marketing, web marketing, and marketing analytics groups. You might decide to create an Interana role that corresponds to each group. Or you might decide to map multiple groups to one role. For example, you could make an Interana role called "marketing" out of the product marketing, web marketing, and marketing analytics SAML groups. Then you might decide that the finance role can share only with the finance role, while the marketing role can share with marketing, engineering, sales, and finance.
The following roles are available by default:
- user—Can log into Interana, see datasets and objects for which they have permission, and run queries. Can create and save personal boards and knowledge objects, such as actor, event, and flow properties.
- admin—Can share with any role, manage and maintain user accounts, and access all boards and knowledge objects. An admin can also control the settings for datasets and users.
Configure Interana RBAC
Once you have planned your mappings and sharing privileges, create each new role using the Interana UI. To create a new role:
- Click the Admin gear icon. At the top of the page, click the Role management icon.
- At the top right, click +New role.
- At the top of the role management page, type a name for your new role.
- Assign one or more SAML groups to each new role by adding them to the Member groups field. You can do this one of two ways:
- Coordinate with your technical account manager to add SAML groups to your Interana system. Once the group names are in Interana, you can use the dropdown in the Member groups field to choose from SAML groups that are already recognized. Click +add group then select from the dropdown.
- You can (carefully!) type SAML group names into the UI. Click +add group then type the SAML group name. The SAML group name displays red until you click Save at the top right of the page. After you save it, the group name is available in the Member groups dropdown. This method is sensitive to case, special characters, and any typos. Saving does not validate the name against your SAML.
- Set sharing permissions for the role.
When migrating from 3.x, you must edit the User role so that it has a share permission and can share with other users. That is, Admin > Role Management > User > Can share with roles must include User.
- Set dataset access for the role in the Can access datasets field.
- Click Save at the top right.
Best practice: Separate data access roles from capability roles
It is a good idea to create a set of groups in your authentication provider that are defined by what data they can access, and another set of groups that are defined by the capabilities they have. Then build these two sets of groups into a set of meaningful roles.
If I change group membership in my SAML, how does it show up in Interana?
Every time a user logs into Interana, their authentication provider passes the list of SAML groups that user is a member of. Interana determines which role to assign the user based on the SAML group membership.
If a user logs in with a group that is not mapped to any role, they are put in the User role for that login session.
The following table lists the capabilities that you can assign to a role.