This article explains role-based access control (RBAC) and how it works with Interana. You will learn about designated Interana roles and the permissions assigned to each role, as well as how RBAC is activated and group roles are assigned.
Role-based access control (RBAC) is a method of regulating access to a computer, network, or application by assigning permissions to users based on a role. Individual users are grouped into roles based on job responsibilities, and system access is assigned based on each person's role assignment.
RBAC provides the ability to segregate duties within a team. This lets you grant each user only the level of access required to perform their job, instead of giving everyone unrestricted permissions to everything.
The primary RBAC concepts are:
- Role assignment—a user must be assigned a role to be able to exercise a permission, such as seeing a dataset.
- Role authorization—a user's role must be authorized to be able to exercise that role's set of permissions.
How RBAC works in Interana 3.x
RBAC is activated by configuring policies for your Interana instance. These policies can be created by your Technical Account Manager.
By default, RBAC is disabled on Interana, allowing full access to all users. When the first RBAC policy is created for a dataset, the default switches to deny access to anyone without permissions for the dataset. Permissions are granted on a group-by-group basis, and individual users are assigned to groups based on their job responsibilities.
For example, if there is no RBAC policy configured for a particular dataset, then all users have access to that dataset. Once the Interana administrator (admin) creates a policy so that Group A has access to a dataset, only members of Group A can see that data. If the members of Group B also want access to that dataset, an admin must add Group B to the access permissions.
For information on configuring Interana RBAC policies, contact your Technical Account Manager.
Working with RBAC roles
Interana 3.x RBAC supports the following user roles:
- user—can log in to Interana, see datasets for which they have permission, and run queries. They also have the ability to create and save personal boards and knowledge objects, such as actor, event, and flow properties. They can access all published constructs.
- admin—has publisher permissions and can manage and maintain user accounts, as well as access all boards and knowledge objects whether published or not. An admin also has the ability to control the settings for datasets and users.
For most Interana users, RBAC is transparent. Users see and interact with datasets according to the groups (roles) to which they belong. All other datasets are hidden from view. A few users may have publisher permissions, and one or two may have admin permissions.
For more information on Interana roles and access permissions, contact your Technical Account Manager.
Group and permission constraints
It's important to familiarize yourself with RBAC group and permission restrictions.
- Group inheritance is not allowed, which means there are no nested groups.
- You must explicitly delegate permissions to groups, and the users who belong to those groups.
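The following Python model is an added example, not Interana's own code or API, and the dataset, group, and user names in it are constructed. It captures the two rules spelled out above: a dataset with no policy is visible to everyone, and creating the first policy for a dataset switches it to deny-by-default so that only members of explicitly granted groups can see it (the Group A / Group B scenario). It also enforces the group constraints: membership is flat, with no nested groups to walk, and permissions must be delegated explicitly per group.

```python
"""Illustrative model of dataset-level RBAC policies as described in the article.

Added example; not Interana's implementation. Names are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class Rbac:
    # group name -> set of user names (flat membership only; no nested groups)
    groups: dict[str, set[str]] = field(default_factory=dict)
    # dataset name -> set of group names authorised to see it
    policies: dict[str, set[str]] = field(default_factory=dict)

    def add_user_to_group(self, user: str, group: str) -> None:
        self.groups.setdefault(group, set()).add(user)

    def grant(self, dataset: str, group: str) -> None:
        """Create (or extend) the policy for a dataset.

        The first grant flips the dataset from default-allow to deny-by-default;
        permissions are always delegated explicitly to a named group.
        """
        if group not in self.groups:
            raise KeyError(f"unknown group: {group}")
        self.policies.setdefault(dataset, set()).add(group)

    def groups_of(self, user: str) -> set[str]:
        # Direct membership only: there is no group inheritance to resolve.
        return {g for g, members in self.groups.items() if user in members}

    def can_access(self, user: str, dataset: str) -> bool:
        authorised = self.policies.get(dataset)
        if authorised is None:
            return True  # no policy yet: full access for all users
        return bool(self.groups_of(user) & authorised)

    def visible_datasets(self, user: str, all_datasets: list[str]) -> list[str]:
        # Datasets the user cannot access are simply hidden from view.
        return [d for d in all_datasets if self.can_access(user, d)]


def demo() -> dict[str, bool]:
    """Walk through the article's Group A / Group B scenario (constructed data)."""
    rbac = Rbac()
    rbac.add_user_to_group("alice", "Group A")
    rbac.add_user_to_group("bob", "Group B")
    results = {}
    # Before any policy exists, everyone sees the dataset.
    results["bob_before_policy"] = rbac.can_access("bob", "sales")
    # The first policy for 'sales' grants Group A; the default becomes deny.
    rbac.grant("sales", "Group A")
    results["alice_after_policy"] = rbac.can_access("alice", "sales")
    results["bob_after_policy"] = rbac.can_access("bob", "sales")
    # A dataset that still has no policy remains open to all users.
    results["bob_other_dataset"] = rbac.can_access("bob", "marketing")
    # An admin must add Group B explicitly before Bob can see 'sales' again.
    rbac.grant("sales", "Group B")
    results["bob_after_grant"] = rbac.can_access("bob", "sales")
    return results


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {allowed}")
```

Note that `grant` refuses to reference a group that does not exist: because there is no inheritance, an unknown group name can never resolve to any user, so accepting it would create a policy that silently locks everyone out of the dataset.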