
It’s All About Access — Aureum’s Users and Roles

May 15, 2016 Aureum, Security

Access control in an information system regulates what a user can do directly, and what that user’s programs are allowed to do on the user’s behalf. System administrators implement access control mechanisms to protect the confidentiality and integrity of applications and their data. In other words, a subject (a user or a process) is granted access to objects (data and programs) and may perform operations on them (read, write, delete and execute) only as far as the access rules permit.

A role-based access control (RBAC) model has the following qualities:

Example: Aburaya Corporation

Consider a fictional company called Aburaya Corporation. Joyce is the director of the new advanced analytics department, which uses Aureum to manage its data access. Administrative operations on a system can have serious consequences, so Joyce has to make sure her employees can perform only those operations for which they have been trained. She groups her employees by their roles and wants to manage a small number of roles instead of a large number of users.

When the department starts, she creates the Aureum account and is at first its only user. Joyce uses the Aureum account’s security credentials to create a user for herself called Joyce, and a group called Admins. She gives the Admins group the permissions it needs to administer users, groups and permissions for the Aureum account, and she also gives the Admins group permission to perform all actions on all of the Aureum account’s resources (in effect, root privileges).

She then recruits employees to work for her as developers, admins, analysts, managers and system administrators. Joyce creates a group called AllUsers so she can easily apply any account-wide permissions to all users, and adds herself to it. She then creates groups called Developers, Analysts, Managers and SysAdmins. She creates a user for each of her employees, puts each user in the appropriate role group, and also adds them all to the AllUsers group.

To provide “perimeter” control, Joyce adds a policy to the AllUsers group that denies any Aureum request from a user if the originating IP address is outside Aburaya’s corporate network.
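The setup Joyce has built so far, modelled as a small policy evaluator. This is an added example, not Aureum’s own policy language or API: the group names follow the post, while the corporate network range, the user names and the action names (such as `data:read`) are constructed assumptions. It shows the two properties the setup relies on: a matching deny (the perimeter rule on AllUsers) overrides any allow, and a user with no matching allow is refused by default.

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set

# Constructed assumption: Aburaya's corporate network range (the post names no range).
CORPORATE_NET = ipaddress.ip_network("10.20.0.0/16")


@dataclass
class Policy:
    effect: str                                          # "allow" or "deny"
    actions: Set[str]                                    # action names; "*" matches any action
    condition: Optional[Callable[[dict], bool]] = None   # policy applies only when this holds


def outside_corporate_network(ctx: dict) -> bool:
    return ipaddress.ip_address(ctx["src_ip"]) not in CORPORATE_NET


# Group policies as described in the post; the action names are illustrative assumptions.
GROUP_POLICIES: Dict[str, List[Policy]] = {
    "AllUsers":   [Policy("deny", {"*"}, condition=outside_corporate_network)],  # perimeter rule
    "Admins":     [Policy("allow", {"*"})],                                       # root-like rights
    "Developers": [Policy("allow", {"data:read", "job:run"})],
    "Analysts":   [Policy("allow", {"data:read"})],
    "Managers":   [Policy("allow", {"data:read", "report:read"})],
    "SysAdmins":  [Policy("allow", {"node:manage"})],
}

# Every user sits in AllUsers plus a role group, as Joyce set it up (user names constructed).
USER_GROUPS: Dict[str, Set[str]] = {
    "Joyce": {"AllUsers", "Admins"},
    "dev1":  {"AllUsers", "Developers"},
    "ana1":  {"AllUsers", "Analysts"},
}


def evaluate(user: str, action: str, src_ip: str) -> bool:
    """Default deny: an explicit matching deny wins over any allow, and a user with no
    matching allow is refused. An unknown user belongs to no group and is therefore denied."""
    ctx = {"src_ip": src_ip}
    allowed = False
    for group in USER_GROUPS.get(user, set()):
        for policy in GROUP_POLICIES.get(group, []):
            if "*" not in policy.actions and action not in policy.actions:
                continue                      # policy does not cover this action
            if policy.condition is not None and not policy.condition(ctx):
                continue                      # policy's condition not met for this request
            if policy.effect == "deny":
                return False                  # explicit deny overrides everything else
            allowed = True
    return allowed
```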

At Aburaya, different groups require different permissions:

The Aureum administration GUI is designed so that it’s quick and easy to set up systems even for a large number of users. Adding users later on with the appropriate permissions is as easy as assigning them to an existing group.