Role-Based Access Control (RBAC)
This article covers what Role-Based Access Control is, how it is used within STRM Privacy, and provides an overview of all permissions and roles.
Role-Based Access Control (RBAC)
In practice, not all users should be able to view or manage the same resources.
Employees working one department, shouldn't automatically be granted access to all data streams within an organization.
In order to grant permissions to users, STRM Privacy offers a Role-Based Access Control (RBAC) system.
This system should help organizations to manage resources and be more easily compliant with privacy regulations.
Currently, four basic roles exist: admin , project_admin , approver and member.
Users can have one or more roles and are always assigned at least the member role.
The user creating an organization is automatically assigned the admin role.
When a user is invited to your organization, only the member role is assigned.
Roles can be managed via the manage command in the cli.
Permissions
| Scope Permission | Description |
|---|---|
| organization/manage | Create organization handle. |
| organization/manage users | Add and remove users from the organization. Change user roles. |
| organization/create project | Create a new project within the organization via cli or console. |
| organization/delete project | Delete a project from an organization, with all its corresponding resources. |
| organization/view projects | List all projects in an organization. Per project list their members. |
| organization/view installation status | View the status of installation, installed for your organization. |
| project/manage members | Add and remove users from a project. |
| project/create resources | Create streams, derived streams, batch exporters, batch jobs. |
| project/delete resources | Delete streams, derived streams, batch exporters, batch jobs. |
| project/view resources | List and get streams, derived streams, batch exporters, batch jobs. |
| project/create data contracts | Create a proposal for a data contract, that needs to be reviewed before becoming active. |
| data_contracts/view | List and get data contracts from the project in scope and those that are public. |
| data_contracts/review | Review data contracts, i.e. validate that the contract is compliant with (company) privacy regulations. |
Overview of permissions per role
| Scope | admin | project_admin | approver | member |
|---|---|---|---|---|
| organization/manage | ✓ | |||
| organization/manage users | ✓ | |||
| organization/create project | ✓ | ✓ | ||
| organization/delete project | ✓ | ✓ | ||
| organization/view projects | ✓ | ✓ | ||
| organization/view installation status | ✓ | ✓ | ✓ | ✓ |
| project/manage members | ✓ | ✓ | ||
| project/create resources | ✓ | ✓ | ✓ | |
| project/delete resources | ✓ | ✓ | ||
| project/view resources | ✓ | ✓ | ✓ | ✓ |
| project/create data contracts | ✓ | ✓ | ✓ | ✓ |
| data_contracts/view | ✓ | ✓ | ✓ | ✓ |
| data_contracts/review | ✓ | ✓ |