rConfig - RBAC - Role Based Access Control
Role Based Access Control (RBAC) is a method of restricting network access based on the roles of individual users within an enterprise. rConfig uses RBAC to provide granular control over the actions that users can perform within the application. This feature is particularly useful in environments where multiple users are interacting with the application, and where it is necessary to restrict access to certain features or data. rConfig’s RBAC system is designed to be flexible and scalable, allowing administrators to create custom roles and assign permissions to those roles.
Roles
rConfig comes with a set of predefined roles, each with a specific set of permissions. These roles are designed to cover a range of use cases, from basic user access to full administrative control. The predefined roles are as follows:
- admin
- user
- guest
These three roles are hard-coded system roles and cannot be removed. To view a role's permissions, click the three dots next to the role, and click Edit. You can then see the permissions for that role. You may deactivate these roles, though it is not recommended to deactivate the admin role. For each role you will see the assigned users in the main table for convenience. Also, from the users table, you will see which role is assigned to each user.
Custom Roles
In addition to the predefined roles, rConfig allows administrators to create custom roles. Custom roles can be created by clicking the New Role button in the Roles section of the application. When creating a custom role, administrators can specify the name of the role, as well as the permissions that should be assigned to that role. Custom roles can be assigned to users in the same way as predefined roles, and can be used to provide granular control over the actions that users can perform within the application.
When adding a new role, you need to define the role name, description, and then select the permissions you want to assign to that role. You can then assign that role to a user. You can also deactivate the role if you no longer need it. The role defaults to active when created. You will see a toggle All switch to enable or disable all permissions for that role for convenience.
Permissions
When assigning permissions you will notice 5 columns. These are the main permissions for rConfig. They are:
- All
  - This is a toggle switch to enable or disable all permissions for that role.
- View
  - This permission allows the user to view the data. For example, if you have a role with the View permission for Devices, the user will be able to view the devices in the application.
- Create
  - This permission allows the user to create new data. For example, if you have a role with the Create permission for Devices, the user will be able to add new devices to the application.
- Read
  - This permission allows the user to read data. For example, if you have a role with the Read permission for Devices, the user will be able to read the devices in the application.
- Update
  - This permission allows the user to update data. For example, if you have a role with the Update permission for Devices, the user will be able to update the devices in the application.
- Delete
  - This permission allows the user to delete data. For example, if you have a role with the Delete permission for Devices, the user will be able to delete the devices in the application.
As for the actual entities for the roles, there are some 40 entities that can be assigned to a role. This list is valid as of V7.0 and is subject to change. These are:
Entity | Description |
---|---|
ActivityLog | This is the main activity log for the application. It logs all application activity. |
ApiConnection | This is the table for the API connections. It holds all API connection related data. |
ApiCredential | This is the table for the API credentials. It holds all API credentials related data. |
ApiEndpoint | This is the table for the API endpoints. It holds all API endpoints related data. |
Backup | This is the table for the backups. It holds all system backup related data. |
Category | This is the table for the Command Group/categories. It holds all Command Group/categories related data. |
Command | This is the table for the commands. It holds all commands related data. |
Config | This is the table for the configs. It holds all configs related data. |
ConfigChange | This is the table for the config changes. It holds all config changes related data. |
Device | This is the table for the devices. It holds all devices related data. |
DeviceCredentials | This is the table for the device credentials. It holds all device credentials related data. |
EocDefinition | This is the table for the CIC (previously known as EOC) definitions. It holds all CIC definitions related data. |
IntegrationConfigured | This is the table for the integration configured. It holds all integration configured related data. |
IntegrationDeviceLoaderStaging | This is the table for the integration device loader staging. It holds all integration device loader staging related data. |
IntegrationOption | This is the table for the integration options. It holds all integration options related data. |
Ldap | This is the table for the LDAP. It holds all LDAP related data. |
Permission | This is the table for the permissions. It holds all permissions related data. |
PolicyAssignment | This is the table for the policy assignments. It holds all policy assignments related data. |
PolicyComplianceReport | This is the table for the policy compliance reports. It holds all policy compliance reports related data. |
PolicyComplianceResult | This is the table for the policy compliance results. It holds all policy compliance results related data. |
PolicyDefinition | This is the table for the policy definitions. It holds all policy definitions related data. |
RestApiLog | This is the table for the REST API logs. It holds all REST API logs related data. |
RestApiToken | This is the table for the REST API tokens. It holds all REST API tokens related data. |
Role | This is the table for the roles. It holds all roles related data. |
Setting | This is the table for the settings. It holds all settings related data, including email/SMTP connection and LDAP connection data. |
Snippet | This is the table for the snippets. It holds all snippets related data. |
Tag | This is the table for the tags. It holds all tags related data. |
Task | This is the table for the tasks. It holds all tasks related data. |
Taskdownloadreport | This is the table for the task download reports. It holds all task download reports related data. |
Template | This is the table for the templates. It holds all templates related data. |
TrackedJob | This is the table for the tracked jobs. It holds all tracked jobs related data. |
User | This is the table for the users. It holds all users related data. |
UserLogActivity | This is the table for the user log activities. It holds all user log activities related data. |
Vendor | This is the table for the vendors. It holds all vendors related data. |
Zabbix | This is the table for the Zabbix. It holds all Zabbix related data. |
ZabbixExtractStaging | This is the table for the Zabbix extract staging. It holds all Zabbix extract staging related data. |
Assigning Roles
Roles can be assigned to users by editing the user in the Users section of the application. When editing a user, administrators can select the role that should be assigned to that user. Users can be assigned to multiple roles, and the permissions of those roles will be combined to determine the actions that the user can perform within the application.
When editing a user, you will see a list of roles. You can assign multiple roles to a user. You can also deactivate a user if you no longer need them. The user defaults to active when created.
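An added example (not rConfig code): a least-privilege review of the combination rule described above, flagging users whose combined roles reach secret-bearing entities, can modify RBAC data, or end up with more rights on an entity than any single assigned role grants. It assumes "combined" means the union of each role's permissions; the role names other than guest, the user names, the data layout and the choice of flagged entities are constructed for illustration.

```python
# Constructed sample data; the dict layout is hypothetical, not an rConfig export format.
ROLES = {
    "guest":        {"Device": {"View", "Read"}},
    "netops":       {"Device": {"View", "Read", "Update"}, "Config": {"View", "Read"}},
    "decommission": {"Device": {"Delete"}},
    "cred-manager": {"DeviceCredentials": {"View", "Read", "Update"}},
    "helpdesk":     {"User": {"View", "Read", "Update"}},
}
USERS = {
    "alice": ["netops", "cred-manager"],
    "bob":   ["guest"],
    "carol": ["guest", "helpdesk"],
    "dave":  ["netops", "decommission"],
}
# Reviewer's choice of entities to flag, taken from the entity descriptions on this page.
SECRET_ENTITIES = {"DeviceCredentials", "ApiCredential", "RestApiToken", "Setting"}
RBAC_ENTITIES = {"Role", "Permission", "User"}
WRITE_ACTIONS = {"Create", "Update", "Delete"}

def effective_permissions(role_names, roles=ROLES):
    """Union of entity -> actions over all assigned roles (assumed meaning of 'combined')."""
    combined = {}
    for name in role_names:
        for entity, actions in roles.get(name, {}).items():
            combined.setdefault(entity, set()).update(actions)
    return combined

def accumulated_entities(role_names, roles=ROLES):
    """Entities where the combined actions exceed what any single assigned role grants."""
    combined = effective_permissions(role_names, roles)
    return sorted(
        entity for entity, actions in combined.items()
        if all(roles.get(r, {}).get(entity, set()) < actions for r in role_names)
    )

def review(user, users=USERS, roles=ROLES):
    """Findings for one user: secret-bearing access, RBAC write access, accumulation."""
    role_names = users[user]
    perms = effective_permissions(role_names, roles)
    out = []
    for entity in sorted(perms):
        if entity in SECRET_ENTITIES:
            out.append(f"secret:{entity}:{','.join(sorted(perms[entity]))}")
        writes = perms[entity] & WRITE_ACTIONS
        if entity in RBAC_ENTITIES and writes:
            out.append(f"rbac-write:{entity}:{','.join(sorted(writes))}")
    out += [f"accumulated:{e}" for e in accumulated_entities(role_names, roles)]
    return out

if __name__ == "__main__":
    for name in USERS:
        print(name, review(name))
```
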
Roles in Devices and snippets
As of V7.0.8 and 7.1.0 you can assign roles to devices and snippets. This is useful if you want to restrict access to devices and snippets based on roles at a more granular level. You can assign multiple roles to a device or snippet. This means that, based on your role, you will only see the devices or snippets to which your role has been assigned. To learn more, view the Devices and Snippets documentation.
update-rbac-data Command
In the event that you need to update or refresh the RBAC data, you can run the update-rbac-data command from the rConfig CLI. This command will update the RBAC data in the application, and can be useful if you have made changes to the roles or permissions and need to ensure that those changes are reflected in the application. If anything goes wrong with the permissions table, you can run this command to refresh the permissions table with new permissions. Contact support if you need to run this command.