Skip to content

rConfig - RBAC - Role Based Access Control

2 mins V7 Pro

Role Based Access Control (RBAC) is a method of restricting network access based on the roles of individual users within an enterprise. rConfig uses RBAC to provide granular control over the actions that users can perform within the application. This feature is particularly useful in environments where multiple users are interacting with the application, and where it is necessary to restrict access to certain features or data. rConfig’s RBAC system is designed to be flexible and scalable, allowing administrators to create custom roles and assign permissions to those roles.

Roles

rConfig comes with a set of predefined roles, each with a specific set of permissions. These roles are designed to cover a range of use cases, from basic user access to full administrative control. The predefined roles are as follows:

  • admin
  • user
  • guest

These three roles are hard coded system roles, and cannot be removed. To view the roles permissions, click the three dots next to the role, and click Edit. You can then see the permissions for that role. You may deactivate these roles. Though, it is not recommended to deactivate the admin role. Foreach role you will see the assigned users in the main table for convenience. Also, from the users table, you will see which role is assigned to each user.

Custom Roles

In addition to the predefined roles, rConfig allows administrators to create custom roles. Custom roles can be created by clicking the New Role button in the Roles section of the application. When creating a custom role, administrators can specify the name of the role, as well as the permissions that should be assigned to that role. Custom roles can be assigned to users in the same way as predefined roles, and can be used to provide granular control over the actions that users can perform within the application.

When adding a new role, you need to define the role name, description, and then select the permissions you want to assign to that role. You can then assign that role to a user. You can also deactivate the role if you no longer need it. The role defaults to active when created.You will see a toggle All switch to enable or disable all permissions for that role for convenience.

Permissions

When assigning permission you will notice 5 columns. These are the main permissions for rConfig. They are:

  • All
    • This is a toggle switch to enable or disable all permissions for that role.
  • View
    • This permission allows the user to view the data. For example, if you have a role with the View permission for Devices, the user will be able to view the devices in the application.
  • Create
    • This permission allows the user to create new data. For example, if you have a role with the Create permission for Devices, the user will be able to add new devices to the application.
  • Read
    • This permission allows the user to read data. For example, if you have a role with the Read permission for Devices, the user will be able to read the devices in the application.
  • Update
    • This permission allows the user to update data. For example, if you have a role with the Update permission for Devices, the user will be able to update the devices in the application.
  • Delete
    • This permission allows the user to delete data. For example, if you have a role with the Delete permission for Devices, the user will be able to delete the devices in the application.

As for the actual entities for the roles, there are some 40 entities that can be assigned to a role. This is list is valid as of V7.0 and is subject to change. These are:

EntityDescription
ActivityLogThis is the main activity log for the application. It logs all application activity.
ApiConnectionThis is the table for the API connections. It holds all API connection related data.
ApiCredentialThis is the table for the API credentials. It holds all API credentials related data.
ApiEndpointThis is the table for the API endpoints. It holds all API endpoints related data.
BackupThis is the table for the backups. It holds all system backup related data.
CategoryThis is the table for the categories. It holds all categories related data.
CommandThis is the table for the commands. It holds all commands related data.
ConfigThis is the table for the configs. It holds all configs related data.
ConfigChangeThis is the table for the config changes. It holds all config changes related data.
DeviceThis is the table for the devices. It holds all devices related data.
DeviceCredentialsThis is the table for the device credentials. It holds all device credentials related data.
EocDefinitionThis is the table for the EOC definitions. It holds all EOC definitions related data.
IntegrationConfiguredThis is the table for the integration configured. It holds all integration configured related data.
IntegrationDeviceLoaderStagingThis is the table for the integration device loader staging. It holds all integration device loader staging related data.
IntegrationOptionThis is the table for the integration options. It holds all integration options related data.
LdapThis is the table for the LDAP. It holds all LDAP related data.
PermissionThis is the table for the permissions. It holds all permissions related data.
PolicyAssignmentThis is the table for the policy assignments. It holds all policy assignments related data.
PolicyComplianceReportThis is the table for the policy compliance reports. It holds all policy compliance reports related data.
PolicyComplianceResultThis is the table for the policy compliance results. It holds all policy compliance results related data.
PolicyDefinitionThis is the table for the policy definitions. It holds all policy definitions related data.
RestApiLogThis is the table for the REST API logs. It holds all REST API logs related data.
RestApiTokenThis is the table for the REST API tokens. It holds all REST API tokens related data.
RoleThis is the table for the roles. It holds all roles related data.
SettingThis is the table for the settings. It holds all settings related data including, email/ smtp connection and LDAP connection data.
SnippetThis is the table for the snippets. It holds all snippets related data.
TagThis is the table for the tags. It holds all tags related data.
TaskThis is the table for the tasks. It holds all tasks related data.
TaskdownloadreportThis is the table for the task download reports. It holds all task download reports related data.
TemplateThis is the table for the templates. It holds all templates related data.
TrackedJobThis is the table for the tracked jobs. It holds all tracked jobs related data.
UserThis is the table for the users. It holds all users related data.
UserLogActivityThis is the table for the user log activities. It holds all user log activities related data.
VendorThis is the table for the vendors. It holds all vendors related data.
ZabbixThis is the table for the Zabbix. It holds all Zabbix related data.
ZabbixExtractStagingThis is the table for the Zabbix extract staging. It holds all Zabbix extract staging related data.

Assigning Roles

Roles can be assigned to users by editing the user in the Users section of the application. When editing a user, administrators can select the role that should be assigned to that user. Users can be assigned to multiple roles, and the permissions of those roles will be combined to determine the actions that the user can perform within the application.

When editing a user, you will see a list of roles. You can assign multiple roles to a user. You can also deactivate a user if you no longer need them. The user defaults to active when created.

Roles in Devices and snippets

As of V7.0.8 and 7.1.0 you can assign roles to devices and snippets. This is useful if you want to restrict access to devices and snippets based on roles at a more granular level. You can assign multiple roles to a device or snippet. This means that based on your role you will only see the devices, or snippets to which your role has been assigned. To learn more view the Devices and Snippets documentation.

update-rbac-data Command

In the event that you need to update or refresh the RBAC data, you can run the update-rbac-data command from the rConfig CLI. This command will update the RBAC data in the application, and can be useful if you have made changes to the roles or permissions and need to ensure that those changes are reflected in the application. If anything goes wrong with the permissions table, you can run this command to refresh the permissions table with new permissions. Contact support if you need to run this command.

Terminal window
# Command to update or refresh permissions table with new permissions
php artisan rconfig:update-rbac-data