rbac

About Client

Our client is a prominent provider of cloud-based communications to businesses and consumers who can communicate through any device using cloud-hosted chat, video, voice, and short message service.
We partnered with them to develop:

  • An automated solution to deliver on all aspects of RBAC right from employee onboarding to employee off boarding.
  • A fine-grained access control approach to set up clearly defined roles, permissions and protocols by implementing the principle of least privilege thereby reducing the risk of granting unwarranted access.
  • An auditing and reporting functionality to provide objective insight, optimize operational efficiency, and ensure compliance with standards and regulations.

Business Need

Challenges

Technical Details

Our system consists of two main applications — RBAC Admin Management and RBAC Provisioning. The deeper dynamics are given as follows:

RBAC Admin Management

The main personas are Admin, Owner, Approver, Manager and Auditor, which are managed through RBAC Admin Management as follows:

  • Admin: This persona allows admin to manage users and other admins, add and deactivate business role (BR), add and remove applications list and related permissions keys, and manage business role owners and approvers. A BR can only contain those applications that are incorporated by the RBAC handlers. Thereafter, owners can add applications to BR and update the configuration of the application and send it for approval. Owners are validated by OKTA APIs.
  • Owner: This persona deals with users who are responsible for managing individual business roles. It provides functionality of managing the addition/removal of applications and their respective permissions in a particular BR. Once the owner makes the changes, they are shared with an approver for approval, and the owner can also send reminders to the approver for follow-up purposes.
  • Approver: This persona checks the configuration of BR with the specific application configuration. An approver cannot make changes to BR; sh/e can only approve or reject changes.
  • Manager: This persona allows a manager to look at tickets created for a role change, which applications have been granted/revoked as part of role change and the corresponding user details. S/he can also assign a role to a new or existing user.
  • Auditor: This persona is implemented as a part of compliance requirements. An auditor can only track the progress of any application in terms of user access to the application, roles assigned to the users, and changes requested/approved for the business roles.

RBAC Admin Management Flowchart 1

RBAC Provisioning

The process of user login in the RBAC system is managed by Okta SSO. For providing permissions inside the web application, we are using Okta groups. For the assignment of a particular okta-group, we have defined the level of access in the web application. Any user with a valid assignment of any of the personas’ respective okta-group will be able to login into the web application.

The RBAC provisioning application is created inside AWS Cloud. When there is a change in Business Role (BR) for a specific user or when it is set/reset, the application is triggered by a REST endpoint from Okta workflow. It then triggers an automation workflow where application specific handlers work on provisioning and setting up appropriate access for a user or change access to applications based on BR Mapping. The same automation workflow is applicable in the case of deprovisioning roles.

In the case of reprovisioning, when BR mapping changes then RBAC finds all the users in that BR and forces provisioning calls for the concerned users.

API Gateway allows only Okta server IP addresses to access the Gateway REST API.

Architecture

The solution leverages AWS Serverless technology for hosting the web application. The following details provide a snapshot of the various technologies used to build the various components of the solution right from the user interface to the database management system.

Solution architecture

Business Impact

  • Compliance:  Compliance with standardized regulatory and statutory requirements related to security, confidentiality and privacy is made possible. The solution reduces risk of audit exceptions for new/modified access compliance requirements through the feature of periodic certification.
  • Traceability: Comprehensible role creation and access authorization helps to trace and track which employee has been assigned which roles, approved by whom, and for what purpose.
  • Auto approval of JIRA access tickets: This functionality saves a lot of time as managers need not to be chased for approvals because JIRA access tickets are auto-approved.
  • Reduced administrative work: There is less administrative work as comprehensive rules and triggers are maintained and changed through our automated solution.
  • Integration of new hires:  The onboarding process is made smoother as there is crystal-clear clarity in roles and their related privileges.

Future Direction

  • Scale the existing solution as a hub and spoke configuration in case the client includes new systems that hold raw, reference data.
  • Integrate with mobile-based apps through APIs.

Technology

react
logo-python
logo-API-gateway
okkata

Related Contents

5 minutes read

Data Orchestration Ecosystem

Facilitating the seamless processing of vast amounts of data from multiple sources for analytical purposes.
Implemented a comprehensive data pipeline that involves the collection, transformation, validation, and enrichment of raw data into a human-readable format.

Know more
5 minutes read

Auth0 IAM implementation for Zero
trust Networking platform

A leading provider of media optimization solutions recognized the need for a robust Identity and Access Management (IAM) solution to strengthen their security framework and streamline user access to their platform. 

Know more
5 minutes read

Okta to Azure AD Migration

The client, a multinational organization, had been using Okta as their primary identity and access management (IAM) solution for several years. However, due to a strategic organizational decision, they decided to migrate their IAM infrastructure from Okta to Azure Active Directory (Azure AD).

Know more