Role-based access control (RBAC)
Access management is a critical function for any organization. Graal Platform role-based access control (RBAC) helps you manage who has access to your resources and services, what they can do with those resources, and what areas they have access to.
What can I do with RBAC?
Here are some examples of what you can do with RBAC:
- Allow one user to manage jobs in a project and another user to manage the networks
- Allow an admin group to manage services in a tenant
- Allow a power user to manage all users, groups and rules
How RBAC works
The way you control access to resources using RBAC is to assign roles. This is a key concept to understand – it's how permissions are enforced. A role assignment consists of three elements: principal, role definition, and scope.
A principal is an object that represents a user, group or identity that is requesting access to resources. You can assign a role to any of these principals.
A role definition is a collection of permissions. It's typically just called a role. A role definition lists the actions that can be performed, such as read, write, and delete. Roles can be high-level, like owner, or specific, like project reader.
Graal Platform includes several built-in roles that you can use. For example, the Project Contributor role allows a user to create and manage jobs inside a project. If the built-in roles don't meet the specific needs of your organization, you can create your own custom roles.
Scope is the set of resources that the access applies to. When you assign a role, you can further limit the actions allowed by defining a scope. This is helpful if you want to make someone a Project Contributor, but only for one resource group.
A role assignment is the process of attaching a role definition to a user, group or identity at a particular scope for the purpose of granting access. Access is granted by creating a role assignment, and access is revoked by removing a role assignment.
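The three elements above (principal, role definition, scope) and the additive assign/revoke model can be shown as a small access check. This is an added example, not Graal Platform's own code or API; the tenant and project paths, the user and group names, the action strings and the "Network Manager" role are assumed for illustration, and group membership is modelled so that a role assigned to a group reaches its members.

```python
from dataclasses import dataclass
# Role definitions: a role is a named set of permitted actions. "Owner" and "Project
# Contributor" are named on the page; the action strings and "Network Manager" are constructed.
ROLES = {
    "Owner": {"*"},
    "Project Contributor": {"jobs/read", "jobs/write", "jobs/delete"},
    "Network Manager": {"networks/read", "networks/write", "networks/delete"},
}
# Group membership, so a role assigned to a group reaches its members (constructed).
GROUPS = {"alice": {"admins"}}

@dataclass(frozen=True)
class Assignment:
    """One role assignment: principal + role definition + scope."""
    principal: str  # user, group or identity name
    role: str       # key into ROLES
    scope: str      # resource path, e.g. "/tenants/acme/projects/billing"

def principals_for(user: str) -> set:
    """The user itself plus every group it belongs to."""
    return {user} | GROUPS.get(user, set())

def scope_covers(assigned_scope: str, resource: str) -> bool:
    """An assignment applies to its scope and everything beneath it. Match on a
    path-segment boundary so "/projects/bill" does not cover "/projects/billing"."""
    base = assigned_scope.rstrip("/")
    return resource == base or resource.startswith(base + "/")

def is_allowed(user: str, action: str, resource: str, assignments) -> bool:
    """RBAC is additive: access exists only if some assignment grants it."""
    mine = principals_for(user)
    for a in assignments:
        if a.principal not in mine or not scope_covers(a.scope, resource):
            continue
        actions = ROLES.get(a.role, set())
        if "*" in actions or action in actions:
            return True
    return False

def revoke(assignments, gone: Assignment) -> list:
    """Access is revoked simply by removing the assignment; nothing else to undo."""
    return [a for a in assignments if a != gone]

# Constructed sample assignments: bob manages jobs in one project, carol manages
# that project's networks, and the admins group owns the whole tenant.
ASSIGNMENTS = [
    Assignment("bob", "Project Contributor", "/tenants/acme/projects/billing"),
    Assignment("carol", "Network Manager", "/tenants/acme/projects/billing"),
    Assignment("admins", "Owner", "/tenants/acme"),
]
```

The segment-boundary check in `scope_covers` is the detail worth keeping: a plain prefix match would let an assignment on one project silently cover another project whose name merely starts with the same characters.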