1 Reply Latest reply on Jun 8, 2007 11:16 AM by Paul Williamson

    RBAC Design, sub-RBACAdmins roles

      I am in the process of designing our initial RBAC layout, and can’t quite get my head around it. Here’s what I’m trying to do.


      We have several distinct groups in our organization that I’d like to assign Roles for. For each of those groups I’d like to start by creating three Roles: Group_Full_Access, Group_Read_Only, and Group_RBACAdmins. Then, each of these Roles would only have access to their own servers. Using this method, a member of GroupA_Full_Access could not see or manage any servers in GroupB_Full_Access. I am having trouble understanding where I limit what a Role can access. For example, the Role has Server.*, but I don’t see where to specify for which servers that applies.


      After I have created the three roles, I’d like to get out of the mix as much as possible, while still maintaining the keys to RBACAdmins. My thought is that I can give our group leaders access to the Group_RBACAdmins Role, and they could assign users to the other two groups as desired. I think that’s just a function of User.*, but again I’m not sure how to limit their scope to only being able to change members of their own groups.


      To further the desire, I’d like those group leaders (members of Group_RBACAdmins) to be able to add additional Group_otherpermissions Roles as they see fit, without having to involve the master RBACAdmins Role; however, I’m not sure how that might work. I’m thinking the RBACAdmins Role would need to create the new Role initially, then let the Group_RBACAdmins Role alter it. Using this method, users could manage their own groups, creating and modifying Roles as they see fit based on their own business needs. Again, they should only be able to do this for servers under their control.


      Since I’m very new at this and haven’t done extensive testing yet, I’m not sure if what I’m describing is possible. Can you please let me know if this all sounds like a workable plan, and maybe offer ways to achieve these goals?




        • 1. Re: RBAC Design, sub-RBACAdmins roles



          You should be able to achieve this setup by creating a 'local' Group_RBACAdmins role for each group with the relevant authorizations such as







          With these 'RBAC' roles the Group_Full_Access, Group_Read_Access etc. roles can be created for each group by the group leaders. Additional roles and users can be added/created as desired (if the users already exist then permissions on the user object will need to be set to allow the Group_RBACAdmin access to these users).


          Remember for server access the role must have Server.* (if full access is required) and the server object permissions must be set to allow access to the role.
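The two-sided check in that last sentence (the role needs the authorization, and the object's own permissions must name the role) is what scopes GroupA roles to GroupA servers. The model below is an added example, not the product's code or API: role names, the Server.Read/Server.Modify/User.Modify action names, the ACL layout and the sample servers and users are all assumed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Role:
    name: str
    authorizations: set          # role-level authorizations, e.g. {"Server.*"} or {"Server.Read"}

@dataclass
class ManagedObject:
    name: str
    acl: dict = field(default_factory=dict)   # object permissions: role name -> set of grants

def _covers(grants, action):
    """'Server.*' covers every Server.<op>; a specific entry covers only itself."""
    obj_type = action.split(".")[0]
    return action in grants or f"{obj_type}.*" in grants

def can(role, action, obj):
    """Access requires BOTH halves: the role carries the authorization AND the
    object's permissions list that role. Either side alone is not enough."""
    return _covers(role.authorizations, action) and _covers(obj.acl.get(role.name, set()), action)

def visible_servers(role, servers):
    """What a member of `role` would see: only servers whose ACL names the role."""
    return sorted(s.name for s in servers if can(role, "Server.Read", s))

# Constructed sample data (assumed names, not from the thread).
groupa_full = Role("GroupA_Full_Access", {"Server.*"})
groupa_ro = Role("GroupA_Read_Only", {"Server.Read"})
groupb_full = Role("GroupB_Full_Access", {"Server.*"})
groupa_rbac = Role("GroupA_RBACAdmins", {"User.*", "Role.*"})

srv_a1 = ManagedObject("web-a1", {"GroupA_Full_Access": {"Server.*"}, "GroupA_Read_Only": {"Server.Read"}})
srv_a2 = ManagedObject("db-a2", {"GroupA_Read_Only": {"Server.*"}})   # over-granting ACL, role still limits
srv_b1 = ManagedObject("web-b1", {"GroupB_Full_Access": {"Server.*"}})
user_alice = ManagedObject("alice", {"GroupA_RBACAdmins": {"User.*"}})  # existing user, ACL set for GroupA
user_bob = ManagedObject("bob", {"GroupB_RBACAdmins": {"User.*"}})      # belongs to GroupB's admins

if __name__ == "__main__":
    print("GroupA_Full_Access sees:", visible_servers(groupa_full, [srv_a1, srv_a2, srv_b1]))
    print("GroupB_Full_Access sees:", visible_servers(groupb_full, [srv_a1, srv_a2, srv_b1]))
    print("GroupA_RBACAdmins can modify bob:", can(groupa_rbac, "User.Modify", user_bob))
```

The over-granting ACL on db-a2 shows why the role-side authorization still matters: a Read_Only role cannot modify a server even when someone mistakenly gives it Server.* on the object.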