This article describes the Role Based Access Control (RBAC) functionality, which enables an account administrator to show/hide data from users, based on the data’s ownership and the users’ access rights. RBAC is especially useful when you need to limit access to sensitive date, such as financial data.
This article includes:
- Configuring RBAC in your account
- Preparing your account for RBAC
- Working in Anodot with RBAC enabled
- Guidelines and limitations
Configuring RBAC in your account
There are three main steps in getting your account set up with RBAC:
Step 1: Contact Anodot (Support / Customer Success) to activate RBAC in your account. Once active, all RBAC settings require admin access to create/edit/delete.
Step 2: Define the access groups, making sure all users belong to the correct group(s):
- From the Navigation Panel, click MANAGEMENT > Users & Groups.
- Review the member list of each group. Note that users can be associated with multiple access groups, allowing them access to all data associated with these groups.
Step 3: Set the access groups for the relevant streams. Note that streams that are not assigned an access group, will not be secured. For more information, see Guidelines and limitations.
- From the Navigation Panel, click INTEGRATIONS > Sources.
- Locate the stream you want to define the access group for.
- Click on the stream name to display the Summary window.
- Click the Access tab, and then click the Edit icon.
- By default, the Stream access to all option switch is enabled. To define specific groups with access, click on this option switch to disable access to all. A dropdown list is displayed, as shown below.
- Select the relevant group(s).
- Click Update. Access to the data produced from this stream is now limited to admins and users in the selected access groups.
Preparing your account for RBAC
Enabling RBAC in your account immediately changes the access privileges for some users. This section describes how to prepare your account for the secure environment RBAC offers, and includes details on how to ensure RBAC works in the following Anodot features:
- Groups: Using RBAC is done at the group level (see Configuring RBAC in your account). Users that do not belong to a group, will not have access to any data.
To make sure all users are assigned to the relevant groups, go to MANAGEMENT > Users & Groups and sort the user list by groups to see which users do not belong to a group. Then use the Bulk Edit and Assign to Group options for the relevant users (see Managing Users and Groups for further information).
- User roles: There are two main user roles to consider - Admins and users.
Admins are not affected by RBAC, and they have access to all data. Therefore, keep only the Admins you need, and turn the rest into regular users.
Users and read-only users are affected by RBAC and their access will be determined by the settings you enforce on the data streams. Make sure they are assigned to the correct groups.
- Data streams: Anodot’s RBAC takes into consideration that access to data is determined at the entry point, which is the data stream. Therefore, make your data streams separated in a way that supports your business/access restrictions. For example, the financial data stream can be limited to financial department members, while the application monitoring data stream can be viewed by all users.
- Alerts & Dashboards: Ensure your alerts and dashboards are built in a way that supports your business. For example, split your alerts and dashboards according to the planned segregation of data. Set your alert owners to be the groups, and not specific users; these groups will later be used as the access groups.
- Channels: To create data segregation, you need the exit point from Anodot to also support this. Create dedicated channels according to the access groups you plan to define.
Working in Anodot with RBAC enabled
This section assumes you are logging in to Anodot as a user, and that you will have access to data according to the access group you belong to.
In general, the data you are expected to see will include:
- Data from streams with your access group defined for them.
- Data from streams that do not have an access group defined for them.
Working in the Metric Explorer
When using the metric explorer with RBAC enabled, the metrics available to you will only be the metrics from streams open to all, and streams open to your access group.
Working in the Alert Console
The alert triggers you will see listed are triggers from alert configurations you have access to. See the following section for more details.
Working with alert configurations and composite metrics
The conditions mentioned above for the metric explorer apply here too. In addition, with RBAC enabled, you are required to save the expressions with explicit streams.
An alert that is owned by a group is visible only to members of that group.
Working with Anomaly boards
The conditions mentioned above for the metric explorer apply here too. With RBAC enabled, you will only see anomalies with data you have access to.
Working with Dashboards
Dashboards usually contain several tiles. Each tile has its own search expression and display options. With RBAC enabled, you will be able to view only the tiles which contain information that is accessible to you.
Other tiles will be covered by a message informing you that you do not have enough privileges to view them.
Guidelines and limitations
The RBAC functionality is opt-in. This means that only data which is explicitly configured to be secured will be secured; all other data is visible to all, as in previous versions.
Note the following guidelines:
- Securing the data is done from the stream by assigning it an access group.
- All data that doesn't come from streams (e.g. REST API) is not secured.
- Streams that are not assigned an access group, are not secured. You can secure them later by setting the access group.
- Secure the data, as well as the alert. If an alert is based on secured data, make sure you set the alert owner to be the same access group.