Custom Role-Based Access Control (RBAC) allows administrators to modify user access beyond standard system roles within the Bitsight platform. Custom roles function as overrides to existing system user roles, enabling more granular control over specific privileges.
Custom Roles
Custom roles let you grant or remove Application Access that a user would otherwise have, or not have, through their base system user role.
Key points:
- Custom roles do not replace system user roles; they modify them.
- Multiple custom roles can be assigned to a single user.
- When permissions from multiple roles conflict, access wins: if any assigned role allows an app, that allowance overrides a denial of the same app in any other role.
Accessing and Managing Custom Roles
Custom role creation and management are available from the Access Control page under the Custom Roles tab.
Administrators can:
- Create and edit custom roles from a dedicated Custom Roles tab.
- Modify role privileges.
- Delete roles.
- Add or remove users from roles in bulk.
- Assign roles directly to users from the Create User and Edit User modals on the Users tab in Access Control.
Permission Behavior and Overrides
- Custom roles can be used to toggle permissions on or off that a user would normally have through their company or system role.
- Custom roles cannot grant permissions that a user is not eligible for based on their existing roles.
Example: if a user's SPM/CM role is set to None, granting SPM access through a custom role will not allow that user to access SPM.
Safeguards and Best Practices
To prevent accidental lockouts:
- To add Command Center access, a role must grant access to 2 or more of the SPM, CM, VRM, and TMH apps.
- Roles must include at least 1 app.
- Trust Management Hub does not include Access Control. A Trust Management Hub-only role cannot modify Custom Roles or the users in them.
- These safeguards are designed to prevent users or administrators from locking themselves out of the platform.
Because custom roles can interact in complex ways:
- Use caution when creating and applying roles.
- Carefully review role combinations to avoid conflicts or unintended access restrictions.
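The following is an added example, not Bitsight's code: a small model of how the rules above combine (base access, eligibility, allow-beats-deny conflict resolution, and the Command Center and at-least-one-app safeguards). The split into a "base" set and an "eligible" set, and the app names used, are assumptions made for the model.

```python
from dataclasses import dataclass, field

# Assumed model of the access rules this article describes; not Bitsight's code.
APPS = {"SPM", "CM", "VRM", "TMH", "Command Center"}
COMMAND_CENTER_SOURCES = {"SPM", "CM", "VRM", "TMH"}


@dataclass
class CustomRole:
    """A custom role toggles application access on (grant) or off (deny)."""
    name: str
    grant: set = field(default_factory=set)
    deny: set = field(default_factory=set)


def validate_role(role: CustomRole) -> list:
    """Return safeguard violations for a role; an empty list means the role is valid."""
    problems = []
    unknown = (role.grant | role.deny) - APPS
    if unknown:
        problems.append(f"unknown apps: {sorted(unknown)}")
    # "Roles must include at least 1 app" (modelled as: references at least one app).
    if not (role.grant | role.deny):
        problems.append("a role must include at least 1 app")
    # Command Center may only be added alongside 2+ of SPM, CM, VRM, TMH.
    if "Command Center" in role.grant and len(role.grant & COMMAND_CENTER_SOURCES) < 2:
        problems.append("Command Center requires 2 or more of SPM, CM, VRM, TMH")
    return problems


def effective_access(base: set, eligible: set, roles: list) -> set:
    """Resolve a user's application access.

    base     - apps the user's system/company role grants by default
    eligible - apps the user is eligible for at all (e.g. SPM/CM role not None)
    roles    - custom roles assigned to the user (may be empty)
    """
    granted = set().union(*(r.grant for r in roles))
    denied = set().union(*(r.deny for r in roles))
    # Conflict rule: an allow in any role overrides a deny in any other role.
    denied_only = denied - granted
    # Custom roles only toggle within eligibility; they never grant beyond it.
    return ((base - denied_only) | granted) & eligible


if __name__ == "__main__":
    analyst = CustomRole("analyst", grant={"VRM"}, deny={"CM"})
    cm_user = CustomRole("cm-user", grant={"CM"})
    # CM survives the analyst role's denial because cm-user allows it.
    print(effective_access({"SPM", "CM"}, APPS - {"Command Center"}, [analyst, cm_user]))
```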
Please note:
The new Custom RBAC feature currently has a limited scope:
- Application Access Only: Initial support is limited to managing application access privileges.
- API Access Not Restricted: Due to technical limitations, custom roles do not currently restrict API access.
- SSO/SAML Not Supported: SSO/SAML integration is not available in this initial launch. Custom roles still work alongside SAML-provisioned users, because a user's other roles are not affected or replaced by custom roles.