
Cyware Fusion and Threat Response

Configure Role-Based Access Control (RBAC) in CFTR

Role-based access control (RBAC) lets CFTR admins define and manage user access in CFTR. With RBAC, you control which CFTR modules and functionality a user can reach and which of their data the user can see, so that each user is granted only the access required to accomplish their tasks.

CFTR manages user access through the following access types:

  1. Configure Application Access: Define access to various modules/functionality of the CFTR application.

  2. Configure Data Access: Define access to incidents and actions data based on Allowed Business Units and Allowed Locations.

  3. Configure Protected Incidents: Define access to protected incidents.

  4. Configure RBAC for Orchestrate Playbooks: Define access to Orchestrate Playbook tags.

These access types are evaluated together to determine what a user can access in the CFTR application. The following diagram shows the flow of access checks in CFTR.

[Diagram: Access Flow]

Before you Start

Before you configure the data access for users, ensure that the Business Units and Locations are configured in your CFTR application. For more information, see Configure Settings.

Configure Application Access

In the User Groups Management section of the Admin Panel, you define the permissions of a user group for each CFTR module/functionality. Every module/functionality has three permission levels:

  • No Access: The users of a user group do not have permission to view the module/functionality in the CFTR UI.

  • View: The users of a user group have read-only access to the module/functionality.

  • Create/Update: The users of a user group have access to manage the data of the module/functionality.

Users with View or Create/Update permission for a module/functionality can access all data of that module/functionality, subject only to the data-level restrictions described below.

Note

The data-level access of a user to incidents and actions depends on the Allowed Business Units and Allowed Locations. For more information, see Configure Data Access.

You can create multiple user groups for various user roles in your organization and define the permissions for each user group. For more information, see Create User Group.

Steps

To define the application access of a set of CFTR users:

  1. Create a user group.

  2. Define the view and create/update permissions for each module/functionality.

  3. Add users to the user group.

The users now have the View or Create/Update permission for each CFTR module/functionality as defined in the user group.


Note

A user can be assigned to multiple user groups and can then access the modules/functionality as defined in each of those user groups.

Configure Data Access

In addition to the application access defined in the user groups, CFTR admins can further restrict a user's access to Incident and Action data to specific Business Units and Locations. You do this in the User Management section of the Admin Panel by defining the Allowed Business Units and Allowed Locations in the user profile.

  • Allowed Business Units: Users can access the data of these business units.

  • Allowed Locations: Users can access the data of these locations.

When creating or updating the profile of a user in the User Management section, add the business units and locations that the user may access in the Allowed Business Units and Allowed Locations fields respectively.

For more information on how to manage user profiles, see Create User.

Exceptions to the data access permissions are:

  • Untriaged incidents can be viewed by all users who have View permission for incidents, but only the users of the user group the incident is assigned to can edit an untriaged incident.

  • Participants of an incident or action can access that incident or action even if their Allowed Business Units and Allowed Locations would not otherwise grant them data-level access. Adding a participant therefore acts as a per-record grant.

Configure Protected Incidents

In addition to application and data access, you can restrict access to incidents that contain confidential information by marking those incidents as protected. Only users in a user group that has View permission for protected incidents can view or update a protected incident.

In User Group Management, you can create a separate user group for the users who can access protected incidents or provide the View permission to a specific user group.
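The application access, data access (with its two exceptions) and protected-incident rules described above combine into a single access decision. The following Python model is added here as an illustration of that flow as the page describes it; it is not CFTR's own code and not a description of its implementation. It makes three assumptions the page does not state: when a user is in several groups, the highest permission level applies; an incident's business unit and its location must both be allowed; and the protected-incident check also applies to participants. Users, groups and incidents are constructed sample data.

```python
from dataclasses import dataclass, field
from enum import IntEnum
from typing import Dict, List, Optional, Set, Tuple


class Perm(IntEnum):
    """Permission levels a user group holds on a CFTR module/functionality."""
    NO_ACCESS = 0
    VIEW = 1
    CREATE_UPDATE = 2


@dataclass
class UserGroup:
    name: str
    module_perms: Dict[str, Perm]                 # module name -> Perm (Application Access)
    protected_incidents: Perm = Perm.NO_ACCESS    # View permission for protected incidents


@dataclass
class User:
    name: str
    groups: List[UserGroup]                       # user groups the user is assigned to
    allowed_business_units: Set[str]              # Allowed Business Units from the profile
    allowed_locations: Set[str]                   # Allowed Locations from the profile


@dataclass
class Incident:
    ident: str
    business_unit: str
    location: str
    triaged: bool = True
    protected: bool = False
    assigned_group: Optional[str] = None          # group an untriaged incident is assigned to
    participants: Set[str] = field(default_factory=set)


def module_permission(user: User, module: str) -> Perm:
    # Assumption: across several groups the highest level applies (the page only
    # says a user may belong to multiple groups).
    return max((g.module_perms.get(module, Perm.NO_ACCESS) for g in user.groups),
               default=Perm.NO_ACCESS)


def has_data_access(user: User, inc: Incident) -> bool:
    # Assumption: both the business unit and the location must be allowed.
    return (inc.business_unit in user.allowed_business_units
            and inc.location in user.allowed_locations)


def can_view_protected(user: User) -> bool:
    return any(g.protected_incidents >= Perm.VIEW for g in user.groups)


def check_incident_access(user: User, inc: Incident, action: str) -> Tuple[bool, str]:
    """Evaluate 'view' or 'update' access to an incident. Returns (allowed, reason)."""
    needed = Perm.CREATE_UPDATE if action == "update" else Perm.VIEW
    # 1. Application access: the Incidents module permission from the user groups.
    if module_permission(user, "incidents") < needed:
        return False, "application access: insufficient Incidents permission"
    # 2. Protected incidents require a group with protected-incident View.
    #    Assumption: this also applies to participants (the page does not say).
    if inc.protected and not can_view_protected(user):
        return False, "protected incident: no protected-incident View permission"
    # 3. Data access, with the two documented exceptions checked first.
    if user.name in inc.participants:
        return True, "participant of the incident"
    if not inc.triaged:
        if action == "view":
            return True, "untriaged incident: visible to everyone with View"
        if any(g.name == inc.assigned_group for g in user.groups):
            return True, "untriaged incident: member of the assigned user group"
        return False, "untriaged incident: not in the assigned user group"
    if has_data_access(user, inc):
        return True, "business unit and location allowed"
    return False, "business unit or location not allowed"


# Constructed sample data (not from a real CFTR tenant).
SOC_L1 = UserGroup("soc_l1", {"incidents": Perm.VIEW})
SOC_L2 = UserGroup("soc_l2", {"incidents": Perm.CREATE_UPDATE}, protected_incidents=Perm.VIEW)
ALICE = User("alice", [SOC_L1], {"Retail"}, {"London"})
BOB = User("bob", [SOC_L2], {"Retail", "Finance"}, {"London", "Paris"})

RETAIL_INC = Incident("INC-1", "Retail", "London")
FINANCE_INC = Incident("INC-2", "Finance", "Paris")
SHARED_INC = Incident("INC-3", "Finance", "Paris", participants={"alice"})
PROTECTED_INC = Incident("INC-4", "Retail", "London", protected=True)
UNTRIAGED_INC = Incident("INC-5", "Finance", "Paris", triaged=False, assigned_group="soc_l1")

if __name__ == "__main__":
    for user in (ALICE, BOB):
        for inc in (RETAIL_INC, FINANCE_INC, SHARED_INC, PROTECTED_INC, UNTRIAGED_INC):
            for action in ("view", "update"):
                allowed, why = check_incident_access(user, inc, action)
                print(f"{user.name:5} {action:6} {inc.ident}: {'ALLOW' if allowed else 'DENY '} ({why})")
```

Running the block prints a decision and its reason for every user, incident and action combination, which is a convenient way to sanity-check a planned group and profile layout before applying it: alice (View only, Retail/London) can view the Retail incident but not update it, cannot see the Finance incident unless she is a participant, cannot open the protected incident, and can view but not edit the untriaged incident assigned to her own group; bob's group carries Create/Update and protected-incident View, but he still cannot edit an untriaged incident assigned to a group he is not in.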


Configure RBAC for Orchestrate Playbooks

If your CFTR is integrated with Orchestrate, you can enable role-based access control of Playbooks to restrict the users of a user group to specific Orchestrate playbooks. Enable this option from Admin Panel > Configurations > Orchestrate Integration.

Update Playbook Tags in User Groups

In the Orchestrate application, every playbook carries tags that describe the playbook type. You grant user access to a playbook by adding its tag to the user group: in the User Group Management section, open the user group and add the tags of the playbooks its users may access in the Orchestrate Playbook Tags field. Users of a group without a matching tag cannot access those playbooks from CFTR.