HomeGuidesTerms & ConceptsAPI DocumentationRelease NotesStatus
Guides

Custom Roles

This page explains how to create custom Roles and Access Policies within Secberus.

Suggest Edits

Roles overview

Roles are a collection of access policies that include a set of permissions. There are predefined roles that can be assigned to users within each organization. In addition, custom roles can be created to limit a users access and privileges for specific data sources. Each user can be assigned multiple roles within each organization.

Creating custom roles

To create a custom role, first navigate to the Secberus Admin by clicking on the Organization select menu followed by Manage account.

Manage account

Navigate to Roles.

Click + New role to bring up the setup screen.

New role

Include the Name of the role, a short Description, and then select one or more Access policies that define the privileges for the role. See Creating access policies for more information.

Create role

Creating access policies

To create a new access policy, first navigate to the Secberus Admin section and select the Access policies item.

Click + New policy to bring up the Create a new access policy screen.

Access policies

Include the Name of the policy and a short Description, then add the policy details in the Policy editor.

1435

Custom access policies can be created using the YAML language. Policies will be composed of two sections: Actions and Conditions. Permissions are purely additive (there are no "deny" rules).

KeyValue
Actions API Permissions

api:datasources:create
api:datasources:delete
api:datasources:read
api:datasources:update

See complete list of api action permissions
Conditions Attributes

- category.name
- framework.name
- datasource.name
- datasource.typeSee complete list of available attributesComparatorsString conditions:
- equals: "abc123"
- prefix: "PRE_"
- suffix: "_SUF"
- match: "bc12"
- oneof: "bc123"

Example policies

Here is a simple access policy that allows full unrestricted access to a single datasource named "AWS-DS-01":

- actions:
    - api:datasources:create
    - api:datasources:read
    - api:datasources:update
    - api:datasources:delete
  conditions:
    - field: datasource.name
      value: AWS-DS-01
      comparator: match

For more complex policies, utilize multiple actions and conditions blocks:

- actions:
    - api:datasources:create
    - api:datasources:read
    - api:datasources:update
    - api:datasources:delete
  conditions:
    - field: datasource.name
      value: AWS-DS-01
      comparator: match
- actions:
    - api:exceptions:read
  conditions:
    - field: exception.name
      value: AWS-DS-01-exception
      comparator: match
- ... more ...

The value block can be constructed with multiple items. Here is a policy that allows read permissions for datasources "AWS-DS-02" and "AWS-DS-03" only for users who are in a customer SSO defined group "customer-group-1":

- actions:
    - api:datasources:read
  conditions:
    - comparator: oneof
      field: datasource.name
      value:
        - AWS-DS-02
        - AWS-DS-03
    - comparator: match
      field: user.group
      value: customer-group-1

Each logic block that contains conditions can only make reference to a service type, i.e. only datasources type:

# WRONG/INVALID
- actions:
    - api:datasources:read
    - api:exceptions:read
  conditions:
    - field: datasource.name
      value: AWS-DS-01
      comparator: match

# VALID
- actions:
    - api:datasources:read
  conditions:
    - field: datasource.name
      value: AWS-DS-01
      comparator: match
- actions:
    - api:exceptions:read
  conditions: []

Logic blocks with multiple service types are valid as long as there aren't any conditions associated with them:

# VALID
- actions:
    - api:datasources:read
    - api:exceptions:read
  conditions: []

You cannot specify the same field multiple times in a single logic block:

# WRONG/INVALID
  conditions:
    - comparator: oneof
      field: datasource.name
      value:
        - AWS-DS-02
        - AWS-DS-03
    - comparator: equals
      field: datasource.name
      value: AWS-DS-04

Certain actions are not able to be restricted by condition. The actions "api:logs:read" and "rpc:queries:execute" will not respect any associated conditions.

For example, the following policies are functionally identical:

- actions:
    - "api:logs:read"
  conditions: 
    - comparator: "match"
      field: "log.name"
      value: "*mylog*"

Will behave the exact same way as:

- actions:
    - "api:logs:read"
  conditions: []

Once you have written your policy, click Save to publish it. The policy will then be available to select from when creating and editing custom roles.

📘

Note

You can clone and edit any access policy. This is an easy way to tailor policies for your specific use cases. Navigate to any access policy, click on the more menu icon, and select Clone policy.

Updated about 1 month ago