Roles are a collection of access policies that include a set of permissions. There are predefined roles that can be assigned to users within each organization. In addition, custom roles can be created to limit a users access and privileges for specific data sources. Each user can be assigned multiple roles within each organization.
To create a custom role, first navigate to the Secberus Admin by clicking on the Organization select menu followed by Manage account.
Navigate to Roles.
Click + New role to bring up the setup screen.
Include the Name of the role, a short Description, and then select one or more Access policies that define the privileges for the role. See Creating access policies for more information.
To create a new access policy, first navigate to the Secberus Admin section and select the Access policies item.
Click + New policy to bring up the Create a new access policy screen.
Include the Name of the policy and a short Description, then click the Policy editor tab.
Custom access policies can be created using the YAML language. Policies will be composed of two sections: Action and Condition. Permissions are purely additive (there are no "deny" rules).
See complete list of api action permissions
See complete list of available attributes
- equals: "abc123"
- prefix: "PRE_"
- suffix: "_SUF"
- match: "bc12"
- oneof: "bc123"
Here is a simple access policy that allows full unrestricted access to a single datasource named "AWS-DS-01":
- action: - api:datasources:create - api:datasources:read - api:datasources:list - api:datasources:update - api:datasources:delete condition: - field: datasource.name value: AWS-DS-01 comparator: match
For more complex policies, utilize multiple action and condition blocks:
- action: - api:datasources:create - api:datasources:read - api:datasources:list - api:datasources:update - api:datasources:delete condition: - field: datasource.name value: AWS-DS-01 comparator: match - action: - api:exceptions:read - api:exceptions:list condition: - field: exception.name value: AWS-DS-01-exception comparator: match - ... more ...
The value block can be constructed with multiple items. Here is a policy that allows read and list permissions for datasources "AWS-DS-02" and "AWS-DS-03" only for users who are in a customer SSO defined group "customer-group-1":
- action: - api:datasources:read - api:datasources:list condition: - comparator: oneof field: datasource.name value: - AWS-DS-02 - AWS-DS-03 - comparator: match field: user.group value: customer-group-1
Each logic block can only make reference to a single type of action:
# WRONG/INVALID - actions: - api:datasources:read - api:resources:list # VALID - actions: - api:datasources:read - api:datasources:update
You cannot specify the same field multiple times in a single logic block:
# WRONG/INVALID condition: - comparator: oneof field: datasource.name value: - AWS-DS-02 - AWS-DS-03 - comparator: equals field: datasource.name value: AWS-DS-04
Certain actions are not able to be restricted by condition. The actions "api:logs:list" and "api:test-policy:execute" will not respect any associated conditions.
For example, the following policies are functionally identical:
- actions: - "api:logs:list" conditions: - comparator: "match" field: "log.name" value: "*mylog*"
Will behave the exact same way as:
- actions: - "api:logs:list" conditions: 
Once you have written your policy, click Save to publish it. The policy will then be available to select from when creating and editing custom roles.
You can clone and edit any access policy. This is an easy way to tailor policies for your specific use cases. Navigate to any access policy, click on the settings gear icon, and select Clone policy.
Updated 2 days ago