Custom Roles

Roles overview

Roles are a collection of access policies that include a set of permissions. There are predefined roles that can be assigned to users within each organization. In addition, custom roles can be created to limit a users access and privileges for specific data sources. Each user can be assigned multiple roles within each organization.

Creating custom roles

To create a custom role, first navigate to the Secberus Admin by clicking on the Organization select menu followed by Manage account.

Navigate to Roles.

Click + New role to bring up the setup screen.

Include the Name of the role, a short Description, and then select one or more Access policies that define the privileges for the role. See Creating access policies for more information.

Creating access policies

To create a new access policy, first navigate to the Secberus Admin section and select the Access policies item.

Click + New policy to bring up the Create a new access policy screen.

Include the Name of the policy and a short Description, then click the Policy editor tab.

Custom access policies can be created using the YAML language. Policies will be composed of two sections: Action and Condition. Permissions are purely additive (there are no "deny" rules).

Example policies

Here is a simple access policy that allows full unrestricted access to a single datasource named "AWS-DS-01":

- action:
    - api:datasources:create
    - api:datasources:read
    - api:datasources:list
    - api:datasources:update
    - api:datasources:delete
  condition:
    - field: datasource.name
      value: AWS-DS-01
      comparator: match

For more complex policies, utilize multiple action and condition blocks:

- action:
    - api:datasources:create
    - api:datasources:read
    - api:datasources:list
    - api:datasources:update
    - api:datasources:delete
  condition:
    - field: datasource.name
      value: AWS-DS-01
      comparator: match
- action:
    - api:exceptions:read
    - api:exceptions:list
  condition:
    - field: exception.name
      value: AWS-DS-01-exception
      comparator: match
- ... more ...

The value block can be constructed with multiple items. Here is a policy that allows read and list permissions for datasources "AWS-DS-02" and "AWS-DS-03" only for users who are in a customer SSO defined group "customer-group-1":

- action:
    - api:datasources:read
    - api:datasources:list
  condition:
    - comparator: oneof
      field: datasource.name
      value:
        - AWS-DS-02
        - AWS-DS-03
    - comparator: match
      field: user.group
      value: customer-group-1

Each logic block can only make reference to a single type of action:

# WRONG/INVALID
- actions:
  - api:datasources:read
  - api:resources:list

# VALID
- actions:
  - api:datasources:read
  - api:datasources:update

You cannot specify the same field multiple times in a single logic block:

# WRONG/INVALID
  condition:
    - comparator: oneof
      field: datasource.name
      value:
        - AWS-DS-02
        - AWS-DS-03
    - comparator: equals
      field: datasource.name
      value: AWS-DS-04

Certain actions are not able to be restricted by condition. The actions "api:logs:list" and "api:test-policy:execute" will not respect any associated conditions.

For example, the following policies are functionally identical:

- actions:
  - "api:logs:list"
  conditions: 
    - comparator: "match"
      field: "log.name"
      value: "*mylog*"

Will behave the exact same way as:

- actions:
  - "api:logs:list"
  conditions: []

Once you have written your policy, click Save to publish it. The policy will then be available to select from when creating and editing custom roles.

📘

Note

You can clone and edit any access policy. This is an easy way to tailor policies for your specific use cases. Navigate to any access policy, click on the settings gear icon, and select Clone policy.