
Cloud Control Security: Role-based access control

by Tony van Esch on November 29, 2013

Role-based access control (RBAC) makes for easy management, protection and adoption of Cloud Control.

Essentially, Cloud Control is used by administrators to manage and monitor targets in the infrastructure. There are, however, some interesting views that can benefit other roles (e.g. developers, business analysts, managers). From a security perspective there are a number of practical things to consider when implementing and rolling out RBAC:

  • Use roles (never individually granted privileges)
  • Least privilege principle (protection, responsibilities)
  • Use Privilege Propagation Groups (ease of administration)
  • Audit grants

To be able to configure role-based access control, first identify the functional areas/roles that need access to Cloud Control. For each of these, create a role and a Privilege Propagation Group.

RBAC Cloud Control

To illustrate role-based access control in Enterprise Manager Cloud Control, let’s implement access for developers to all targets in the development lifecycle.

We need to create TWO groups:

  • Administration group for aggregating targets based on one or more properties. Target membership is dynamic, based on the properties of the targets. Working with administration groups will be covered in more detail in a separate blog post.
  • Privilege Propagation Group (PPG) for implementing privilege propagation to the connected targets.

[Screenshot: create administration group]

I already created a hierarchy based on the Lifecycle Status property.

[Screenshot: administration group hierarchy based on Lifecycle Status]

Next, create the Privilege Propagation Group.

[Screenshot: Groups menu, Create Group]

[Screenshot: Create Group, add targets]

Add the targets needed in the group. Here we select the relevant Administration group. Make sure you enable Privilege Propagation.

That’s all we need to do for the groups.

Next we need to create two roles:

  • a role for connecting the Privilege Propagation Group and the needed resource privileges;
  • a role for grouping accounts (like our fine developers).

Go to Setup > Security > Roles.

[Screenshot: Setup > Security > Roles menu]

Create the role to host the resource privileges.

[Screenshot: create role for resource privileges]

Add the Privilege Propagation Group.

[Screenshot: Create Role, add Privilege Propagation Group]

Define the resource privileges you want enabled through this role. In this case I want to add Application Performance Management (APM) and JVM Diagnostics privileges.

[Screenshot: Create Role, resource privileges]

When clicking the pencil icon you can select exactly the privileges needed.

[Screenshot: grant JVM Diagnostics resource privileges]

You can skip the Roles and Administrators part.

Next, create the users role.

[Screenshot: Create Role, properties of the users role]

Link the role that holds the targets and privileges to the users role.

[Screenshot: add the resource privileges role to the users role]

Add all ‘administrator’ accounts of the developers. Don’t add any targets or resource privileges to this role.

[Screenshot: add developers to the users role]

Now developers can access only those targets defined in the administration group, with the applied privileges. When new developers are added to the users role, they automatically inherit the same privileges as all other developers.
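To show how the pieces above fit together (dynamic administration group membership, privilege propagation through the PPG, a resource role nested inside a users role) and how to audit the "never individually granted privileges" rule, here is an added model written for this post. It is not Oracle code and not the post's own configuration: the group, role, user, target and privilege names are all hypothetical, and the propagation logic is a simplified model of what Cloud Control does in its repository. It goes slightly beyond the post by including an audit function that lists grants made directly to users outside any role.

```python
"""Simplified model of Cloud Control RBAC with privilege propagation.

Constructed example (not Oracle code). All names are hypothetical.
"""
from dataclasses import dataclass, field


@dataclass
class Target:
    name: str
    type: str
    properties: dict          # e.g. {"Lifecycle Status": "Development"}


@dataclass
class AdminGroup:
    """Administration group: membership is dynamic, derived from target properties."""
    name: str
    criteria: dict            # property name -> required value

    def members(self, targets):
        return [t for t in targets
                if all(t.properties.get(k) == v for k, v in self.criteria.items())]


@dataclass
class PPGroup:
    """Privilege Propagation Group wrapping one or more administration groups."""
    name: str
    admin_groups: list
    privilege_propagation: bool = True

    def propagated_targets(self, targets):
        # Without propagation a grant on the group does not reach its member targets.
        if not self.privilege_propagation:
            return []
        return [t for g in self.admin_groups for t in g.members(targets)]


@dataclass
class Role:
    name: str
    target_grants: dict = field(default_factory=dict)   # PPG name -> target privilege
    resource_privs: set = field(default_factory=set)    # e.g. APM / JVMD privileges
    roles: set = field(default_factory=set)             # nested roles
    users: set = field(default_factory=set)             # administrator accounts


class Repository:
    def __init__(self):
        self.targets = []
        self.ppgs = {}
        self.roles = {}
        self.direct_grants = {}   # user -> {(target, privilege)}: the anti-pattern to audit

    def roles_of(self, user):
        """Transitive closure of the roles a user holds, following nested roles."""
        found = set()
        stack = [r.name for r in self.roles.values() if user in r.users]
        while stack:
            name = stack.pop()
            if name in found:
                continue
            found.add(name)
            stack.extend(self.roles[name].roles)
        return found

    def effective_privileges(self, user):
        """Set of (target, privilege); resource privileges use target '*'."""
        privs = set()
        for rname in self.roles_of(user):
            role = self.roles[rname]
            for ppg_name, tpriv in role.target_grants.items():
                for t in self.ppgs[ppg_name].propagated_targets(self.targets):
                    privs.add((t.name, tpriv))
            privs |= {("*", rp) for rp in role.resource_privs}
        privs |= self.direct_grants.get(user, set())
        return privs

    def audit_direct_grants(self):
        """Grants given to users directly rather than through a role."""
        return {u: g for u, g in self.direct_grants.items() if g}


def build_demo():
    """The post's scenario with constructed names: developers get the Development lifecycle."""
    repo = Repository()
    repo.targets = [
        Target("dev_db1", "oracle_database", {"Lifecycle Status": "Development"}),
        Target("dev_wls1", "weblogic_j2eeserver", {"Lifecycle Status": "Development"}),
        Target("prod_db1", "oracle_database", {"Lifecycle Status": "Production"}),
    ]
    dev_ag = AdminGroup("AG_Development", {"Lifecycle Status": "Development"})
    repo.ppgs["PPG_Development"] = PPGroup("PPG_Development", [dev_ag])
    repo.roles["ROLE_DEV_RESOURCES"] = Role(       # role holding PPG grant + resource privs
        "ROLE_DEV_RESOURCES",
        target_grants={"PPG_Development": "VIEW_TARGET"},   # hypothetical privilege names
        resource_privs={"APM_VIEW", "JVMD_VIEW"})
    repo.roles["ROLE_DEVELOPERS"] = Role(           # users role: nests the resource role
        "ROLE_DEVELOPERS", roles={"ROLE_DEV_RESOURCES"}, users={"alice", "bob"})
    return repo


if __name__ == "__main__":
    repo = build_demo()
    for user in sorted(repo.roles["ROLE_DEVELOPERS"].users):
        print(user, sorted(repo.effective_privileges(user)))
    print("direct grants to audit:", repo.audit_direct_grants())
```

Adding a developer to ROLE_DEVELOPERS or adding a new target with Lifecycle Status "Development" changes nothing in the roles; the effective privileges follow automatically, which is the point of combining a dynamic administration group with a PPG. Turning off privilege propagation on the group, or granting a privilege directly to a user, are the two mistakes the audit function and the propagation check are meant to surface.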

For more info you can read my earlier post on role-based access control in Oracle Grid Control 11g.
