Role-based access control (RBAC) makes for easy management, protection and adoption of Cloud Control.
Essentially Cloud Control is used by administrators to manage and monitor targets in the infrastructure. There are however some interesting views that can benefit other roles (eg: developers, Business Analysts, managers). From a security perspective there are a number of practical things to consider when implementing and rolling out RBAC.
- Use roles (never individual granted privileges)
- Least privilege principle (protection, resposibilities)
- Use Privilege Propagation Groups (easy of administration)
- Audit grants
To be able to configure Role-based access control, define some functional fields/roles that might need access to Cloud Control. For these fields/roles create a role and a Privilege Propagation Group.
To illustrate role-based access control in Enterprise Manager Cloud Control, let’s implement access for developers to all targets in the developement lifecycle.
We need to create TWO groups:
- Administration group for aggregating targets based on one or more properties. Target membership is dynamic based on the properties of targets. Working with administration groups will be covered more detailed in a separate blog.
- Privilege Propagation group (PPG) for implementing privilege propagating on the connected targets
I already created a hierarchy based on the Lifecycle Status property.
Next create the Privilege propagation group.
Add the targets needed in the group. Here we select the relevant Administartion group. Make sure you enable Privilege Propagation.
That’s all we need to do for the groups.
Next we need to create two roles.
- role for connecting the Privilege propagation group and the needed resource privileges.
- role for grouping accounts (like our fine developers)
Go to setup > Security > Roles
Create the role to host the resource privileges.
Add the Privilege Propagation Group.
Define the resource privileges you want enabled through this role. In this case I want to add Application Performance Managent (APM) and JVM Diagnostics privileges.
When clicking the pencil you can specifically select the needed privileges.
You can skip the Roles and Administrators part.
Next create the users role.
Link the role with the targets and privileges to the user role.
Add all ‘administrator’ accounts of the developers. Don’t add any targets or resource privileges.
Now developers can access only those targets defined in the administration group with the applied privileges. When new developers are added to the user role, they will automatically inherent the privileges of all other developers.
For more info you can read my earlier post on Role-based acces control in Oracle Grid Control 11g .