- Whitehorses - http://blog.whitehorses.nl -

Cloud Control Security: Role-based access control


Role-based access control (RBAC) makes for easy management, protection and adoption of Cloud Control.

Essentially Cloud Control is used by administrators to manage and monitor targets in the infrastructure. There are, however, some interesting views that can benefit other roles (e.g. developers, business analysts, managers). From a security perspective there are a number of practical things to consider when implementing and rolling out RBAC: who gets to see which targets, which privileges travel with that view, and how the set-up keeps working as targets and people come and go.

To configure role-based access control, first identify the functional roles (job functions) that need access to Cloud Control. For each of them create a role and a Privilege Propagation Group (PPG).

RBAC Cloud Control [2]

To illustrate role-based access control in Enterprise Manager Cloud Control, let’s implement access for developers to all targets in the development lifecycle.

We need two groups: an Administration Group (already in place, see below) and a Privilege Propagation Group.

cc_ppg_cr_administartion_group [3]

I already created an Administration Group hierarchy based on the Lifecycle Status target property, so a target joins it as soon as its Lifecycle Status is set to one of the development values.

cc_ppg_administartion_group_hierarchy [4]

Next create the Privilege propagation group.

cc_ppg_menu_create_group [5]

cc_ppg_cr_group_add_targets [6]

Add the targets needed in the group. Here we select the relevant Administration Group. Make sure you enable Privilege Propagation, so that privileges granted on this group apply to every current and future member target.

That’s all we need to do for the groups.

Next we need to create two roles.

Go to Setup > Security > Roles.

cc_ppg_menu_roles [7]

Create the role to host the resource privileges.

c-ppg_cr_role_resource_privs [8]

Add the Privilege Propagation Group as the target of this role.

cc_ppg_cr_role_privs_add_PPG_group [9]

Define the resource privileges you want enabled through this role. In this case I want to add Application Performance Management (APM) and JVM Diagnostics privileges.

cc_ppg_cr_role_resource_privs [10]

Clicking the pencil icon lets you select exactly the privileges needed.

cc_ppg_cr_role_resource_privs_grant_JVMD [11]

The Roles and Administrators steps of the wizard can be skipped for this role: no users are granted it directly.

Next, create the user role.

cc_ppg_cr_role_props [12]

Grant the resource-privileges role created above to this user role, so that the user role inherits its targets and privileges.

cc_ppg_add_resprivs_role [13]

Add all ‘administrator’ accounts of the developers. Don’t add any targets or resource privileges to this role: everything a developer can do should come through the resource-privileges role, which keeps the grants in one place and easy to review.

cc_ppg_add_dev_to_role [14]

Now developers can access only the targets in the Administration Group, with only the privileges granted through the resource-privileges role. Because the group propagates privileges, targets that later join the hierarchy are covered automatically, and when new developers are added to the user role they inherit exactly the same privileges as the other developers.
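The same set-up can be scripted with EM CLI, which makes the grants reviewable and repeatable per environment. The script below is an added example, not part of the original post and not Oracle's code. It assumes an EM CLI client that is already set up and logged in as a super administrator; the group, role and account names are placeholders, and the privilege names passed to the resource role are assumptions (take the exact APM and JVMD privilege names from the console and check the verb options against the EM CLI reference for your Cloud Control release).

```shell
#!/bin/sh
# Added example (not from the original post or from Oracle): the developer
# RBAC set-up from this post, scripted with EM CLI.
# Assumes: emcli is set up and logged in as a super administrator.
# Placeholders: dev_ppg, dev_admin_group, role names, developer accounts.
# Assumed: the privilege names handed to create_resource_role; the
#   -privilege="name;target:type" and -privilege_propagation options should
#   be checked against the EM CLI reference for your release.
#
# Safe by default: commands are only printed. Set APPLY=1 to execute them.

APPLY="${APPLY:-0}"

# Print the command line; execute it only when APPLY=1.
run_emcli() {
    if [ "$APPLY" = "1" ]; then
        emcli "$@"
    else
        printf 'emcli %s\n' "$*"
    fi
}

# Step 1: the Privilege Propagation Group. Its only member is the existing
# Administration Group (hierarchy on Lifecycle Status), so any target that
# enters that hierarchy automatically falls under the grants made on the PPG.
create_ppg() {
    ppg="$1"; admin_group="$2"
    run_emcli create_group -name="$ppg" \
        -add_targets="$admin_group:group" \
        -privilege_propagation=true
}

# Step 2: the role that carries the resource privileges. Each privilege is
# scoped to the PPG (privilege;target:type), never granted on all targets.
# Usage: create_resource_role <role> <ppg> <privilege>...
create_resource_role() {
    role="$1"; ppg="$2"; shift 2
    priv_args=""
    for priv in "$@"; do
        priv_args="$priv_args -privilege=$priv;$ppg:group"
    done
    # priv_args is deliberately unquoted so each grant becomes its own word.
    run_emcli create_role -name="$role" -type=EM_ROLE \
        -desc="Resource privileges scoped to $ppg" $priv_args
}

# Step 3: the user role. It is granted the resource role and the developer
# accounts, and nothing else: no -privilege option, no targets of its own.
# Usage: create_user_role <user_role> <resource_role> <account>...
create_user_role() {
    user_role="$1"; resource_role="$2"; shift 2
    members=$(printf '%s;' "$@")   # create_role separates names with ';'
    members="${members%;}"
    run_emcli create_role -name="$user_role" -type=EM_ROLE \
        -desc="Developers: inherits $resource_role" \
        -roles="$resource_role" -users="$members"
}

# Onboarding and offboarding touch only the user role, so a developer's
# access is always exactly the set of grants on the resource role.
add_developer()    { run_emcli grant_roles  -name="$1" -roles="$2"; }
remove_developer() { run_emcli revoke_roles -name="$1" -roles="$2"; }

# Whole procedure for the development lifecycle. Replace APM_PRIVILEGE and
# JVMD_PRIVILEGE with the privilege names shown in the console.
setup_dev_rbac() {
    create_ppg dev_ppg dev_admin_group
    create_resource_role dev_resource_role dev_ppg \
        view_target APM_PRIVILEGE JVMD_PRIVILEGE
    create_user_role dev_users_role dev_resource_role dev_alice dev_bob
}

setup_dev_rbac
```

Run it once without `APPLY=1` and read the printed commands as the change record before applying. After applying, log in as one of the developer accounts and confirm that the target list contains only members of the Administration Group and that the user role itself still carries no target or resource privileges; anything else means a grant was made outside the resource role.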

For more info you can read my earlier post on role-based access control in Oracle Grid Control 11g [15].