Before you implement Role-Based Access Controls (RBAC), you should determine which roles your organization requires, based on your users, the activities you need them to perform, and the data you need them to access.
There are three steps to implement RBAC. You can do these steps in any order, but we suggest that you perform them in the following order:
- Create your Data Access Set.
- Create your users.
- Create your Roles.
Creating your Data Access Sets (DAS)
A Data Access Set is a configurable way to limit data visibility. When paired with a Role, it exposes only the data configured within the DAS to the users of that Role. When you create a Data Access Set, you are essentially creating a folder with an optional set of rules that filters all incoming collaborative platform content, so that only the data you specify is available in that Data Access Set for use in Signal policies and events, and in Searches. A Data Access Set can be made up of entire content platforms or Azure Active Directory groups, or narrowed down to sources such as a single platform group (for example, a specific Slack channel).
Method 1 - Enable Default Data Access Set:
- Go to System Settings > Account Configuration.
- Scroll to Access Control Setting.
- Click the slider to Enable Default Data Access Set.
- Aware's Default Data Access Set includes all data sources integrated within your Aware tenant and keeps itself up to date with all integrations in the tenant. When enabled, the Default Data Access Set is available for managing what data roles are able to access within your Aware environment. This does not affect your ability to create custom Data Access Sets.

NOTE: If you will only be allowing a select few users access to Aware, this option may be for you. It is an easy way to get up and running with Data Access Sets, especially if you do not need the more granular custom Data Access Set creation. Once toggled on, this cannot be undone.
Method 2 - Creating a Data Access Set directly:
- Go to System Settings > Roles.
- Select New Data Access Set from the Actions drop-down menu.
- Enter a Data Access Set name:
  - Name must be unique.
  - Maximum of 100 characters.
  - Special characters are allowed with no restrictions.
  - Not case sensitive.
- Enter a Data Access Set description:
  - Maximum of 255 characters.
  - Special characters are allowed with no restrictions.
- Select one or more collaborative content platforms whose data you want accessible in the data set.
- For each selected content platform, you can click Choose Platforms or Choose what is included to further filter the data going into the data set. You can filter by sources, such as General, Public, or Private Channels in Slack.
  NOTE: If you do not select Choose Platforms or Choose what is included, then all sources within the selected collaborative content platforms, with the exception of platform groups, are automatically included as filters for the data from those platforms.
- You can also filter by platform group within a content platform by searching for its name.
  - Click Choose groups in the Choose Platform Groups (Optional) section.
  - Type the name of the group in the Find groups by name search field.
  - Select Add for the group that you want to add to the Data Access Set. The group is listed in Selected Groups.
  - You can add additional platform groups by searching by name and selecting the appropriate group. When all platform groups have been selected, click Save Groups. The selected platform groups will be listed in the Included AAD Groups section of the New Data Access Set screen.
- You can also select specific Azure Active Directory (AAD) Groups to add to the Data Access Set. Adding an AAD Group limits the scope of data available to use in Aware applications for associated Roles.
  - To select a group, click Choose groups in the Choose Azure Active Directory Groups (Optional) section.
  - Type the name of the group in the Find groups by name search field. As you type characters, groups that match the characters will be listed.
  - Select Add for the group that you want to add to the Data Access Set. The group is listed in Selected Groups.
  - You can add additional AAD groups by typing their names in the Find groups by name search field and selecting Add for each group that you want to add to the Data Access Set.
  - When all AAD groups have been selected, click Add Groups. The selected AAD groups will be listed in the Included AAD Groups section of the New Data Access Set screen.
- Click Save Data Access Set.
Method 3 - Creating a Data Access Set while creating a Role:
You can also create a Data Access Set while you are creating a Role.
- Go to System Settings > Roles and click +New Role.
- Enter Role name:
  - Must be unique.
  - Maximum of 100 characters.
  - Not case sensitive.
  - Special characters are allowed and there are no restrictions on the characters.
  - Required field.
- Enter Role Description:
  - Maximum of 255 characters.
  - Special characters are allowed and there are no restrictions on the characters.
  - Not case sensitive.
  - Does not need to be unique.
  - Optional field, but very helpful in determining which roles to assign to users.
- Click Permissions.
- Select which Signal or Search & Discover permissions you want to assign to the role.
  - For Signal, the following permissions are available:
    - Signal Admin - Allows complete Data Access as well as access to all Policies and Rules in Signal.
    - Manage Policies - Allows creating, editing and deleting of authorized Signal policies. Selecting this also sets the Manage Rules and View Policies and Rules permissions. Policy Creators can create policies and invite other Creators and Event Managers to policies they created or have been invited to. They can see which users are given permissions to a policy they created or have been invited to, modify the roles of Creators and Event Managers (for example, upgrade an Event Manager's permission level to Creator), and add and remove Creators and Event Managers on a policy they created or have been invited to.
    - Manage Rules - Allows creating, editing and deleting of rules associated with authorized Signal policies. Selecting this also sets the View Policies and Rules permission.
    - Manage Events - Allows taking action (tombstoning, deleting, exporting, etc.) on events associated with authorized Signal policies. Selecting this also sets the View Policies and Rules and View Events permissions. Event Managers can view and manage events for policies they have been invited to. They cannot create policies or see policies they have not been invited to, and have no invite capability.
    - View Policies and Rules - Allows viewing of Signal policies and their associated rules. This permission can be set independently.
    - View Events - Allows viewing of events associated with authorized Signal policies. Selecting this also sets the View Policies and Rules permission.
  - For Search & Discover, the following permissions are available:
    - Search and Discover Admin - Allows complete Data Access as well as access to all searches.
    - Manage Searches - If your role is a Search Manager, you have the Manage Searches and View Searches permissions by default. By themselves, these allow you to create a new search for any Data Access Set that you are authorized to access, and to view and rerun any search that you can access. However, you cannot mark or export results. An Aware Admin can add the Manage Search Results permission, or make you a Search Admin, Search Result Manager, or Search Viewer.
    - Manage Search Results - If your role is a Search Result Manager, you have the Manage Search Results and View Searches permissions by default. By themselves, these allow you to view and mark results for any search that you are authorized to access and to export its results. However, you cannot create a new search, update an existing search, or rerun an existing search. An Aware Admin can add the Manage Searches permission, or make you a Search Admin, Search Manager, or Search Viewer.
    - View Searches - If your role is a Search Viewer, you have the View Searches permission by default. By itself, this allows you to view any search that you are authorized to access, along with its results. However, you cannot create a new search, rerun prior searches, or mark or export results of prior searches. An Aware Admin can add the Manage Search Results and/or Manage Searches permission, or make you a Search Admin, Search Manager, or Search Result Manager.
- Select Data Access.
- Click Add Data Access Set.
- Click New Data Access Set.
- Enter a Data Access Set name:
  - Name must be unique.
  - Maximum of 100 characters.
  - Special characters are allowed with no restrictions on characters.
  - Not case sensitive.
- Enter a Data Access Set description:
  - Maximum of 255 characters.
  - Special characters are allowed with no restrictions on characters.
- Select one or more collaborative content platforms whose data you want accessible in the data set.
- For each selected content platform, you can click Choose Platforms or Choose what is included to further filter the data going into the data set. You can filter by sources, such as General, Public, or Private Channels in Slack.
  NOTE: If you do not select Choose Platforms or Choose what is included, then all sources within the selected collaborative content platforms, with the exception of platform groups, are automatically included as filters for the data from those platforms.
- You can also filter by platform group within a content platform by searching for its name.
  - Click Choose groups in the Choose Platform Groups (Optional) section.
  - Type the name of the group in the Find groups by name search field.
  - Select Add for the group that you want to add to the Data Access Set. The group is listed in Selected Groups.
  - You can add additional platform groups by searching by name and selecting the appropriate group. When all platform groups have been selected, click Save Groups. The selected platform groups will be listed in the Included AAD Groups section of the New Data Access Set screen.
- You can also select specific Azure Active Directory (AAD) Groups to add to the Data Access Set.
  - To select a group, click Choose groups in the Choose Azure Active Directory Groups (Optional) section.
  - Type the name of the group in the Find groups by name search field. As you type characters, groups that match the characters will be listed.
  - Select Add for the group that you want to add to the Data Access Set. The group is listed in Selected Groups.
  - You can add additional AAD groups by typing their names in the Find groups by name search field and selecting Add for each group that you want to add to the Data Access Set.
  - When all AAD groups have been selected, click Add Groups. The selected AAD groups will be listed in the Included AAD Groups section of the New Data Access Set screen.
- Click Save Data Access Set.
Changing a Data Access Set
There are a few things to consider when changing the Data Access Set associated with a Signal Policy:
- Changing a Data Access Set potentially changes who has access to the policy as well as what permissions they have on that policy (e.g. one user may be in two different roles that have Signal permissions; perhaps one is "event viewing only" but the other includes the ability to export events).
- Before updating the Data Access Set on a policy, inventory the users, roles, and permissions associated with both the current and the future Data Access Set.
- When changing the Data Access Set for an existing Signal policy, historical events remain unchanged. If this is not acceptable, create a new policy instead.
- Changing a Data Access Set can impact Rule audience scope. Rules that are impacted (meaning the audience definition conflicts with the DAS definition) are deactivated until reviewed and reactivated. The UI will inventory the impacted rules and guide you to them.
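The following is an added example, not Aware's own code, that models the Signal permission implication rules listed under Method 3 together with DAS scoping, and uses that model to perform the inventory step recommended above: it reports which users' effective permissions on a policy would change if the policy's Data Access Set were switched. Permission names and the "also sets" rules are taken from this page; the role names, user names and DAS names are constructed, and treating Signal Admin as every Signal permission on every DAS is an assumption drawn from its description.

```python
# Added example (not Aware's own code): model of the Signal permission
# implication rules and Data Access Set (DAS) scoping on this page. Permission
# names and "also sets" rules are from the page; roles, users and DAS names are constructed.
SIGNAL_PERMS = {"Manage Policies", "Manage Rules", "Manage Events",
                "View Policies and Rules", "View Events"}

IMPLIES = {  # "Selecting this also sets ..." rules from the page
    "Manage Policies": {"Manage Rules", "View Policies and Rules"},
    "Manage Rules": {"View Policies and Rules"},
    "Manage Events": {"View Policies and Rules", "View Events"},
    "View Events": {"View Policies and Rules"},
    "Signal Admin": SIGNAL_PERMS,  # assumption: admin = every Signal permission
}

def expand(perms):
    """Transitive closure of a permission set under the IMPLIES rules."""
    closed, todo = set(), list(perms)
    while todo:
        p = todo.pop()
        if p not in closed:
            closed.add(p)
            todo.extend(IMPLIES.get(p, ()))
    return closed

def effective(user_roles, roles, policy_das):
    """Union of expanded permissions from the user's roles that include the policy's DAS."""
    perms = set()
    for name in user_roles:
        granted, sets = roles[name]
        if policy_das in sets or "Signal Admin" in granted:  # admin has complete data access
            perms |= expand(granted)
    return perms

def das_change_impact(users, roles, old_das, new_das):
    """Inventory step: users whose effective permissions change when a policy's DAS is switched."""
    report = {}
    for user, user_roles in users.items():
        before = effective(user_roles, roles, old_das)
        after = effective(user_roles, roles, new_das)
        if before != after:
            report[user] = (before, after)
    return report

# Constructed sample: role -> (permissions, DAS names the role may use).
ROLES = {
    "HR Viewer": ({"View Events"}, {"HR Slack"}),
    "Legal Events": ({"Manage Events"}, {"Legal Teams"}),
    "Signal Admins": ({"Signal Admin"}, set()),
}
USERS = {"alice": ["HR Viewer", "Legal Events"], "bob": ["HR Viewer"], "carol": ["Signal Admins"]}
```

Running `das_change_impact(USERS, ROLES, "HR Slack", "Legal Teams")` shows alice gaining Manage Events (export capability) and bob losing all access, while carol is unaffected; that is exactly the before/after inventory worth reviewing before saving the change.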