Planning RBAC Infrastructure

Estimated Reading Time:  6 minutes

Overview

When planning RBAC infrastructure, rigorous testing is necessary to ensure your RBAC (Role-Based Access Control, a method to control system access for authorized users; the role in RBAC refers to the level of access employees have to a network) works correctly. The goal of your infrastructure is to allow end-users (also known as Express Users: the individuals accessing an application through Express View, who in most cases are the customers using the product) to view only the submission data their role and group permit. Start by listing all the end-users, and then map the submissions each account needs access to.

NOTE  This article relies on the RBAC infrastructure laid out in our Building a Client's RBAC Requirements article. Refer back to that sample infrastructure if you need clarity on the role hierarchy or groups at any point in this article.

What You'll Learn

In this article, you'll learn how to prepare your RBAC infrastructure.

Creating Test Accounts

It's a best practice to use two accounts for every role and group. That way, you can test each role and group twice to confirm the RBAC is correct. For this example, two agencies exist: Agency 1 and Agency 2. Each agency requires City Admin, Agency Admin, Program Manager, and Client roles. For testing purposes, create two accounts of each role for each agency. For example, Agency Admin 1A and Agency Admin 1B for Agency 1. Then, Agency Admin 2A and Agency Admin 2B accounts for Agency 2.

Below are examples of each account:

City Admin
  • City Admin A
  • City Admin B

Agency Admin
  • Agency Admin 1A
  • Agency Admin 1B
  • Agency Admin 2A
  • Agency Admin 2B

Program Manager
  • Program Manager 1A
  • Program Manager 1B
  • Program Manager 2A
  • Program Manager 2B

Client
  • Client 1A
  • Client 1B
  • Client 2A
  • Client 2B

To test the RBAC infrastructure, create unique logins for each account. It's a best practice to use variations of your own email address for ease of testing. Begin with your email address. Then, add a + (plus sign) followed by a unique string between the user name and the @ (at sign). This string should clearly identify the account the email address belongs to. For example, the email address for the City Admin A account can be your_email+caa@unqork.com.

Below are examples of each account's email address:

Name                  Email
City Admin A          your_email+caa@unqork.com
City Admin B          your_email+cab@unqork.com
Agency Admin 1A       your_email+aa1a@unqork.com
Agency Admin 1B       your_email+aa1b@unqork.com
Agency Admin 2A       your_email+aa2a@unqork.com
Agency Admin 2B       your_email+aa2b@unqork.com
Program Manager 1A    your_email+pm1a@unqork.com
Program Manager 1B    your_email+pm1b@unqork.com
Program Manager 2A    your_email+pm2a@unqork.com
Program Manager 2B    your_email+pm2b@unqork.com
Client 1A             your_email+c1a@unqork.com
Client 1B             your_email+c1b@unqork.com
Client 2A             your_email+c2a@unqork.com
Client 2B             your_email+c2b@unqork.com

Mapping Submission Access

Next, determine which data each account should access. It's useful to do this visually with tables displaying which submission data each account can access. In the following charts, a marked (colored) cell indicates that the account in the column header has access to the submission data of the account in the row to the left of that cell. Use these charts as worksheets to record your tests and confirm that your RBAC is set up correctly.

City Admin

The table below states that the City Admin roles must have access to all submissions.

Submissions of         City Admin A    City Admin B
City Admin A           [ ]             [ ]
City Admin B           [ ]             [ ]
Agency Admin 1A        [ ]             [ ]
Agency Admin 1B        [ ]             [ ]
Agency Admin 2A        [ ]             [ ]
Agency Admin 2B        [ ]             [ ]
Program Manager 1A     [ ]             [ ]
Program Manager 1B     [ ]             [ ]
Program Manager 2A     [ ]             [ ]
Program Manager 2B     [ ]             [ ]
Client 1A              [ ]             [ ]
Client 1B              [ ]             [ ]
Client 2A              [ ]             [ ]
Client 2B              [ ]             [ ]

Agency Admin

Agency Admin roles must have access to submissions from the City Admin accounts and anyone in their agency.

Submissions of         Agency Admin 1A   Agency Admin 1B   Agency Admin 2A   Agency Admin 2B
City Admin A           [ ]               [ ]               [ ]               [ ]
City Admin B           [ ]               [ ]               [ ]               [ ]
Agency Admin 1A        [ ]               [ ]               [ ]               [ ]
Agency Admin 1B        [ ]               [ ]               [ ]               [ ]
Agency Admin 2A        [ ]               [ ]               [ ]               [ ]
Agency Admin 2B        [ ]               [ ]               [ ]               [ ]
Program Manager 1A     [ ]               [ ]               [ ]               [ ]
Program Manager 1B     [ ]               [ ]               [ ]               [ ]
Program Manager 2A     [ ]               [ ]               [ ]               [ ]
Program Manager 2B     [ ]               [ ]               [ ]               [ ]
Client 1A              [ ]               [ ]               [ ]               [ ]
Client 1B              [ ]               [ ]               [ ]               [ ]
Client 2A              [ ]               [ ]               [ ]               [ ]
Client 2B              [ ]               [ ]               [ ]               [ ]

Program Manager

Program Manager roles must have access to submissions from all clients in their program, but not from other Program Manager roles.

Submissions of         Program Manager 1A   Program Manager 1B   Program Manager 2A   Program Manager 2B
City Admin A           [ ]                  [ ]                  [ ]                  [ ]
City Admin B           [ ]                  [ ]                  [ ]                  [ ]
Agency Admin 1A        [ ]                  [ ]                  [ ]                  [ ]
Agency Admin 1B        [ ]                  [ ]                  [ ]                  [ ]
Agency Admin 2A        [ ]                  [ ]                  [ ]                  [ ]
Agency Admin 2B        [ ]                  [ ]                  [ ]                  [ ]
Program Manager 1A     [ ]                  [ ]                  [ ]                  [ ]
Program Manager 1B     [ ]                  [ ]                  [ ]                  [ ]
Program Manager 2A     [ ]                  [ ]                  [ ]                  [ ]
Program Manager 2B     [ ]                  [ ]                  [ ]                  [ ]
Client 1A              [ ]                  [ ]                  [ ]                  [ ]
Client 1B              [ ]                  [ ]                  [ ]                  [ ]
Client 2A              [ ]                  [ ]                  [ ]                  [ ]
Client 2B              [ ]                  [ ]                  [ ]                  [ ]

Client

Client roles must have access to only their submissions.

Submissions of         Client 1A   Client 1B   Client 2A   Client 2B
City Admin A           [ ]         [ ]         [ ]         [ ]
City Admin B           [ ]         [ ]         [ ]         [ ]
Agency Admin 1A        [ ]         [ ]         [ ]         [ ]
Agency Admin 1B        [ ]         [ ]         [ ]         [ ]
Agency Admin 2A        [ ]         [ ]         [ ]         [ ]
Agency Admin 2B        [ ]         [ ]         [ ]         [ ]
Program Manager 1A     [ ]         [ ]         [ ]         [ ]
Program Manager 1B     [ ]         [ ]         [ ]         [ ]
Program Manager 2A     [ ]         [ ]         [ ]         [ ]
Program Manager 2B     [ ]         [ ]         [ ]         [ ]
Client 1A              [ ]         [ ]         [ ]         [ ]
Client 1B              [ ]         [ ]         [ ]         [ ]
Client 2A              [ ]         [ ]         [ ]         [ ]
Client 2B              [ ]         [ ]         [ ]         [ ]

Creating Groups and Assigning Roles

Lastly, create groups and determine which roles should be included in each. It's critical that a role is included in a group only if it requires access to that group's submissions. For this example, the groups are dept-labor-admin, agency-1, agency-2, program-1, and program-2.

The table below displays the complete relationships between roles, accounts, and groups:

Account Name: City Admin A
Email Address: your_email+caa@unqork.com
Role: CityAdmin
Group(s): dept-labor-admin, agency-1, agency-2, program-1, program-2
Description: Only City Admins are part of the dept-labor-admin group. As admins, they also need access to submission data in all other groups.

Account Name: City Admin B
Email Address: your_email+cab@unqork.com
Role: CityAdmin
Group(s): dept-labor-admin, agency-1, agency-2, program-1, program-2
Description: Only City Admins are part of the dept-labor-admin group. As admins, they also need access to submission data in all other groups.

Account Name: Agency Admin 1A
Email Address: your_email+aa1a@unqork.com
Role: AgencyAdmin
Group(s): agency-1, program-1
Description: An Agency Admin 1 must have access to agency-1 and program-1 submissions, but not those in the agency-2 or program-2 groups.

Account Name: Agency Admin 1B
Email Address: your_email+aa1b@unqork.com
Role: AgencyAdmin
Group(s): agency-1, program-1
Description: An Agency Admin 1 must have access to agency-1 and program-1 submissions, but not those in the agency-2 or program-2 groups.

Account Name: Agency Admin 2A
Email Address: your_email+aa2a@unqork.com
Role: AgencyAdmin
Group(s): agency-2, program-2
Description: An Agency Admin 2 must have access to agency-2 and program-2 submissions, but not those in the agency-1 or program-1 groups.

Account Name: Agency Admin 2B
Email Address: your_email+aa2b@unqork.com
Role: AgencyAdmin
Group(s): agency-2, program-2
Description: An Agency Admin 2 must have access to agency-2 and program-2 submissions, but not those in the agency-1 or program-1 groups.

Account Name: Program Manager 1A
Email Address: your_email+pm1a@unqork.com
Role: ProgramManager
Group(s): program-1
Description: A Program Manager 1 must have access to program-1 submissions, but not those in the program-2 group.

Account Name: Program Manager 1B
Email Address: your_email+pm1b@unqork.com
Role: ProgramManager
Group(s): program-1
Description: A Program Manager 1 must have access to program-1 submissions, but not those in the program-2 group.

Account Name: Program Manager 2A
Email Address: your_email+pm2a@unqork.com
Role: ProgramManager
Group(s): program-2
Description: A Program Manager 2 must have access to program-2 submissions, but not those in the program-1 group.

Account Name: Program Manager 2B
Email Address: your_email+pm2b@unqork.com
Role: ProgramManager
Group(s): program-2
Description: A Program Manager 2 must have access to program-2 submissions, but not those in the program-1 group.

Account Name: Client 1A
Email Address: your_email+c1a@unqork.com
Role: Client
Group(s): program-1
Description: A Client 1 must have access to program-1 submissions, but not those in the program-2 group.

Account Name: Client 1B
Email Address: your_email+c1b@unqork.com
Role: Client
Group(s): program-1
Description: A Client 1 must have access to program-1 submissions, but not those in the program-2 group.

Account Name: Client 2A
Email Address: your_email+c2a@unqork.com
Role: Client
Group(s): program-2
Description: A Client 2 must have access to program-2 submissions, but not those in the program-1 group.

Account Name: Client 2B
Email Address: your_email+c2b@unqork.com
Role: Client
Group(s): program-2
Description: A Client 2 must have access to program-2 submissions, but not those in the program-1 group.

NOTE  You can also include a password column to manage the temporary password for each account.
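The worksheets above are filled in by hand. The following script, added here as an example and not part of the article or Unqork's product, turns the role and group table into the same expected-access matrix and then compares it against what a test run actually observed, so that an over-permissioned account (the security-relevant failure) is reported rather than overlooked. The can_view rules encode the access statements in the article; where the article is silent (whether a Program Manager can see their own or an admin's submissions) the choice is an assumption and marked as such. The observed test results are constructed for the example.

```python
"""Expected-access matrix for the RBAC test plan, plus an audit that
compares observed test results against it.

Added example, not Unqork's code. Account names, emails, roles and groups
come from the article's table; the visibility rules are read from the
article's prose, with the gaps it leaves filled by labelled assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Account:
    name: str
    email: str
    role: str
    groups: frozenset


def _acct(name, tag, role, *groups):
    return Account(name, f"your_email+{tag}@unqork.com", role, frozenset(groups))


ADMIN_GROUPS = ("dept-labor-admin", "agency-1", "agency-2", "program-1", "program-2")
ACCOUNTS = [
    _acct("City Admin A", "caa", "CityAdmin", *ADMIN_GROUPS),
    _acct("City Admin B", "cab", "CityAdmin", *ADMIN_GROUPS),
    _acct("Agency Admin 1A", "aa1a", "AgencyAdmin", "agency-1", "program-1"),
    _acct("Agency Admin 1B", "aa1b", "AgencyAdmin", "agency-1", "program-1"),
    _acct("Agency Admin 2A", "aa2a", "AgencyAdmin", "agency-2", "program-2"),
    _acct("Agency Admin 2B", "aa2b", "AgencyAdmin", "agency-2", "program-2"),
    _acct("Program Manager 1A", "pm1a", "ProgramManager", "program-1"),
    _acct("Program Manager 1B", "pm1b", "ProgramManager", "program-1"),
    _acct("Program Manager 2A", "pm2a", "ProgramManager", "program-2"),
    _acct("Program Manager 2B", "pm2b", "ProgramManager", "program-2"),
    _acct("Client 1A", "c1a", "Client", "program-1"),
    _acct("Client 1B", "c1b", "Client", "program-1"),
    _acct("Client 2A", "c2a", "Client", "program-2"),
    _acct("Client 2B", "c2b", "Client", "program-2"),
]
BY_NAME = {a.name: a for a in ACCOUNTS}


def can_view(viewer: Account, owner: Account) -> bool:
    """Should `viewer` see submissions created by `owner`?

    Rules from the article: City Admins see everything; Agency Admins see
    City Admin submissions plus anyone in their agency (here: any account
    sharing one of their groups); Program Managers see the clients in their
    program but not other Program Managers; Clients see only their own.
    """
    if viewer.name == owner.name:
        return True  # assumption: every account can see its own submissions
    if viewer.role == "CityAdmin":
        return True
    if viewer.role == "AgencyAdmin":
        return owner.role == "CityAdmin" or bool(viewer.groups & owner.groups)
    if viewer.role == "ProgramManager":
        # assumption: admins' submissions are not part of a PM's program view
        return owner.role == "Client" and bool(viewer.groups & owner.groups)
    return False  # Client: nothing beyond their own submissions


def expected_matrix():
    """(viewer name, owner name) -> expected access, for every account pair."""
    return {(v.name, o.name): can_view(v, o) for v in ACCOUNTS for o in ACCOUNTS}


def visible_to(viewer_name: str):
    """Sorted names of accounts whose submissions `viewer_name` should see."""
    viewer = BY_NAME[viewer_name]
    return sorted(o.name for o in ACCOUNTS if can_view(viewer, o))


def worksheet(columns):
    """Render one of the article's charts as text: columns are viewers, rows
    are submission owners, 'X' marks expected access."""
    width = max(len(a.name) for a in ACCOUNTS) + 2
    lines = ["".ljust(width) + "".join(c.ljust(20) for c in columns)]
    for owner in ACCOUNTS:
        marks = "".join(("X" if can_view(BY_NAME[c], owner) else "-").ljust(20) for c in columns)
        lines.append(owner.name.ljust(width) + marks)
    return "\n".join(lines)


def audit(observed):
    """observed: set of (viewer, owner) pairs where the viewer could open the
    owner's submission during testing. Returns (over-permissioned, missing)."""
    expected = expected_matrix()
    over = sorted(p for p, ok in expected.items() if not ok and p in observed)
    missing = sorted(p for p, ok in expected.items() if ok and p not in observed)
    return over, missing


def sample_observation():
    """Constructed test log: the correct matrix with two deliberate defects."""
    seen = {p for p, ok in expected_matrix().items() if ok}
    seen.add(("Client 1B", "Client 1A"))                # leak between clients
    seen.discard(("Program Manager 2A", "Client 2B"))   # under-provisioned PM
    return seen


if __name__ == "__main__":
    print(worksheet(["Client 1A", "Client 1B", "Client 2A", "Client 2B"]))
    over, missing = audit(sample_observation())
    print("over-permissioned:", over)
    print("missing access:", missing)
```

Run the audit after every change to a role or group: the over-permissioned list must be empty before application configuration starts, and the missing list tells you which group membership was forgotten.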

Testing your RBAC is critical and should be done before configuration starts on your application. Creating a simple application like the form and dashboard from this example is the best way to check your RBAC configuration. The bulk of the work in testing your RBAC configuration is creating a clear plan of your expectations and then creating sample data to test it all out. This lets you build your application knowing that your roles and groups are configured properly.