Introducing Role-Based Access Control on ObjectRocket

September 25, 2019

Sharing logins is lame. It’s a necessary evil, though; there are some scenarios where you just have to. With as-a-service (aaS) offerings, it becomes a real challenge as teams get larger and you don’t want to give everyone full control. The clear solution is Role-Based Access Control (RBAC), and today we’re enabling RBAC features on our brand new hosting platform.

What is Role-Based Access Control?

There are lots of definitions out there for RBAC, but NIST offers a pretty succinct definition:

A model for controlling access to resources where permitted actions on resources are identified with roles rather than with individual subject identities.

Pretty simple. Your access to a piece of information or action is based on an assigned role.

Let’s look at how this applies to something like Database as a Service. There are a number of obvious things you’d want to do, like:

  • Create a database
  • Delete a database
  • Control access to a database

There are also some other actions to think about:

  • Viewing and updating payment information
  • Viewing metrics
  • Inviting other users to the account

Without RBAC, everyone has access to everything. If you can log in, you can do all the things. For example, you may want someone from accounting to be able to view billing and payment information. However, you definitely don’t want to give that person the ability to mistakenly delete a database. That’s where RBAC comes in; you would create a role like “Billing” which only grants users with that assigned role the ability to view billing information and nothing else.

How this Works on ObjectRocket

Back when you first signed up for our service (if you haven’t yet, go check it out at https://app.objectrocket.cloud), the first thing you did was create an organization. An organization is just our way of grouping all of your users together. By creating an account and an organization, you just became an “owner”. Congratulations!

Now, with our launch of RBAC controls in our dashboard’s UI, you can invite other people to your organization and give them different roles. For now, those roles and privileges are:

Roles:

  • Owner
  • Admin
  • Read Only
  • Metrics
  • Billing

Privileges:

  • Manage UI Users
  • Create / Update / Delete Instances
  • List and view Instances
  • Manage ACL and DB users
  • View ACL and DB Users
  • View Metrics
  • Manage Billing

This gives you the ability to specify an owner (you can also have multiple owners) who can do everything, then limit access for the other members of your team. You can have a select few who manage the databases themselves, and give read-only access to the developers who just need to connect to the database from their application. You can give metrics-only access to an analyst who only needs to see stats on your databases. Finally, you can limit the people keeping the books to only the billing information.

This is just a starting point and we’ll be adding greater customization down the road.

Getting Started

If you’ve already signed up, or are going to create a new account now, you are automatically the owner of your organization. From there, adding new users is as simple as:

  1. Click Users on the main menu in Mission Control.
  2. Click Invite New User
  3. Enter an email address and role
  4. That’s it!

From there, your invited user gets an invitation email. Once they click that link in the email and sign up, they’ll show up in your users list.

There are a few rules where we need to get Support involved, like trying to invite a user who is already part of another organization. However, our Support team is always there to help you resolve any.

We hope you’re as excited about this feature as we are, so go check it out now!

Steve Croce

Steve Croce is currently a Senior Product Manager and Head of User Experience at ObjectRocket. Today, Steve leads the UX/UI team through rebuilding the platform’s user interface, scopes the company’s product and feature roadmap, and oversees the day-to-day development for ObjectRocket's Elasticsearch and PostgreSQL offerings. A product manager by day, he still likes to embrace his engineer roots by night and develop with Elasticsearch, SQL, Kubernetes, and web application stacks. He's spoken at KubeCon + CloudNativeCon, OpenStack Summit, Percona Live, and various ObjectRocket events.