3 - Role-based Access Control (RBAC)

Role-based access control in Diri

Diri allows access to be tailored by role. RBAC is an approach to restricting system access to authorized users. RBAC mechanisms are defined around roles and privileges. RBAC makes it easy to assign permissions by role and is a simple way to limit each user's access to what is necessary for their assignments. RBAC can be used to simplify security administration in large organizations with hundreds of users and thousands of permissions.

RBAC allows for different roles, such as read-only roles for auditors and management, and helps to improve both the integrity and confidentiality of data in Diri. Diri has predefined roles that we recommend using.

Key points

  1. The "V" sign at the left of a functionality indicates that there are more options to be managed for this specific setting.
  2. Be aware that some privileges require other privileges to function; for example, "Copy" on a risk assessment also requires the "Create New" privilege.
  3. Access control settings on objects are accessed via the man-and-padlock symbol.

Accessing the RBAC

The RBAC can be accessed via "Users" in the main menu. Opening the users menu will give access to two tabs, one for administrating users and another for Access control:

The tab for accessing RBAC in the Users menu with the "Add business role" button.

Using the RBAC

The RBAC in Diri uses two important terms:
  1. Business role - Indicates what type of role the user will have in the application, such as administrator, regular user, or something else. A business role can be assigned to many users.
  2. Access role - Indicates what accesses the business role will have in the application. Accesses are given to specific features in the Diri application. A business role will have several access roles.

You can add a new business role by clicking the "Add business role" button. This action will open a prompt where you can provide a Business role name and add predefined access role permissions using tags:

Creating a new Business role for your organisation allows you to name it and add predefined Access roles to the new role.

Clicking the "Create" button will add the new business role to the existing set of roles. The downward-pointing V indicates that there are additional settings that you can view and manage: clicking it for a business role shows its access roles, and clicking an access role shows the rights attached to it, as illustrated:


Accessing the settings for each role and view accesses

Settings in the RBAC

There are four basic accesses that a user can have in the RBAC:
  1. Read - The user has read-only access to all objects of the type in the organisation.
  2. Update - The user has privileges to update objects of the type in the organisation.
  3. Create - The user can create new objects of the type and edit them. A user who creates an object also has all the default rights to it regardless of role.
  4. Delete - The user can delete all objects of the type in the organisation.

Adding new accesses in the RBAC

There are two options for adding access roles to a business role:
  1. Add existing access role - Opens the Tag-manager with predefined roles that you can choose from.
  2. Create new access role - Opens the "create a new access role" window.
Clicking the "Create new access role" option will provide the following menu:

The create access role menu

The create new access role has the following features:
  1. Access role name - You must provide a name for your new access role.
  2. Optional description of the access role.
  3. Resource selection - This option lists all the basic resources/features available in the Diri application. Choose one of them to be included in the access role.
  4. Rights management - Having chosen a resource for the access role, you must set the rights associated with the resource: Read, Update, Create, Delete, All - as explained above.
  5. The "Add" button - Adds your new access role to an existing business role.

Adding a business role to a new user

Having created a new business role with corresponding access rights you need to assign this role to a user in an organisation. To do this, you need first to navigate back to the "Users" tab at the top. You can then click on the "+ New User" button:

Navigating back to the Users menu and the button for adding a "New User"

Clicking the "+ New User" button will open up the registration form. In this form you place the user in the correct organisation and assign them the appropriate business roles:

The New User form with the access roles highlighted.

Registering the user, adding the roles, and clicking save will create the user as illustrated in the following section.

Adding a business role to an existing user

A business role can also be assigned to a user who already exists in the organisation. In the following example, we see the user gaute@diri.no belonging to the Organisation Diri and having the roles "Contributor" and "Owner":

Illustrated user with organisational belonging and roles associated with the organisation.


If you wish to add a role to an existing user, click the edit button for the managed tables and click on the roles. Select the role you want to add to the user from the dropdown list:

Illustrated user management via managed tables. Roles are added to existing users by clicking the configure button and selecting roles.

Having added the appropriate roles to the user, you can click save and the list will be updated as illustrated below:

Predefined and inherited Roles in Diri

### Roles Overview

1. **Administrator / General Administrator**

2. **Risk Assessment Contributor**

3. **Read and Sign (Decision-maker)**

4. **Risk Assessment Manager**

5. **Auditor**

6. **Subscription Administrator**


### 1. Administrator / General Administrator

- **Privileges**: Full access to all functionalities.

- **Responsibilities**: Overseeing system settings and user permissions.


### 2. Risk Assessment Contributor

- **Privileges**:

  - Risk Assessment: IT-system (Create), Problem (Create)

  - Treatment: Read

  - Tasks: Read, Edit, Create, Delete

  - Survey: Read, Create, Answer

  - Organisation: Read

  - Settings: Read

- **Responsibilities**: Conducting basic operational tasks and assessments.


### 3. Read and Sign (Decision-maker)

- **Privileges**: Read access to Risk Assessment, Treatment plan, Problem; ability to sign off on treatment plans.

- **Responsibilities**: Approving risk treatment plans and accepting residual risks.


### 4. Risk Assessment Manager

- **Privileges**: All privileges of the Risk Assessment Contributor; create and delete assessments.

- **Responsibilities**: Managing risk assessments.


### 5. Auditor

- **Privileges**: Read-only access across the system.

- **Responsibilities**: Conducting audits for compliance and oversight.
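As an added illustration (example code, not Diri's own implementation), the following models how the pieces described under "Using the RBAC", "Settings in the RBAC" and the predefined roles above fit together: access roles grant rights on resources, business roles bundle access roles (the Manager building on the Contributor), an object's creator keeps the default rights regardless of role, and a right whose prerequisite is missing (Copy without Create) does not function. Resource and right names are taken from this page; the function and class names are assumptions.

```python
from dataclasses import dataclass, field

BASIC_RIGHTS = frozenset({"Read", "Update", "Create", "Delete"})
# A right that only functions when another is also granted (page: "Copy" needs "Create New").
REQUIRES = {"Copy": "Create"}


def access_role(**grants):
    """Access role: resource -> rights. "All" expands to the four basic rights."""
    return {res: (set(r) - {"All"}) | (BASIC_RIGHTS if "All" in r else set())
            for res, r in grants.items()}


@dataclass
class BusinessRole:
    name: str
    access_roles: list = field(default_factory=list)
    inherits: list = field(default_factory=list)  # e.g. Manager builds on Contributor

    def rights_on(self, resource):
        rights = set()
        for parent in self.inherits:
            rights |= parent.rights_on(resource)
        for ar in self.access_roles:
            rights |= ar.get(resource, set())
        return rights


def effective_rights(email, business_roles, resource, created_by=None):
    """Rights of one user on one object. The creator keeps the default rights regardless
    of role; a right whose prerequisite is missing is dropped because it would not function."""
    if created_by == email:
        return set(BASIC_RIGHTS)
    rights = set()
    for br in business_roles:
        rights |= br.rights_on(resource)
    return {r for r in rights if r not in REQUIRES or REQUIRES[r] in rights}


# Predefined roles as listed on this page (a subset, using the page's resource and right names).
CONTRIBUTOR = BusinessRole("Risk Assessment Contributor", [access_role(**{
    "Risk Assessment": {"Create"}, "Treatment": {"Read"}, "Tasks": {"Read", "Edit", "Create", "Delete"},
    "Survey": {"Read", "Create", "Answer"}, "Organisation": {"Read"}, "Settings": {"Read"}})])
MANAGER = BusinessRole("Risk Assessment Manager", [access_role(**{"Risk Assessment": {"Create", "Delete"}})],
                       inherits=[CONTRIBUTOR])
AUDITOR = BusinessRole("Auditor", [access_role(**{res: {"Read"} for res in
                       ("Risk Assessment", "Treatment", "Tasks", "Survey", "Organisation", "Settings")})])
```

Calling `effective_rights("user@example.com", [MANAGER], "Risk Assessment")` returns the Manager's combined rights on that resource; passing `created_by` equal to the user's e-mail returns the creator's default rights instead.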
