Role-Based Access Control (RBAC)
Role-Based Access Control (RBAC) is an access control model that restricts access to resources to authorized users based on the roles assigned to them. In SUSE Multi-Linux Manager, RBAC ensures that users can only perform actions and access resources for which they have explicit authorization, which both strengthens security and simplifies administration.
The core principles of RBAC include:
- Principle of Least Privilege: Granting only the access rights users need to perform their tasks.
- Granular Control: Controlling specific functions at a fine-grained level.
- Separation of Duties: Preventing a single user from having too much control over critical processes.
- Auditability: Allowing clear tracking of user actions and permissions.
1. Key RBAC Concepts
Understanding the following core concepts is crucial for effective RBAC management:
- Role: A collection of permissions defining a specific set of capabilities within SUSE Multi-Linux Manager. Roles are assigned to users, granting each user the aggregated permissions of all of their roles.
- Permission: An atomic authorization to perform a specific action, access a specific web page or call a specific API endpoint within SUSE Multi-Linux Manager. In SUSE Multi-Linux Manager, permissions are represented by namespaces and their access modes.
- User: An individual account that interacts with SUSE Multi-Linux Manager. Users are assigned one or more roles.
- Namespace: A granular unit of access control organized in a tree-like structure. Most namespaces have distinct "View" and "Modify" modes.
2. User Roles in SUSE Multi-Linux Manager
SUSE Multi-Linux Manager provides predefined roles and allows for the definition of additional custom roles, optionally inheriting from a combination of other roles.
2.1. Predefined Roles
Refer to administration:users.adoc#administrator-roles for a complete list of predefined roles and their descriptions.
2.2. Defining Additional Roles
To define additional roles, you can:
- Select a number of existing roles to inherit permissions from.
- Specify additional namespaces to grant access to.
3. Namespaces for Fine-Grained Access
Namespaces provide fine-grained access control, organized in a tree-like structure. For most namespaces, access within a namespace is further granularized by "View" and "Modify" modes.
| Namespace | Access Mode | Description |
|---|---|---|
| | Modify | Build container or Kiwi images |
| | Modify | Import container images from a registered image store |
| | View | List all images |
| | Modify | Delete images |
| | View | View image details, patches, packages, build log and cluster information |
| | Modify | Inspect, rebuild, delete images |
| | View | View details of an image profile |
| | Modify | Create image profiles, edit profile details |
| | View | List all image profiles |
| | Modify | Delete image profiles |
| | View | View details of an image store |
| | Modify | Create image stores, edit store details |
| | View | List all image stores |
| | Modify | Delete image stores |
A comprehensive list of namespaces and their descriptions can be retrieved by making a call to the access.listNamespaces API method. Refer to SUSE Multi-Linux Manager API documentation for detailed information, including request and response formats.
4. Managing RBAC
Managing RBAC roles and permissions is currently only possible through the API. To assign roles to users via the web UI, refer to Users.
4.1. Managing RBAC via API
The SUSE Multi-Linux Manager API provides methods for programmatically managing roles, permissions and user assignments.
4.1.1. The access API
These API methods manage roles and their associated access:
- listNamespaces: Lists the namespaces available in SUSE Multi-Linux Manager, their access modes and their descriptions.
- listPermissions: Lists the namespaces a role is permitted to access.
- listRoles: Lists the existing roles in SUSE Multi-Linux Manager.
- createRole: Creates a new role, optionally copying permissions from existing roles.
- deleteRole: Deletes a role.
- grantAccess: Grants a role access to namespaces.
- revokeAccess: Revokes a role's access to namespaces.
4.1.2. The user API
These API methods manage user-role assignments:
- listPermissions: Lists the effective permissions of a user.
- listRoles: Lists a user's assigned roles.
- addRole: Assigns a role to a user.
- removeRole: Removes a role from a user.
For detailed API documentation, including request and response formats, refer to the SUSE Multi-Linux Manager API reference.
5. RBAC Best Practices
Adhering to these best practices will help maintain a secure, efficient, and manageable RBAC environment:
- Principle of least privilege: Always grant users the minimum permissions necessary to perform their duties. Avoid overly broad permissions.
- Regular review: Periodically review the roles and permissions assigned to users to ensure they are still appropriate and comply with current security policies.
- Document roles: Clearly document the purpose and permissions of each custom role you create.
- Separate duties: Implement roles that enforce separation of duties to prevent a single user from having too much control over critical processes.
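The "regular review" and "separate duties" practices above are only useful if the review is mechanical enough to run every time. The script below, an added example and not part of the SUSE Multi-Linux Manager documentation, takes the per-user output of user.listPermissions and produces three things a reviewer wants: modify grants outside a user's remit, users holding modify on both sides of a separation-of-duties pair, and grants that appeared or disappeared since the previous review snapshot. The input is a constructed sample: the logins, the namespace labels, the policy and the conflict pair are hypothetical, and the assumption that each listPermissions entry carries 'namespace' and 'access_mode' keys with 'V'/'M' modes is not confirmed by the page.

```python
"""Periodic RBAC review: excess modify grants, separation-of-duties conflicts and
drift since the last snapshot.

ASSUMPTION not confirmed by the page: user.listPermissions returns one struct per
grant with 'namespace' and 'access_mode' keys and modes spelled 'V'/'M'. All data
below is a CONSTRUCTED sample with hypothetical logins and namespace labels.
"""

# Current effective permissions, as user.listPermissions would return them per login.
SAMPLE_USERS = {
    "alice": [{"namespace": "images.build", "access_mode": "M"},
              {"namespace": "images.list", "access_mode": "V"}],
    "bob": [{"namespace": "images.build", "access_mode": "M"},
            {"namespace": "images.details", "access_mode": "M"},
            {"namespace": "stores.details", "access_mode": "M"}],
    "carol": [{"namespace": "stores.details", "access_mode": "V"}],
}

# Snapshot saved at the previous review; comparing against it shows what changed.
PREVIOUS_SNAPSHOT = {
    "alice": [{"namespace": "images.list", "access_mode": "V"}],
    "bob": [{"namespace": "images.build", "access_mode": "M"}],
}

# Least-privilege policy: namespace prefixes each login may hold in modify mode.
# A login missing from the policy may hold no modify grants at all.
MODIFY_POLICY = {"alice": {"images."}, "bob": {"images."}, "carol": set()}

# Separation of duties: nobody may hold modify on both namespaces of a pair
# (hypothetical pairing: building images versus rebuilding or deleting them).
SOD_PAIRS = [("images.build", "images.details")]


def normalize_mode(mode):
    """Map the server's mode string ('V'/'M' or 'view'/'modify') to 'view' or 'modify'."""
    m = str(mode).strip().lower()
    if m.startswith("v"):
        return "view"
    if m.startswith("m"):
        return "modify"
    raise ValueError(f"unknown access mode: {mode!r}")


def grant_set(perms):
    """Effective grants as a set of (namespace, 'view'|'modify') pairs."""
    return {(p["namespace"], normalize_mode(p["access_mode"])) for p in perms}


def audit(users, policy, sod_pairs):
    """Return (login, finding, detail) triples; an empty list means the review is clean."""
    findings = []
    for login, perms in users.items():
        modify = {ns for ns, mode in grant_set(perms) if mode == "modify"}
        allowed = tuple(policy.get(login, ()))
        for ns in sorted(modify):
            if not ns.startswith(allowed):  # startswith(()) is False: nothing allowed
                findings.append((login, "excess-modify", ns))
        for a, b in sod_pairs:
            if a in modify and b in modify:
                findings.append((login, "sod-conflict", f"{a}+{b}"))
    return findings


def drift(previous, current):
    """Grants added and removed per login since the previous snapshot."""
    changes = {}
    for login in sorted(set(previous) | set(current)):
        before = grant_set(previous.get(login, []))
        after = grant_set(current.get(login, []))
        added, removed = after - before, before - after
        if added or removed:
            changes[login] = (sorted(added), sorted(removed))
    return changes


if __name__ == "__main__":
    for finding in audit(SAMPLE_USERS, MODIFY_POLICY, SOD_PAIRS):
        print("FINDING", *finding)
    for login, (added, removed) in drift(PREVIOUS_SNAPSHOT, SAMPLE_USERS).items():
        print("DRIFT", login, "added", added, "removed", removed)
```

In practice the SAMPLE_USERS dictionary is replaced by a loop over user.listRoles/user.listPermissions for every login, and the previous snapshot is the JSON the last run wrote to disk; the drift output is what goes into the review record, and any excess-modify or sod-conflict finding is a ticket to fix with access.revokeAccess or user.removeRole.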