Role-Based Access Control (RBAC)

Overview

Scanner implements Role-Based Access Control (RBAC) to manage permissions securely and efficiently. RBAC restricts access to system resources based on predefined roles assigned to entities—referred to as actors—such as Users, API Keys, and, in the future, any other entity capable of interacting with Scanner. This ensures that actors can only perform actions and access data relevant to their responsibilities, enhancing security, simplifying administration, and supporting scalability as your organization grows.

In Scanner, RBAC is designed to be flexible yet robust, allowing administrators to define roles, assign them to actors, and control access to features like running search queries, managing detection rules, and system configuration.

Key Concepts

• Roles: A role represents a set of permissions that define what an actor can do within Scanner. Examples might include admin, analyst, user.

• Permissions: Specific actions or access rights tied to a role.

• Resources: The entities that actors may act upon, like Indexes, Detection Rules, and Synced Github Repositories.

• Actors: Entities assigned to one or more roles. Currently, actors include:

  • Users: Individuals interacting via the UI.

  • API Keys: Programmatic access tokens used for automation or integrations.

  • Future Actors: Any additional entities (e.g., service accounts, bots) that may interact with Scanner as the system evolves.

How RBAC Works in Scanner

1. Role Definition Administrators create roles within Scanner via the Admin Console. Each role is associated with a set of permissions that dictate what actions actors can take. For example:

   • admin: Full access to all features, including user management and system settings.

   • user: Can initiate queries and view results but cannot modify configurations.

2. Actor Assignment Actors—Users, API Keys, or future entities—are assigned to one or more roles.

3. Permission Enforcement When an actor interacts with Scanner (e.g., a User logs in or an API Key triggers a query), the RBAC system evaluates their role(s) and associated permissions. Access is granted or denied based on these rules. For instance:

   • A user attempting to query the _audit index is denied because their role lacks the Query permission on the _audit index.

   • An API Key with the admin role can perform any action programmatically.

Default Roles

Scanner provides the following built-in roles to get you started. These can be customized or supplemented with custom roles as needed:

Managing RBAC in Scanner

Admin Interface

Administrators can manage roles, permissions, and actor assignments through the Settings > Roles UI.

Creating Roles: Define a new role and assign permissions.

Assigning Members: Link actors like Users and API Keys to roles. For example, an API Key for your SOAR might be assigned the analyst role for automated querying on specific indexes.

Modifying Permissions: Update what a role can do, like managing the Team, interacting with Indexes, managing API Keys, managing Detection Rules, and integrating Synced Repositories from GitHub.

Auditing user actions

Admins and other users with appropriate permissions can query the _audit index to monitor and review actions taken by Users, API Keys, or other actors within Scanner. This index logs details such as who performed an action, what action was taken (e.g., starting a query, modifying a detection rule), and when it occurred. By querying the _audit index—via the Search UI or via the Ad-Hoc Search API—authorized users can track usage patterns, troubleshoot issues, or ensure compliance with organizational policies.

Further documentation: