Role-Based Access Control (RBAC)
Overview
Scanner implements Role-Based Access Control (RBAC) to manage permissions securely and efficiently. RBAC restricts access to system resources based on predefined roles assigned to entities—referred to as actors—such as Users, API Keys, and, in the future, any other entity capable of interacting with Scanner. This ensures that actors can only perform actions and access data relevant to their responsibilities, enhancing security, simplifying administration, and supporting scalability as your organization grows.
In Scanner, RBAC is designed to be flexible yet robust, allowing administrators to define roles, assign them to actors, and control access to features like running search queries, managing detection rules, and system configuration.
Key Concepts
Roles: A role represents a set of permissions that define what an actor can do within Scanner. Examples might include admin, analyst, and user.
Permissions: Specific actions or access rights tied to a role.
Resources: The entities that actors may act upon, like Indexes, Detection Rules, and Synced Github Repositories.
Actors: Entities assigned to one or more roles. Currently, actors include:
Users: Individuals interacting via the UI.
API Keys: Programmatic access tokens used for automation or integrations.
Future Actors: Any additional entities (e.g., service accounts, bots) that may interact with Scanner as the system evolves.
How RBAC Works in Scanner
Role Definition: Administrators create roles within Scanner via the Admin Console. Each role is associated with a set of permissions that dictate what actions actors can take. For example:
admin: Full access to all features, including user management and system settings.
user: Can initiate queries and view results but cannot modify configurations.
Actor Assignment: Actors (Users, API Keys, or future entities) are assigned to one or more roles.
Permission Enforcement: When an actor interacts with Scanner (e.g., a User logs in or an API Key triggers a query), the RBAC system evaluates their role(s) and associated permissions. Access is granted or denied based on these rules. For instance:
A user attempting to query the _audit index is denied because their role lacks the Query permission on the _audit index.
An API Key with the admin role can perform any action programmatically.
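The evaluation described above, modelled as an added Python example (this is not Scanner's code; apart from admin, user, Query and _audit, the role, permission and index names are assumptions):

```python
from dataclasses import dataclass, field

ANY = "*"  # wildcard scope used here for the built-in admin role (an assumption)

@dataclass
class Role:
    name: str
    # permission -> set of resource names it applies to ({ANY} means all resources)
    grants: dict[str, set[str]] = field(default_factory=dict)

    def allows(self, permission: str, resource: str) -> bool:
        scope = self.grants.get(permission, set()) | self.grants.get(ANY, set())
        return ANY in scope or resource in scope

@dataclass
class Actor:
    name: str
    kind: str              # "user" or "api_key": both are evaluated the same way
    roles: list[Role]

def is_allowed(actor: Actor, permission: str, resource: str) -> bool:
    """Grant access if any of the actor's roles carries the permission on the resource."""
    return any(r.allows(permission, resource) for r in actor.roles)

# Built-in roles as the page describes them: admin does everything,
# user has no index access until an admin grants it.
ADMIN = Role("admin", {ANY: {ANY}})
USER = Role("user", {})
# A custom role with Query on one specific index (index name is constructed).
ANALYST = Role("analyst", {"Query": {"cloudtrail"}})

def grant(role: Role, permission: str, resource: str) -> None:
    role.grants.setdefault(permission, set()).add(resource)

def demo() -> dict[str, bool]:
    alice = Actor("alice", "user", [USER])
    soar_key = Actor("soar-key", "api_key", [ANALYST])
    admin_key = Actor("admin-key", "api_key", [ADMIN])
    results = {
        "user_queries_audit": is_allowed(alice, "Query", "_audit"),
        "soar_queries_cloudtrail": is_allowed(soar_key, "Query", "cloudtrail"),
        "soar_queries_audit": is_allowed(soar_key, "Query", "_audit"),
        "admin_key_manages_users": is_allowed(admin_key, "ManageTeam", "team"),
    }
    grant(USER, "Query", "_audit")  # an admin grants the user role Query on _audit
    results["user_queries_audit_after_grant"] = is_allowed(alice, "Query", "_audit")
    return results

if __name__ == "__main__":
    print(demo())
```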
Default Roles
Scanner provides the following built-in roles to get you started. These can be customized or supplemented with custom roles as needed:
admin: Full control over Scanner. Permissions: all actions (e.g., manage users, configure system, run search queries).
user: Read-only access. Permissions: cannot view data by default; grant the role permission on specific indexes as needed.
Managing RBAC in Scanner
Admin Interface
Administrators can manage roles, permissions, and actor assignments through the Settings > Roles UI.
Creating Roles: Define a new role and assign permissions.
Assigning Members: Link actors like Users and API Keys to roles. For example, an API Key for your SOAR might be assigned the analyst role for automated querying on specific indexes.
Modifying Permissions: Update what a role can do, like managing the Team, interacting with Indexes, managing API Keys, managing Detection Rules, and integrating Synced Repositories from GitHub.
Auditing user actions
Admins and other users with appropriate permissions can query the _audit index to monitor and review actions taken by Users, API Keys, or other actors within Scanner. This index logs details such as who performed an action, what action was taken (e.g., starting a query, modifying a detection rule), and when it occurred. By querying the _audit index, via the Search UI or via the Ad-Hoc Search API, authorized users can track usage patterns, troubleshoot issues, or ensure compliance with organizational policies.