Comment on page
👨💼

Role-based Access (RBAC) and Reviewing Access Logs

11/2023

Overview

The Oort identity security platform provides several different roles with different permissions for access your Oort tenant dashboard.
  • Full administrator (admin)
  • Read only
  • Help desk
This article describes the permissions associated with each role and how to configure your IDP or IAM platform to support each role.
The article also discusses how to use the Tenant Access page to review recent administrator or user access to the Oort console.

Roles and Permissions

As the name suggests, full administrator (admin) can take all actions within your Oort tenant, including -
  • adding or deleting integrations
  • changing tenant settings
  • configuring Checks settings
  • excluding users from Checks
  • configuring notification targets like Slack or Teams channels
  • opening tickets with ITSM platforms like ServiceNOW or Jira
  • all actions available within the Remediation Actions article
Read-only Oort dashboard users can view all of the data and users within the Oort console, but cannot make any changes to the configuration of the platform or take any actions related to User objects, such as opening tickets or sending notifications.
Help desk users can view all data and perform a subset of actions within the console. These actions include user-related actions, such as:
  • Opening tickets for investigation or remediation
  • Resetting a users MFA
  • Modifying specific user attributes, such as User Type
  • Logging a user out of active sessions in one or more IDPs
  • Refreshing user events for troubleshooting
Note: the Help Desk role cannot exclude users from checks. Full admin role is required for this.
The full list of Remediation Actions and their associated details is available in this article.
Read-only role
Help desk role
Admin role
Refresh user data
All read-only actions
All actions
Mark as Interesting
Open ticket (to ITSM platform)
Exclude user from check
Mark as normal behavior
Remediation actions
Send notification (to user, manager, or notification channel in Teams, Slack)
Send push notification (Duo, Okta)

Configuring IDP Groups to Support Oort RBAC Roles

Oort uses group membership within your IDP or IAM platform that is used for SSO into the Oort Dashboard, such as Okta or Azure. Specifically, the groups must be returned as part of the OIDC token or the SAML assertion.
Also, because users may have a long list of group membership in your IDP, we require that the group name starts with or contains Oort so that the groups can be filtered when returned by the IDP.
The methods to configure this functionality vary by IDP platform. For more information for each, please see the corresponding article for your SSO platform connected to Oort -

Confirming Group Membership Token Info

To confirm that the desired groups are being passed in the OIDC or SAML token after the groups have been created and populated and the SSO configuration is complete, do the following -
  1. 1.
    Log into the Oort console with a user that is a member of one of the created groups, e.g Oort admin
  2. 2.
    Under the admin user account name, select Profile
  3. 3.
    Confirm that the group is listed under the https://oort.io/rbac_groups attribute section

Mapping Groups to Roles in the Oort Console

After the groups have been created and populated and the SSO configuration is complete, an Oort full admin can create the role -> group mapping in the Oort console.
  1. 1.
    Under the admin user name in the top right corner, click Tenant Settings
  2. 2.
    Click RBAC Groups on the left nav menu and then for each role, pick the associated group. Note - for the Administrator group mapping, the currently logged in admin user must be a member of that group to select it. This is to prevent the admin from picking a group without being a member of it and locking their account out of the Oort console.

Default Dashboard User Role

Within the Oort staging environment which primarily hosts evaluation and test environments, users of the Oort Dashboard are presumed to be full admins be default, unless the groups above are in use and controlling access.
In production Oort environments, the default role assignment can be switched to another role, such as read-only or help desk role. Then Oort users will only be full admins if members of the Oort admin group defined in your IAM solution.

Viewing Recent Dashboard Users and Roles

Within the Oort dashboard, you can view your current role, as well as the users of the platform and their associated roles.
  1. 1.
    Login to your Oort Dashboard
  2. 2.
    Your current role will be displayed under your profile name in the top right corner Note - if an account is a member of multiple groups associated with roles in the Oort console, such as both full admin and read-only admin, then the least privilege group and role with take precedence.
  3. 3.
    Under your profile menu, there will be an option for Tenant Access
  4. 4.
    Click that option to view the Oort dashboard users, their role, and last login timestamp.
  5. 5.
    Note that you can change the time range of the results displayed and also download the currently displayed list to a file using the down arrow.