👨‍💼Role-based Access (RBAC) and Reviewing Access Logs

11/2023

Overview

The Oort identity security platform provides several different roles with different permissions for access your Oort tenant dashboard.

Full administrator (admin)
Read only
Help desk

This article describes the permissions associated with each role and how to configure your IDP or IAM platform to support each role.

The article also discusses how to use the Tenant Access page to review recent administrator or user access to the Oort console.

Roles and Permissions

As the name suggests, full administrator (admin) can take all actions within your Oort tenant, including -

adding or deleting integrations
changing tenant settings
configuring Checks settings
excluding users from Checks
configuring notification targets like Slack or Teams channels
opening tickets with ITSM platforms like ServiceNOW or Jira
all actions available within the Remediation Actions article

Read-only Oort dashboard users can view all of the data and users within the Oort console, but cannot make any changes to the configuration of the platform or take any actions related to User objects, such as opening tickets or sending notifications.

Help desk users can view all data and perform a subset of actions within the console. These actions include user-related actions, such as:

Opening tickets for investigation or remediation
Resetting a users MFA
Modifying specific user attributes, such as User Type
Logging a user out of active sessions in one or more IDPs
Refreshing user events for troubleshooting

Note: the Help Desk role cannot exclude users from checks. Full admin role is required for this.

The full list of Remediation Actions and their associated details is available in this article.

Read-only role	Help desk role	Admin role
Refresh user data	All read-only actions	All actions
Mark as Interesting	Open ticket (to ITSM platform)	Exclude user from check
Mark as normal behavior	Remediation actions
	Send notification (to user, manager, or notification channel in Teams, Slack)
	Send push notification (Duo, Okta)

Read-only role

Help desk role

Admin role

Refresh user data

All read-only actions

All actions

Mark as Interesting

Open ticket (to ITSM platform)

Exclude user from check

Mark as normal behavior

Remediation actions

Send notification (to user, manager, or notification channel in Teams, Slack)

Send push notification (Duo, Okta)

Configuring IDP Groups to Support Oort RBAC Roles

Oort uses group membership within your IDP or IAM platform that is used for SSO into the Oort Dashboard, such as Okta or Azure. Specifically, the groups must be returned as part of the OIDC token or the SAML assertion.

Also, because users may have a long list of group memberships in your IDP, we require that the token returned by your SSO solution contain less than 40 groups.

We suggest that the group name starts with or contains Oort so that the groups can be filtered when returned by the IDP.

The methods to configure this functionality vary by IDP platform. For more information for each, please see the corresponding article for your SSO platform connected to Oort -

for Okta SSO
for Azure SSO

Confirming Group Membership Token Info

To confirm that the desired groups are being passed in the OIDC or SAML token after the groups have been created and populated and the SSO configuration is complete, do the following -

Log into the Oort console with a user that is a member of one of the created groups, e.g Oort admin
Under the admin user account name, select Profile
Confirm that the group is listed under the https://oort.io/rbac_groups attribute section

Mapping Groups to Roles in the Oort Console

After the groups have been created and populated and the SSO configuration is complete, an Oort full admin can create the role -> group mapping in the Oort console.

Under the admin user name in the top right corner, click Tenant Settings
Click RBAC Groups on the left nav menu and then for each role, pick the associated group. Note - for the Administrator group mapping, the currently logged in admin user must be a member of that group to select it. This is to prevent the admin from picking a group without being a member of it and locking their account out of the Oort console.

Default Dashboard User Role

Within the Oort staging environment which primarily hosts evaluation and test environments, users of the Oort Dashboard are presumed to be full admins be default, unless the groups above are in use and controlling access.

In production Oort environments, the default role assignment can be switched to another role, such as read-only or help desk role. Then Oort users will only be full admins if members of the Oort admin group defined in your IAM solution.

Viewing Recent Dashboard Users and Roles

Within the Oort dashboard, you can view your current role, as well as the users of the platform and their associated roles.

Login to your Oort Dashboard
Your current role will be displayed under your profile name in the top right corner Note - if an account is a member of multiple groups associated with roles in the Oort console, such as both full admin and read-only admin, then the least privilege group and role with take precedence.
Under your profile menu, there will be an option for Tenant Access
Click that option to view the Oort dashboard users, their role, and last login timestamp.
Note that you can change the time range of the results displayed and also download the currently displayed list to a file using the down arrow.

PreviousRemediation Actions NextSaved Filters

Last updated 4 months ago