Role Based Access Control: Decodable Best Practices

For organizations of almost any size, it’s important to implement role based access control (RBAC) to support compliance, privacy, and access management. Decodable’s stream processing platform, powered by Apache Flink, provides the authentication and authorization controls that organizations need. Our permissioning paradigm assigns users access to resources based on their membership in organizational groups and roles. This helps administrators quickly and simply manage granular access to specific resources and capabilities. RBAC becomes increasingly important when building out complex workflows or parallel environments for development, test, and production. For example, by using RBAC, a Decodable administrator can determine which roles (and their associated users) can edit pipelines, while granting other roles view-only access. 

Role based access control helps:

1. Minimize the risk of unauthorized access to important resources
2. Optimize the management of users, improving organizational efficiency
3. Meet compliance requirements
4. Maintain transparency around user access and permissions

Ultimately, Decodable’s RBAC features allow access permissions to be granted in a clear, auditable, easy-to-manage manner by defining specific types of roles. Users are assigned to groups, and groups are assigned one or more roles from which they inherit permissions.  Editing a role’s permissions is a simple way to modify permissions for multiple users simultaneously.  This blog includes a few simple best practices to consider when configuring RBAC in Decodable.

Users, Roles, Groups, Permissions, and Resources

Decodable’s RBAC implementation is based on five core concepts:  users, groups, roles, permissions, and resources. By allowing administrators to define these entities individually, Decodable provides granular access and simplified management of who can use what parts of the platform and in what ways.

• Users represent individuals with credentials who can access Decodable. Every person in your organization, including administrators, developers, and others, who need access to Decodable is a user and will be given unique credentials to access the platform. Because users have different goals within Decodable and need access to different resources, administrators need to configure different levels of access for their community of users. Users can be assigned to one or more groups.
• Groups are made up of users who need similar access to Decodable resources.  Some groups are automatically created in Decodable at time of deployment with users automatically added. Groups can have multiple roles.
• Roles are collections of defined permissions.  Roles can have many different permissions, allowing highly granular access to resources. Roles can be assigned to one or more groups.
• Permissions are associated with roles, with each permission statement assigned to only one associated role.  Permissions provide access to resources and are configured with specific permission patterns to allow read and/or write access to resources in Decodable.
• Resources are parts of the Decodable platform (connections, streams, pipelines) to which administrators grant or restrict access using permissions.

Getting started with Decodable’s role based access control

Setting up roles and permissions in Decodable takes only a few minutes. No matter the size of your team, setting up role based access makes sense, particularly because it’s so easy.

1. From the Decodable web interface, select the Account dropdown in the top-right corner and select Manage Access Control > Roles.
2. Select the role that you'd like to edit permissions for to open the details page for that role, and select Permissions.
3. Add or edit a permission pattern (a short string) that corresponds to the access level that you want this role to have.

To learn more about permission string syntax, please visit the Decodable RBAC documentation. The documentation includes some common permission patterns to consider when setting up roles for your organization.

What roles should I define in Decodable?

Often organizations have unique roles they’ll want to build within any RBAC system. This may include roles based on a user’s job function, level of seniority, security posture, or other specific characteristics. When building roles, remember that roles in Decodable are assigned to groups which can be used to designate teams within the organization or collections of users that span multiple roles.

For example, organizations using Decodable often configure roles such as:

• Application developer – granted access to use developer-specific sources and sinks, but is unable to modify the properties of the connections themselves.
• Data engineer – given access to specific sources and sinks and permission to directly modify pipeline configurations.
• DevTest – allowed read-only access across the bulk of Decodable to observe and test connectivity, data quality, etc.

Two roles are created by default:  admin role and new-user role.  These are assigned automatically to the corresponding admins and new-users groups (see below).

Use groups to simplify permission management

A group is a collection of users organized together for administrative or security purposes. A group has assigned roles that define the permissions provided to the members of that group. Because roles are assigned to groups, they allow you to easily manage permissions for multiple users and teams. The Decodable documentation has an example of using groups that provides additional detail.

Every Decodable account automatically includes an admins group and a new-users group. When you invite a new user to the Decodable account, that user is automatically added to the new-users group. These groups are designed to help simplify the first steps of adding in new admins or users and come with predefined roles. The admin role (assigned to the admins group) cannot be changed, but the new-user role (assigned to the new-users group) can be.

What permissions can I assign?

Users (via membership in one or more groups) can be assigned permissions to resources that include:  connections, streams, and pipelines.  Permissions can also be granted for user, group, or role management.

Only assign permissions when necessary

When defining roles and providing access to resources, it is a best practice to follow the “principle of least privilege”, granting permissions that are as tightly constrained as possible. It is often easier to provide additional permissions where missing than it is to remove permissions at a later date.  Err on the side of caution, but test your assumptions and use Decodable’s role and permission definitions to modify your configuration when warranted.

A best practice is to name the resources belonging to each team with a unique common prefix.  For example, if the names of all resources used by the finance team begin with “finance-”, a permission pattern (string) “*:*:*.finance-*” would match them and provide full access to them all. Please review the Decodable documentation for more details on permission patterns and their syntax.

Monitor and adjust at regular intervals

An individual’s role in an organization can change – due to promotion, change in department, or other factors. To maintain compliance and reduce risk, administrators should review users, groups, and the roles/permissions to which they are assigned. A best practice is to schedule regular reviews of both individual users and the permissions associated with roles to help keep them accurate and up-to-date.  In Decodable it’s easy to update users and roles, so reviews can be quick and relatively painless.

Learn from Decodable experts

Because the team at Decodable is supporting many customers, we often have insights into what permissions and configurations make the most sense for specific users or use cases. Reach out to your Decodable contact if you have any questions you’d like answered about RBAC and best practices.  We’d be happy to help!  Sometimes the best way to learn is by using a product, so you can also get started on your own with a free trial of Decodable.

If you’re not currently using Decodable and would like to know more, we’d like to hear from you. Just schedule a personalized demo and our team can walk you through all the Decodable features that help you keep data safe and achieve compliance – all while getting fast, simple, reliable access to your real-time data assets.

‍