Introduction

Policy-Based Access Control (PBAC) is a mechanism for managing user access to individual or multiple systems, where the permissions granted are contingent upon the user’s business responsibilities aligned with predefined policies or custom policies. In contrast to the conventional method of auditing and modifying roles organization-wide, PBAC provides the agility to swiftly adjust access privileges in response to evolving requirements. This ensures that assets remain safeguarded through the enforcement of established rules and policies. PBAC stands out as a versatile authorization solution, capable of accommodating various access points by automating security controls within applications and data.

IAM (Identity and Access Management)

IAM Model Overview:

IAM, which stands for Identity and Access Management, encompasses a structured system for managing user identities and their access privileges within an account. The IAM model comprises various user roles and their corresponding permissions.

Key Concepts:

  1. IAM Entry: Each IAM entry contains mappings with a primary customer and their associated secondary users. Instead of referencing a contact person table, information regarding secondary users is stored within the IAM table.

  2. IAM User Types:

    • Owner: Represents the primary account holder.

    • Primary: Users with existing sign-ups on the platform who can access other accounts using the Primary IAM feature, also known as Multi-CRN view.

    Multi CRN

    A Multi-CRN perspective offers users the ability to toggle between multiple CRNs (Customer Reference Numbers). This occurs when a customer (Customer A) who is already registered grants access to some of their projects to another customer (Customer B) who is also registered. As a result, Customer B can access Customer A’s projects by switching between their respective CRNs.

    ../../_images/multi_crn.png
    • Contact: Users without existing sign-ups on the platform.

Roles and Permissions

Roles

Resource Management

IAM (User Management)

Billing Operations (Pay Now, Auto Pay and Account Statement)

Payment Reminders/Invoice Handling

Admin

Project Lead

✓(except Admin)

×

×

Billing

×

×

Member

Policy base Access

×

Policy base Access

×

Billing+Member

Policy base Access

×

  • Admin: Holds full access rights, including the management of resources and projects, access to the billing dashboard, the handling of invoices, and the ability to add or remove other IAM users. Administrators are essentially co-owners of the account.

  • Project Lead: Has access to resource allocation and project management, with the authority to add or remove other IAM users (excluding Admins). The Project Lead does not have access to billing.

  • Billing User: Authorized to manage billing functions such as Pay Now, Auto Pay, and Account Statements, including viewing and paying outstanding balances, accessing invoices, and configuring auto-pay settings.

  • Member: Users with limited access to the account, with the ability to select services and adhere to established policies that restrict their view within services. Unauthorized attempts to access restricted services or perform restricted actions will redirect them to an unauthorized page.

  • Billing+Member: Users with restricted service access but unrestricted access to the billing dashboard. They can perform any action within the billing dashboard without restrictions.

The IAM model provides a structured approach to manage user identities, access privileges, and permissions within an account, ensuring effective security and access control.

Note

To use IAM, you have to follow these steps:
  • You have to add a IAM user

  • You have to create a project

  • You have to create custom policies or you can use predefined policies.

  • Assign the project and policies to the user.

Add User

To add users then follow these steps:

Navigate to the IAM section on the Dashboard

../../_images/pbac1.png

By default, the details of Owner is displayed in the list. To add a new user to the project, simply click on the ‘Add User’ option.

../../_images/pbac2.png

After selecting “Add User,” a new page labeled “Add New User” will open. On this page, you need to enter the user’s email and choose a role from the dropdown menu. The available roles include Member, Billing, Project Manager, Admin, and Billing+ Member.

../../_images/pbac3.png

If you choose the role of Admin, Project Manager, or Billing, predefined policies will be applied to the user based on their role.

../../_images/Admin.png

After selecting all the parameters then click on Add User

../../_images/member1.png

Note

In the absence of an available policy in the project, you must initially add a custom policy to the project.

If you choose the role of “Member,” all available projects will be displayed below. After selecting a specific project, you can then assign one or more policies to that user

../../_images/members2.png ../../_images/pbac6.png

Upon selecting “Add User,” the user will appear in the IAM page under the “All Users” section with the status set as ‘Invited.’ Subsequently, an invitation link will be sent to the user’s email address. Upon clicking the link, a registration form will be presented for completion.

../../_images/pbac7.png ../../_images/pbac8.png

Upon completing all the required details in the registration form, the user will be successfully registered. Following registration, the customer must log in using their provided credentials.

Note

If the customer is an existing user on the E2E platform, they will find the invitation in the Invitation section on the Dashboard.

../../_images/existing_customer1.png

Upon selecting the Invitation button, the Invitation page will be displayed.

../../_images/existing_customer2.png

On the Manage Invitations page, you can view the invitations received and take actions such as accepting or declining them based on your preference. Upon accepting the invitation, the user will appear in the All User list with their assigned role.

Actions

Reset Password:

Click on the “Reset Password” action to reset a member’s password.

../../_images/pbac9.png

Edit Roles and Policies:

To modify the roles and policies of a member, click on the Edit action.

../../_images/pbac10.png ../../_images/pbac11.png

Once you have made the necessary changes, click on the “Update User” button to save the modifications.

../../_images/pbac12.png ../../_images/pbac13.png

Delete User:

To remove a user, click on the Delete action.

../../_images/pbac14.png

Upon selecting the delete action button, a confirmation pop-up will appear on the page. Click on the delete button within the pop-up to confirm the deletion, and the user will be removed from the user list.

Manage Project

Project Management

To manage projects, navigate to the IAM page and click on the Manage Project tab.

../../_images/pbac15.png

By default, a Default Project will be displayed in the list. To create a new project, provide a name for the project and click on the Create button. Once a project is created, it will be visible in the Recent tab.

../../_images/pbac16.png

To switch from one project to another, select the desired project by clicking on the radio button. A pop-up will appear, prompting you to click on “Switch Project.” Upon doing so, the switch will be completed, and you’ll be in the selected project.

../../_images/pbac17.png

To designate a project as a starred project, click on the star button located in the Starred section.

../../_images/pbac18.png

To view all projects, click on the “All” section, where you can see a comprehensive list of all projects associated with that user.

../../_images/pbac19.png

Member Management

Add Member:

To modify a project and add members, click on the edit button associated with that project.

../../_images/pbac20.png

Upon clicking the edit button, you will find the option to add members to the project. Click on it to proceed.

../../_images/pbac21.png

Following the selection of “Add Member,” the Add Member page will open. After entering all the necessary information, such as the new member’s details and policies, click on “Save Changes” to confirm.

../../_images/pbac22.png

Modify User’s Policy:

../../_images/pbac23.png

To modify a user’s policy, click on the edit button and then select the appropriate option on the right button.

Remove Member:

../../_images/pbac24.png

To remove a member from the project, click on the delete button. A popup will appear, and upon confirmation by clicking the Delete button within the popup, the member will be successfully deleted from the project.

Policy Set

To access established policies, go to the IAM page and select the Policy Set section. If you wish to create a new policy, click on the “Add Policy” button.

../../_images/pbac25.png ../../_images/pbac26.png

After clicking on Add Policy then Add New Policy page will be appear on that page you have to give policy set name and description and select the services which are to be giving access to in this policy then click on the Save button.

../../_images/pbac27.png

Upon saving the policy, it will be displayed in the Policy Set section on the IAM page.

../../_images/pbac28.png

To execute actions on a policy set, click on the three dots, and a menu of actions will appear. To view the policy services, select the “View” action.

../../_images/pbac29.png

Upon selecting the “View” action, the Services page will open, allowing you to see all the services associated with that policy.

../../_images/pbac30.png

To modify the policy set, click on the “Edit” action.

../../_images/pbac31.png

Upon choosing the “Edit” action, the Edit Policy Set Details page will open. On this page, you can add or remove services from the policy set by ticking or unticking the respective options. After making the desired changes, click on the Save button.

../../_images/pbac32.png

To remove a policy set, click on the “Delete” action.

../../_images/pbac33.png

Upon selecting the “Delete” action, a pop-up will appear. Click on “Delete” within the pop-up, and the policy set will be removed from the policy set list.