Role-Based Access Control (RBAC)¶
Note
For more information about managing users, see User Management.
RBAC Overview¶
Role-based access control (RBAC) allows administrators to restrict read and write access to key parts of Fugue. This includes:
Configuring and managing environments
Accessing compliance, drift, or enforcement data
Managing users and notifications
Viewing environments
RBAC promotes the principle of least privilege. It’s a security best practice to only give admin access to users who need it, and to limit other users from having unnecessary access to environments and actions.
You can manage RBAC from the Groups page:
For more details, see The Groups Page.
Groups, Policies, Users¶
Three key concepts in RBAC are groups, policies, and users.
A group represents a set of environments that users can access. Each group is associated with a single policy, which defines the actions that users can take in Fugue. Each user belongs to a single group and inherits the policy of that group.
You can view RBAC groups on the Groups page and users on the Users page.
By default, each organization starts with one group and one user – the Admin group and account owner. The user who created the organization is the account owner.
Users in the Admin group can create other groups, invite users, and assign/reassign users to groups on an individual basis.
Currently, Fugue supports two types of policies: Admin and Read Only. The Admin group has the Admin policy, which cannot be changed. For now, all other groups are given the Read Only policy. To learn more about each policy, see Admin vs. Read Only Permissions.
Admin Policy and Group¶
An Admin policy grants a user all access to all environments. It’s associated with the Admin group, the default group in Fugue. No other group can use the Admin policy.
Administrators can create groups and grant permissions to that group determine the actions, pages, and environments that users can view, access, or edit within Fugue.
The Admin policy cannot be modified, but users in the Admin group can be moved to another group – except the account owner, who cannot be reassigned. To change the account owner, contact support@fugue.co.
Currently, all users are assigned the Admin policy by default.
See Admin vs. Read Only Permissions for a detailed list of Admin permissions.
Read Only Policy and Groups¶
A Read Only policy grants a user read-only access to a group’s environments. Users cannot view environments their group doesn’t grant access to, and they can’t perform write actions on any environment.
For example, Alice Admin creates a group called Staging. The group is associated with the Read Only policy and enables access to two environments, Web Us-east-1 and Web Us-west-2. Alice assigns the user Bob to Staging, which allows Bob to view only those two environments. Bob cannot edit environment settings, enable/disable enforcement, manage users, and so on; he can only view the environments.
See Admin vs. Read Only Permissions for a detailed list of Read Only permissions.
Note
Users are assigned to the Admin group by default and therefore have an Admin policy. Any user can be moved to a different group and therefore given a Read Only policy, except for the account owner. To change the account owner, contact support@fugue.co.
Admin vs. Read Only Permissions¶
Feature |
Read |
Admin |
|---|---|---|
View accessible environments on Environments Page |
X |
X |
View compliance data |
X |
X |
View drift and enforcement events |
X |
X |
View environment configuration settings |
X |
X |
View baseline |
X |
X |
View visualization |
X |
X |
Change environment settings |
X |
|
Enable/disable baselines or enforcement |
X |
|
Run scans or change scan interval (API only) |
X |
|
Create or delete environments |
X |
|
Configure notifications and custom rules |
X |
|
Create/update/delete users with respective groups |
X |
Getting Started with RBAC¶
The admin should create one or more groups with the Read Only policy to limit what actions users can take and what environment(s) they can view within Fugue.
Here are the basics of RBAC with Fugue:
Create a group to enable access to one or more environments.
Assign existing users or new users to a group.
Optionally, edit a group by changing the environments associated with it.
Delete a group if needed.
Note
The Fugue API does not currently support RBAC or user management.
The Groups Page¶
The Groups page lists the name, policy, and environment(s) associated with each group:
You can hover over the i symbol next to the number of environments in a group to see the environment names:
You can also select the ellipsis ... to edit a group.
How to Create a Group¶
There are two steps to creating a group:
Step 1: Definition¶
Navigate to Organization > Groups.
Click the Create New Group button.
Enter a name for your group.
In the Policy drop-down, Read Only is selected. Read Only is currently the only supported policy option.
Step 2: Environments¶
Select the environments in which this group can access.
Click Create Group.
Note
If you create new environments, you will need to update this group to include those environments if you want this group to access them.
Additionally, if you do not create any groups, all users will belong to the Admin group and they will have global access to everything within Fugue.
How to Assign Existing Users to a Group¶
Navigate to Organization > Users.
2. In the user row, select the ellipsis icon ... and choose Edit User.
3. From the Group drop-down, select the group in which you want the user to belong.
4. Click Update User.
How to Invite and Assign New Users to a Group¶
Navigate to Organization > Users.
Click the Invite New User button.
From the Group drop-down, select the group in which you want the user to belong.
4. Click Send Invitation Email.
See User Management for more information on inviting and managing users.
How to Edit Existing Groups¶
Navigate to Organization > Groups.
In the group row, select the ellipsis icon
...and choose Edit Group.
3. Select the environments in which this group can access.
4. Click Update Group.
Note
If you create new environments, you will need to update this group to include those environments if you want this group to access them.
How to Delete Groups¶
Navigate to Organization > Groups.
In the group row, select the ellipsis icon
...and choose Delete Group.
3. Select Delete Group.
Note
A group cannot be deleted if one or more users belong to it. You must first move each user to a different group. Otherwise, you’ll see an “Unable to Delete Group” error:
Unable to Delete Group
Please reassign {user name} to a different group to delete this group. Go to Users
More About User Management¶
For more information about managing users, see User Management.