IAM Enhancements
Last updated November 23, 2022 by [email protected]
This product note aims to capture and describe various desired enhancements to Orb's Identity and Access Management (IAM) features.
As an organization using Orb, I want my Orb users to work with the same Orb components (agents, agent groups, policies, sinks) using unique identities and credentials, so that my staff can collaborate effectively and so that I can comply with my corporate security guidelines, manage individual user permissions and audit who is making changes in the system.
- Currently, each Orb account has a single unique login access (username/email and password). For organizations where multiple users need to manage common Orb components (agents, agent groups, policies, sinks) this effectively forces them to share login credentials, which is often in violation of serurity rules.
- Using a single identity for managing components in an Orb account prevents adherence to the principle of least privilege, since permissions cannot be managed on an individual user basis.
- This could be implemented in many different ways:
- by providing Orb users with access to Orb components in another Orb user's account
- by linking multiple Orb user accounts as belonging to a common group (organization/tenant), and providing access to all components across all user accounts
- by allowing the creation of additional user logins within an Orb user account
- The preferred approach is to elevate the current Orb account to essentially become a tenant, where multiple users can be defined. This is a common and intuitive model and avoids the potential entanglements of users having access to multiple other user components.
As an Orb account administrator, I want to be able to manage what actions users can take on Orb components in my account, so that I can provide only as much access as necessary to each user (principle of least privilege) and reduce my security risks.
- Coarse grained role based permissions (RBAC) are probably sufficient today, though the case might come for attribute based permissions (ABAC) to control access to specific component instances in the future.
- A minimal implementation could be limited to providing the following roles:
- Read-Only User: can only Read Orb components
- Operator: can CRUD any/all Orb component (except users)
- Administrator: can CRUD Orb users and tenant attributes
- A more extensive implementation could provide roles based on Orb component types and REST API verbs:
- agents, agent groups, policies, datasets and sinks (users?)
- GET, POST, PUT, DELETE
- RBAC user permissions should extend and apply to API credentials as well.
As a user building API automations, I want to be able to use (and manage) credentials when using the Orb API that are distinct from my login credentials, so that I can provide only as much access as necessary to automations and be able to identify who (or what) made any changes.
- This already exists today in the form of
PERMANENT_TOKENs, though with limited management capabilities:- API credentials should be a unique identity, distinct for the Orb account user
- API credentials should be revocable
- API credentials should have associated permissions
As an Orb user, I want to be able to access Orb without being prompted for my credentials, so that I can use an existing third-party identity and access Orb seamlessly.
- Though applicable to both Orb and Orb.live, this feature is currently of interest mainly for Orb.live to enable streamlined authentication with the NetBox Cloud platform.
