Role Engineering Examples

Last modified 14 Jul 2022 15:17 +02:00
This page is a stub; it is a work in progress.

1. Application Role Examples

The following chapter contains examples of application role requirements: what access each role must grant, and which part of that access can be assigned automatically by the identity management system and which part must be assigned manually by an operations team.

1.1. Case: Application ABC - Standard User

Role name: ABC:User

Standard user accessing the application ABC. Application ABC verifies user access via membership in AD groups.

Access requirements
  • Account in AD and membership in AD group abc-users (DN: cn=abc-users,cn=app-groups,dc=organisation,dc=com). Access is assigned automatically.

Solution

Definition of the role ABC:User

The user interface must somehow explain to the application engineer that the attribute values of the user object and the value of the entitlement are defined in the definition of the resource, not in the role itself.

1.2. Case: Application ABC - Power User

Role name: ABC:PowerUser

User with higher privileges in application ABC. Application ABC verifies user access via membership in AD groups.

Access requirements
  • Account in AD and membership in AD group abc-power-users (DN: cn=abc-power-users,cn=app-groups,dc=organisation,dc=com). Access is assigned automatically.

  • Access to a shared directory on one application server (hostname: apphost3) for processing reports. This access is assigned manually by the operations team IT:APP:OPERATORS.

Solution

Definition of the role ABC:PowerUser

1.3. Case: Application ABC - Administrator

Role name: ABC:Administrator

Application administrator of application ABC. Application ABC verifies user access via membership in AD groups. The administrator also needs administrator access to the application hosts and access to the application database.

Access requirements
  • Account in AD with the attribute employeeType set to "IT Administrator", and membership in AD group abc-admins (DN: cn=abc-admins,cn=app-groups,dc=organisation,dc=com). Access is assigned automatically.

  • Administrator access to the hosts (hostnames: apphost1, apphost2, apphost3). This access is assigned manually by the operations team IT:APP:OPERATORS.

  • Access to the database, granted via membership in the LDAP group app-abc-admins on the LDAP server.

Solution

Definition of the role ABC:Administrator
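As an added worked example (not part of this page and not taken from any product sample), the two automatically assigned requirements of ABC:Administrator expressed as a midPoint role in 4.x-style XML. Everything beyond the requirements listed above is an assumption: that the roles are managed by midPoint (the page does not name the platform), the placeholder resource OIDs, that the AD resource exposes the group DN as ri:dn and the LDAP resource the group cn as ri:cn, that both resources define a simulated association named ri:group, and that the LDAP group membership for database access is assigned automatically (the page does not say). The host access assigned manually by IT:APP:OPERATORS is deliberately not modelled here.

```xml
<!-- Added example: midPoint role for case 1.3 (ABC:Administrator). Assumptions are marked. -->
<role xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
      xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
      xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">
    <name>ABC:Administrator</name>
    <description>Application administrator of application ABC (AD account, employeeType, AD group, LDAP group).</description>

    <!-- Requirement 1: AD account, employeeType = "IT Administrator", member of abc-admins.
         Inducement (not assignment) so that the construction applies to users who get this role. -->
    <inducement>
        <construction>
            <!-- ASSUMPTION: placeholder OID of the AD resource; replace with the real one -->
            <resourceRef oid="11111111-1111-1111-1111-111111111111" type="ResourceType"/>
            <kind>account</kind>
            <intent>default</intent>
            <attribute>
                <!-- ASSUMPTION: attribute name as exposed by the AD connector schema -->
                <ref>ri:employeeType</ref>
                <outbound>
                    <!-- strong: midPoint enforces the value and restores it if changed on the resource -->
                    <strength>strong</strength>
                    <expression>
                        <value>IT Administrator</value>
                    </expression>
                </outbound>
            </attribute>
            <association>
                <!-- ASSUMPTION: simulated association named "group" in the AD resource definition -->
                <ref>ri:group</ref>
                <outbound>
                    <expression>
                        <associationTargetSearch>
                            <filter>
                                <q:equal>
                                    <!-- ASSUMPTION: group DN attribute is ri:dn in this connector's schema -->
                                    <q:path>attributes/ri:dn</q:path>
                                    <q:value>cn=abc-admins,cn=app-groups,dc=organisation,dc=com</q:value>
                                </q:equal>
                            </filter>
                            <searchStrategy>onResourceIfNeeded</searchStrategy>
                        </associationTargetSearch>
                    </expression>
                </outbound>
            </association>
        </construction>
    </inducement>

    <!-- Requirement 3: LDAP account in group app-abc-admins (database access).
         ASSUMPTION: this membership is provisioned automatically. -->
    <inducement>
        <construction>
            <!-- ASSUMPTION: placeholder OID of the LDAP resource -->
            <resourceRef oid="22222222-2222-2222-2222-222222222222" type="ResourceType"/>
            <kind>account</kind>
            <association>
                <ref>ri:group</ref>
                <outbound>
                    <expression>
                        <associationTargetSearch>
                            <filter>
                                <q:equal>
                                    <!-- ASSUMPTION: group naming attribute is ri:cn in this connector's schema -->
                                    <q:path>attributes/ri:cn</q:path>
                                    <q:value>app-abc-admins</q:value>
                                </q:equal>
                            </filter>
                            <searchStrategy>onResourceIfNeeded</searchStrategy>
                        </associationTargetSearch>
                    </expression>
                </outbound>
            </association>
        </construction>
    </inducement>
</role>
```

Two points a practitioner should check before copying this pattern. First, employeeType is single-valued in AD: if another role sets a different value on the same account, midPoint reports the conflicting values as a policy violation rather than picking one, so any convention that uses an attribute value as an access marker has to be coordinated across all roles that touch that attribute. Second, because the AD group is resolved by a search for its DN, the role stays valid only while the group keeps that DN; the manually assigned host access is outside midPoint's enforcement and needs a separate review or recertification path.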

1.4. Case: Application DEF - End User. Zero Trust Design Example.

Role name: DEF:EndUser

Standard user of application DEF. The application runs in an environment that verifies identities on network access as well: the application sits behind a Next Generation Firewall (NGFW), so the user's access to the application DEF object must also be allowed in the NGFW.

Access Requirements
  • Account in LDAP and membership in LDAP group def-user. Access is assigned automatically.

  • Account in the NGFW, with application DEF added to the user's access profile (the profile attribute) in the NGFW. Access is assigned automatically.

Solution

Definition of the role DEF:EndUser
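As an added example (not part of this page and not taken from any product sample), the DEF:EndUser role in midPoint 4.x-style XML, showing the point of the Zero Trust case: one role drives both the identity store and the network enforcement point. Assumptions beyond the requirements above: that midPoint is the platform (the page does not say), the placeholder resource OIDs, that the LDAP resource exposes the group cn as ri:cn through a simulated association named ri:group, and that the NGFW is connected as a resource whose account object class exposes the access profile as a multi-valued attribute ri:profile.

```xml
<!-- Added example: midPoint role for case 1.4 (DEF:EndUser). Assumptions are marked. -->
<role xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
      xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
      xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">
    <name>DEF:EndUser</name>
    <description>Standard user of application DEF: LDAP group def-user plus DEF in the NGFW access profile.</description>

    <!-- Identity side: LDAP account that is a member of def-user -->
    <inducement>
        <construction>
            <!-- ASSUMPTION: placeholder OID of the LDAP resource -->
            <resourceRef oid="33333333-3333-3333-3333-333333333333" type="ResourceType"/>
            <kind>account</kind>
            <association>
                <!-- ASSUMPTION: simulated association "group" defined in the LDAP resource -->
                <ref>ri:group</ref>
                <outbound>
                    <expression>
                        <associationTargetSearch>
                            <filter>
                                <q:equal>
                                    <!-- ASSUMPTION: group naming attribute is ri:cn -->
                                    <q:path>attributes/ri:cn</q:path>
                                    <q:value>def-user</q:value>
                                </q:equal>
                            </filter>
                            <searchStrategy>onResourceIfNeeded</searchStrategy>
                        </associationTargetSearch>
                    </expression>
                </outbound>
            </association>
        </construction>
    </inducement>

    <!-- Network side: NGFW account with "DEF" added to the multi-valued profile attribute.
         Values contributed by several roles (for example another application's end-user role)
         are merged into one attribute; unassigning this role removes only the DEF value. -->
    <inducement>
        <construction>
            <!-- ASSUMPTION: placeholder OID of the NGFW resource -->
            <resourceRef oid="44444444-4444-4444-4444-444444444444" type="ResourceType"/>
            <kind>account</kind>
            <attribute>
                <!-- ASSUMPTION: attribute name as exposed by the NGFW connector schema -->
                <ref>ri:profile</ref>
                <outbound>
                    <strength>strong</strength>
                    <expression>
                        <value>DEF</value>
                    </expression>
                </outbound>
            </attribute>
        </construction>
    </inducement>
</role>
```

The security-relevant property of this design is that the NGFW profile entry and the LDAP group membership are derived from the same role, so revoking the role removes both the application-level permission and the network path in one recompute. That only holds if the profile attribute is in fact multi-valued on the NGFW side; with a single-valued attribute, two application roles would conflict in the same way as the employeeType marker in the ABC examples.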

1.5. Case: Application XYZ - Administrator. Administrator needs VPN for backend access.

Role name: XYZ:Administrator

Administrator of application XYZ. The administrator needs RDP access to Windows host hostXYZ. Additionally, the administrator needs VPN access with the admins profile in order to reach the host over RDP.

Access Requirements
  • Account in LDAP and membership in LDAP group xyz-admins. Access is assigned automatically.

  • RDP access to Windows host hostXYZ. This access is assigned manually by the operations team IT:APP:OPERATORS.

  • Account in the VPN, with the admins profile configured locally. This access is assigned manually by the operations team IT:NET:OPERATORS.

Solution

Definition of the role XYZ:Administrator.