Creating Access Control Policies
  • 01 Jul 2024


RealTheory supports both Role-Based Access Control (RBAC) and discretionary access control (DAC).

With DAC, organizations can manually set permissions on one or more clusters, or automatically set permissions at scale through access control policies. Access control policies provide a scalable and flexible mechanism to manage access to resources and data in an enterprise organization.

Prerequisites

To create access control policies, you need the following:

  • Groups and Users:

    • Users are individuals within the system who can be authenticated

    • Groups are collections of Users that share common access needs within the system

  • Cluster labels: RealTheory labels allow you to associate meaningful and relevant attributes with resources; they can be used to automate and scale discretionary access control through access control policies

    How to Leverage RealTheory Labels to Streamline Scalability and Automation describes how you might plan and design a labeling protocol for scalability and automation.

Procedure

  1. As a user with the following roles, navigate to Settings > Access Management > Access Control Policies:

    • sys_admin, or

    • all of: permissions_admin and group_admin and user_admin

  2. Click Enable access control policies if the feature is not already enabled.

  3. If no access control policies have been previously configured, you will see only the default access control policy.

  4. If access control policies have been previously configured, each policy will be listed above the default access control policy in the order that they are processed and applied.

  5. If an access control policy that grants the appropriate access to the appropriate cluster(s) does not exist, create the policy:

    a. Click Add access control policy.

    b. Provide a unique name for the policy.

    c. Add a description that will help you remember the purpose and scope of the policy.

    d. Provide the Conditions that will determine which clusters this policy applies to; conditions are specified in terms of cluster or node equality-based and set-based label selectors.
      See How to Use Label Selectors to Identify Resources.

    e. Click Next.

    f. Select who should have access to the cluster(s) identified by the Conditions specified in Step 5.d from the following options:

      • Everyone in my organization

      • Selected groups and/or users

    g. If you selected Everyone in my organization, go to Step 5.i.

    h. If you selected Selected groups and/or users, click Add in the Groups with access and Users with access lists, and then select which groups and/or users should have access.

    i. Click Save.

      The new policy will be added to the list of policies directly above the Default policy. If this is not the appropriate location, you can drag the new policy to the appropriate location in the list.

      Note: The default policy will always be the last policy in the list.

  6. Repeat Step 5 until you have all the access control policies you need to enforce the appropriate discretionary access control.

    RealTheory will grant cluster access to the groups and/or users specified in the policy when the policy Conditions (label selectors) match one or more clusters.
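
Before saving a set of policies, it helps to dry-run their Conditions against your cluster labels and see which clusters each grant would reach. The following is an added example, not RealTheory code or a RealTheory API: the cluster names, labels, policy names and dictionary layout are constructed, and the selectors are assumed to follow Kubernetes-style equality-based and set-based semantics.

```python
import re

# Constructed sample data. Names, labels and this dict layout are assumptions,
# not a RealTheory export format.
CLUSTERS = {
    "pay-prod-1": {"env": "prod", "team": "payments"},
    "pay-dev-1": {"env": "dev", "team": "payments"},
    "lab-1": {"team": "research"},  # no "env" label at all
}
POLICIES = [  # in list order; the default policy would come after these
    {"name": "payments-prod", "conditions": "env=prod,team in (payments)", "grant": ["payments-sre"]},
    {"name": "non-prod", "conditions": "env notin (prod)", "grant": "everyone"},
    {"name": "staging", "conditions": "env=staging", "grant": ["qa"]},
]

def parse(selector):
    """Split a selector string into (key, 'in' | 'notin', values) requirements."""
    reqs = []
    for term in re.split(r",(?![^(]*\))", selector):  # commas outside (...)
        term = term.strip()
        m = re.fullmatch(r"([\w./-]+)\s+(in|notin)\s+\(([^)]*)\)", term)
        if m:  # set-based: key in (a,b) / key notin (a,b)
            reqs.append((m[1], m[2], {v.strip() for v in m[3].split(",")}))
            continue
        m = re.fullmatch(r"([\w./-]+)\s*(!=|==|=)\s*([\w.-]*)", term)
        if m:  # equality-based: key=value / key==value / key!=value
            reqs.append((m[1], "notin" if m[2] == "!=" else "in", {m[3]}))
            continue
        raise ValueError(f"unsupported selector term: {term!r}")
    return reqs

def matches(labels, selector):
    # A missing label fails "in" but satisfies "notin" (Kubernetes semantics, assumed).
    return all((labels.get(k) in vals) == (op == "in") for k, op, vals in parse(selector))

def review(clusters, policies):
    """Return each cluster's matching policies (in list order) plus findings to check."""
    hits = {c: [p["name"] for p in policies if matches(lbl, p["conditions"])]
            for c, lbl in clusters.items()}
    findings = []
    for p in policies:
        scope = [c for c, names in hits.items() if p["name"] in names]
        if not scope:
            findings.append(f"{p['name']}: matches no cluster")
        elif p["grant"] == "everyone":
            findings.append(f"{p['name']}: grants everyone access to {', '.join(scope)}")
    findings += [f"{c}: only the default policy applies" for c, n in hits.items() if not n]
    return hits, findings
```

In the sample data, the cluster with no `env` label is swept into the organization-wide `non-prod` policy by its `notin` condition, which is the kind of unintended scope worth catching before you click Save.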

Next Step
Configuring the Default Access Control Policy

See Also
How to Leverage RealTheory Labels For Scalability and Automation
How to Use Label Selectors to Identify Resources

