RBAC and Entity Scoping: A Perfect Match

user deployment insights

Entity scoping is not Role-Based Access Control (RBAC).

Some may disagree with this, but it sets the stage for me to start off with this: RBAC differs from access control lists (ACLs) used in traditional discretionary access-control systems, in that RBAC systems assign permissions to specific operations with meaning in the organization, rather than to low-level data objects.

With this in mind, we are going to talk about entity scoping which is precisely aimed at setting security around low-level data objects. The basic premise here is that RBAC gives you access to a set of functionality, and Entity Scoping is what determines what objects you can perform those actions against. When used together, these two tools provide a powerful yet highly configurable security posture.

Results of Scoping

Entity Scoping is accomplished through the use of entity filters. These can be used to limit what objects an individual or group has access to. An easy example is that you only want Tier I Analysts to be able to see basic workstation machines, so you use entity filters to remove any server-class machines from their views.

entity scoping
Without entity scoping, we can see all objects within Remote Support.

In this example we can see that they have access to server entity types, so we are going to create a new filter, and remove their access to entities with those properties.

Configure entity filters
We can configure entity filters, which define your scopes, from within the admin settings pane.

Once we access the Entity Filters settings, we can create a new entity filter. In this scenario, we will create a filter for the Device entity type.

Create entity fliter
You can define entity filters for all displayed entities.

Now we are going to set a new filter and assign it to Users. This will apply the filter to all users that access Remote Support. Beware though, if you have a scenario where you want some people to see something and others not, entity filters currently stack. If we set this filter on Users then all users will lose access to any device that does not have ‘Server’ in the devices operating system name.

Filter example
In this example, we are going to filter out all servers for basic users.

Now that we’ve configured a filter, when we reload the Devices list, we can only see devices that match our settings.

Reload
Example showing only Windows NT Workstation operating system based devices.

We can do the same thing with all of the available entity types. In the example below, we configure a new entity filter for the User objects, and this one filters them down to showing only users that contain ‘test’ in the UserName.

Entity filter 2
Example of filtering users based on certain username elements.

Once we save the filter and refresh our page we are only able to see User entities that contain ‘test’ in the UserName as in the example below.

results
Example of the results from filtering on username values.

Utilizing these filters will allow you to apply granular access control to entities within Remote Support, and when you apply Role-Based Access Controls on top of the Entity Filters you have a very strong but flexible security configuration.

Experience Teams Ticketing Today

Start your 14-day free trial of Tikit. No credit card required.