Role Based Access Control (RBAC)

Summary

Arnica's Role Based Access Control (RBAC) allows each user to be assigned a designated role within the Arnica solution. When authenticated, the user will be provided access to certain pages and functionality based on their role. These roles can be defined within Arnica or through SSO.

Arnica managed and SSO managed RBAC

Arnica's RBAC has two primary configurations: Arnica Managed and SSO Managed roles. Arnica admins can switch between these two configurations within the Users and Roles page.

When switching between "Arnica" and "SSO" management configurations, you must save the configuration before the change will take effect.

Arnica Managed RBAC

When RBAC management is set to "Arnica", all roles must be managed directly within the Arnica solution. A user's role can be updated by clicking the "Edit" icon in the table, beside the "Delete" icon. When a user's role is changed in the Arnica Users and Roles table, the change takes immediate effect.

SSO Managed RBAC

Arnica offers the ability to set roles through the use of SSO groups. When SSO management is set to "SSO", a new configuration window will appear that allows you to define your SSO user groups and map each group to the appropriate Arnica role. Once configured, the role of each user is assessed each time they interact with the Arnica solution. If a user is removed from an SSO group, their permissions will change the next time they load a page within Arnica.

Configuring SSO Roles in Arnica

The SSO Groups Roles Map includes a table with 3 required variables: Name, Regex, and Role.

  • Name - Used to assign a name to each group's mapping policy.

  • Regex - A regex is used to define which role passed by your SSO provider should apply to this policy.

  • Role - The role that the user should be assigned when they are a member of the group defined in the

Users can inherit multiple roles. If a user is a member of more than one configured group, they will be given multiple Arnica roles, visible as icons in the user table.

Arnica Roles Definitions

  • Owner - Has access to all pages, reports, and functionality within Arnica

  • Admin - Has access to all pages and reports in Arnica. Has access to all functionality with a few exceptions: Admins cannot edit or delete the tenant, and Admins cannot invite new users or change the roles of other users.

  • Security Reviewer - Has edit access to all risk pages and Inventory pages, but not Admin pages. Has the ability to change the status of findings and review dismissal requests.

  • Collaborator - Has edit access to all risk pages and the SBOM page. Has the ability to edit the status of findings but cannot review dismissal requests.

  • Read-Only - Has read-only access to all risk pages and the SBOM page. Cannot edit the status of risks within the Arnica solution and cannot review dismissal requests.
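To make the SSO Groups Roles Map and the role definitions above concrete, here is an added example (not Arnica's code) that models the three map fields (Name, Regex, Role), resolves the groups carried in an SSO response to a set of Arnica roles, and folds those roles into a capability set read off the role definitions. The `GroupRolePolicy` class, the sample group names and patterns, the simplified capability matrix, and the union semantics for users who inherit several roles are all assumptions made for this illustration; the page does not state how Arnica anchors regexes or combines roles, so check both against your own configuration.

```python
import re
from dataclasses import dataclass


# Hypothetical model of one row in the SSO Groups Roles Map. The three field
# names (Name, Regex, Role) come from the page; the class itself is ours.
@dataclass(frozen=True)
class GroupRolePolicy:
    name: str
    regex: str
    role: str


# Constructed sample map; group names and patterns are invented for this example.
SAMPLE_POLICIES = [
    GroupRolePolicy("Platform owners", r"^arnica-owners$", "Owner"),
    GroupRolePolicy("Security team", r"^sec-(appsec|reviewers)$", "Security Reviewer"),
    GroupRolePolicy("Engineering", r"^eng-[a-z0-9-]+$", "Collaborator"),
    GroupRolePolicy("Everyone else", r"^all-staff$", "Read-Only"),
]

# Simplified capability matrix derived from the role definitions on the page.
# It is a reading of that prose, not Arnica's own permission model.
ROLE_CAPABILITIES = {
    "Owner": {"view_risk_pages", "edit_finding_status", "review_dismissal_requests",
              "view_admin_pages", "manage_users", "manage_tenant"},
    "Admin": {"view_risk_pages", "edit_finding_status", "review_dismissal_requests",
              "view_admin_pages"},
    "Security Reviewer": {"view_risk_pages", "edit_finding_status",
                          "review_dismissal_requests"},
    "Collaborator": {"view_risk_pages", "edit_finding_status"},
    "Read-Only": {"view_risk_pages"},
}


def roles_for_groups(groups, policies):
    """Return the set of Arnica roles implied by the SSO groups in a login response.

    Every group is tested against every policy regex (re.search, so each
    pattern must carry its own ^ and $ anchors); membership in several
    matching groups yields several roles, as the page describes.
    """
    roles = set()
    for group in groups:
        for policy in policies:
            if re.search(policy.regex, group):
                roles.add(policy.role)
    return roles


def effective_capabilities(roles):
    """Union of the capabilities of all inherited roles (assumed semantics)."""
    caps = set()
    for role in roles:
        caps |= ROLE_CAPABILITIES.get(role, set())
    return caps


def unanchored_policies(policies):
    """Names of policies whose regex lacks a ^ or $ anchor.

    An unanchored pattern such as 'eng-' also matches 'legacy-eng-tools',
    so a role would be granted to groups the policy author never intended.
    """
    return [p.name for p in policies
            if not (p.regex.startswith("^") and p.regex.endswith("$"))]


if __name__ == "__main__":
    # A user in three groups inherits three roles. Roles are re-evaluated on
    # each interaction, so dropping a group on the IdP side drops the role.
    before = roles_for_groups(["eng-backend", "sec-appsec", "all-staff"], SAMPLE_POLICIES)
    after = roles_for_groups(["eng-backend", "all-staff"], SAMPLE_POLICIES)
    print(sorted(before), sorted(effective_capabilities(before)))
    print(sorted(after), sorted(effective_capabilities(after)))
    loose = SAMPLE_POLICIES + [GroupRolePolicy("Too broad", r"eng-", "Collaborator")]
    print(unanchored_policies(loose))
```

The `unanchored_policies` check is the review step worth running over any map like this: a pattern written as a substring rather than a full group name silently widens the population that receives the role, and the only sign in the UI is an extra role icon on users who should not have it.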

Can I manage Roles in Arnica and access through SSO?

Yes. Arnica's authentication and role assignment features are configured separately. It is possible to set up SSO login and have user roles configured within Arnica.

SSO RBAC Feature Dependencies

Arnica's SSO managed roles rely on attributes passed during the SSO authentication process, so it is not possible to map SSO based roles without configuring SSO authentication. To take advantage of this feature, ensure that you have properly integrated Arnica with your SSO solution and that you have included the "user. Groups" argument in the SSO authentication response. More detail on this configuration can be found in the Okta Integration page.
