# authorize.conf
#
# capabilities
#
# least privileges approach: TrackMe uses a least privileges approach and does not require any specific capabilities other than the TrackMe capabilities declared below
# and the standard capabilities
# TrackMe does not need users or admin to have list_settings or list_storage_password
#
# Each [capability::<name>] stanza below only declares the capability; the stanza body is intentionally empty.
# The capabilities are granted to roles in the role stanzas further down in this file.

# user operations: this capability allows all read operations for TrackMe, and should be granted to TrackMe users
[capability::trackmeuseroperations]

# power operations: this capability allows all write operations for TrackMe, this allows activities such as modifying entities, and should be granted to TrackMe power users
# (it does not, by itself, cover creating tenants or trackers; see trackmeadminoperations)
[capability::trackmepoweroperations]

# admin operations: this capability allows all write operations for TrackMe, and should be granted to TrackMe administrators
# this allows operations such as creating and managing tenants, Hybrid Trackers and so forth
[capability::trackmeadminoperations]

#
# roles
#
# TrackMe implements a 3 roles approach, each associated with a capability, allowing granular RBAC on TrackMe:
# - trackme_user: this role can be granted or inherited, it is intended for read only users on TrackMe objects
# - trackme_power: this role can be granted or inherited, it is intended to provide read and write capabilities on TrackMe objects, but excludes operations like creating tenants or trackers
# - trackme_admin: this role can be granted or inherited, it is intended to provide the previously mentioned capabilities, but in addition it allows full control and allows creating and managing tenants, trackers, etc
# In addition, when creating a tenant, admins will define which roles have which type of privileges on the tenant; TrackMe recycles this information automatically when creating objects like trackers.
# Admin users for TrackMe, this role can be granted or inherited for users who need full control over TrackMe objects, including creating and managing tenants and trackers
[role_trackme_admin]
# Minimal import
# (trackme_power already imports user and trackme_user; listing all three here keeps the inheritance chain explicit and readable)
importRoles = user;trackme_user;trackme_power
# capabilities (capabilities from trackme_user and trackme_power are inherited)
trackmeadminoperations = enabled

# Power users for TrackMe, this role can be granted or inherited for users who have write permissions on TrackMe objects, such as updating entities
[role_trackme_power]
# import roles
importRoles = user;trackme_user
# capabilities
trackmepoweroperations = enabled

# Non admin or privileged users can inherit from this role to get the minimal level of read only permissions for TrackMe
[role_trackme_user]
# import roles
importRoles = user
# capabilities
trackmeuseroperations = enabled

# provide TrackMe capabilities to admin
# NOTE: this extends the built-in admin role, so every user holding admin receives full TrackMe control (all three capabilities)
# without being assigned any trackme_* role; review this when auditing who can create or manage tenants and trackers
[role_admin]
trackmeuseroperations = enabled
trackmepoweroperations = enabled
trackmeadminoperations = enabled

# This is required for Splunk Cloud
# NOTE: same grant as [role_admin], applied to the Splunk Cloud sc_admin role
[role_sc_admin]
trackmeuseroperations = enabled
trackmepoweroperations = enabled
trackmeadminoperations = enabled