# authorize.conf
#
# capabilities
#
# least-privilege approach: TrackMe follows a least-privilege approach and does not require any specific capabilities apart from the TrackMe capabilities
# and standard capabilities
# TrackMe does not require users or admins to hold list_settings or list_storage_passwords
# user operations: this capability allows all read operations for TrackMe, and should be granted to TrackMe users
[capability::trackmeuseroperations]
# read-only capability; enabled in role_trackme_user (and thus inherited by trackme_power and trackme_admin through importRoles), and enabled directly in role_admin and role_sc_admin
# power operations: this capability allows all write operations for TrackMe (activities such as modifying entities) and should be granted to TrackMe power users
[capability::trackmepoweroperations]
# write capability; enabled in role_trackme_power (and thus inherited by trackme_admin through importRoles), and enabled directly in role_admin and role_sc_admin
# admin operations: this capability allows all write operations for TrackMe, and should be granted to TrackMe administrators
# this allows operations such as creating and managing tenants, Hybrid Trackers and so forth
[capability::trackmeadminoperations]
# highest-privilege TrackMe capability (tenant and tracker management); enabled only in role_trackme_admin, role_admin and role_sc_admin
#
# roles
#
# TrackMe implements a three-role approach, each role being associated with a capability, which allows granular RBAC to be managed on TrackMe:
# - trackme_user: this role can be granted or inherited; it is intended for read-only users of TrackMe objects
# - trackme_power: this role can be granted or inherited; it is intended to provide read and write capabilities on TrackMe objects, but excludes operations such as creating tenants or trackers
# - trackme_admin: this role can be granted or inherited; it provides the previously mentioned capabilities and, in addition, allows full control, including creating and managing tenants, trackers, etc.
# In addition, when creating a tenant, admins define which roles have which type of privileges on the tenant; TrackMe automatically reuses this information when creating objects such as trackers.
[role_trackme_admin]

# Minimal import: the user role plus the two lower TrackMe roles
importRoles = user;trackme_user;trackme_power

# capabilities: trackmeuseroperations and trackmepoweroperations are inherited from trackme_user and trackme_power via importRoles, so only the admin capability is set here
trackmeadminoperations = enabled
# Power users for TrackMe: this role can be granted or inherited for users who have write permissions on TrackMe objects, such as updating entities
[role_trackme_power]

# import roles: builds on trackme_user, so trackmeuseroperations is inherited
importRoles = user;trackme_user

# capabilities: write operations only; trackmeadminoperations is deliberately not granted to this role
trackmepoweroperations = enabled
# Non-admin or unprivileged users can inherit from this role to get the minimal, read-only level of permissions for TrackMe
[role_trackme_user]

# import roles: only the user role
importRoles = user

# capabilities: read-only operations, the lowest TrackMe privilege level
trackmeuseroperations = enabled
# grant all TrackMe capabilities to the admin role
[role_admin]
# all three TrackMe capabilities are granted directly here, so every member of admin has full TrackMe control (read, write, tenant and tracker management); review admin membership with that in mind
trackmeuseroperations = enabled
trackmepoweroperations = enabled
trackmeadminoperations = enabled
# This is required for Splunk Cloud
[role_sc_admin]
# mirrors role_admin: all three TrackMe capabilities are granted directly, giving sc_admin members full TrackMe control (read, write, tenant and tracker management)
trackmeuseroperations = enabled
trackmepoweroperations = enabled
trackmeadminoperations = enabled