Role-Based Access Control
Observo implements granular authorization for resources through the Role-Based Access Control (RBAC) model, which facilitates efficient management of user access via defined users, roles, permissions, and resource paths. The hierarchical nature of RBAC allows these policies to extend to all sub-resources within the hierarchy, with the Organization serving as the root. All roles, permissions, and users are established within an organization, meaning that neither users nor roles can exist independently. Furthermore, our model permits users to be members of multiple organizations at the same time.
Roles
In Observo, each user is assigned one or more roles that define their level of access within the system. There are two categories of roles:
System
These are predefined by the system and cannot be altered or deleted. They provide essential access levels and form the basis for role management within an organization.
User
These roles are created and managed by the organization’s Admin users, tailored to meet the specific needs of the organization. An Admin can assign as many permissions as necessary to a user role for precise access control and can designate multiple users to that role. While there is no limit on the number of roles that can be created within an organization, role names must be unique within each organization.
System Roles
When an organization is onboarded to Observo, two predefined System roles, Admin and Viewer, are created. During the onboarding process, the Admin role is assigned to the organization's root user.
Admin
Primarily assigned to the organization administrator, this role grants complete control over all resources and settings.
Viewer
This role provides read-only access to resources, allowing users to view data without the ability to make any modifications.
User Assignment
A user can be assigned one or more roles, which provide the necessary permissions to carry out their tasks. This flexible structure enables users to combine roles to access various sets of resources according to their responsibilities.
Permissions
Permissions specify the actions that users are allowed to perform on resources. These permissions are associated with a single role and cannot be shared among multiple roles. Each role is linked to a specific set of permissions that regulate actions such as:
Viewing resources
Creating new resources
Modifying existing resources
Deleting resources
Resource Types
Observo supports permission management across four key resource types:
Sites
Pipelines
Sources
Destinations
These resources are central to the platform, and permissions are structured to ensure that users can access only the data and actions necessary for their role.
Relationships in RBAC
The RBAC model in Observo defines the following relationships between users, roles, and permissions:
Users and Roles
Many-to-many relationship, allowing users to hold multiple roles, each granting different permissions.
Roles and Permissions
One-to-many relationship, where each role can have multiple permissions assigned to it.
Users and Permissions
Users are not directly assigned permissions. Instead, they gain access through the roles associated with them.
Role Uniqueness
Each role is unique within an organization, ensuring that roles are distinct and tailored to the organization’s needs.
Permission Uniqueness
Permissions are unique within the scope of a role. An organization can have multiple permissions with the same name across different roles.
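The relationships above, as an added illustration in Python (not Observo's own code or API): the organization is the root of the hierarchy, a permission on a resource path covers every sub-resource beneath it, role names are unique per organization, permission names are unique per role, the Admin and Viewer System roles cannot be altered, and a user only gains access through the roles assigned to them. The org/<name>/<type>/<id> path layout is an assumption made for the example.

```python
from collections import namedtuple

ACTIONS = {"view", "create", "modify", "delete"}
RESOURCE_TYPES = {"sites", "pipelines", "sources", "destinations"}
# A permission belongs to exactly one role; its path covers every sub-resource beneath it.
Permission = namedtuple("Permission", "name action path")
# system=True marks the predefined Admin/Viewer roles; permissions maps name -> Permission.
Role = namedtuple("Role", "name system permissions")

class Organization:
    def __init__(self, name):
        self.root = f"org/{name}"                     # root resource path (assumed layout)
        self.user_roles = {}                          # user -> set of role names
        # Predefined System roles, created at onboarding and never editable.
        admin = Role("Admin", True, {a: Permission(a, a, self.root) for a in ACTIONS})
        viewer = Role("Viewer", True, {"view": Permission("view", "view", self.root)})
        self.roles = {"Admin": admin, "Viewer": viewer}

    def create_role(self, name):
        if name in self.roles:                        # role names are unique per organization
            raise ValueError(f"role {name!r} already exists")
        self.roles[name] = Role(name, False, {})

    def grant(self, role_name, perm_name, action, path):
        role = self.roles[role_name]
        if role.system:
            raise PermissionError("System roles cannot be altered")
        if action not in ACTIONS:
            raise ValueError(f"unknown action {action!r}")
        parts = path.split("/")                       # org/<org>/<type>/<id>/...
        if parts[:2] != self.root.split("/") or len(parts) < 3 or parts[2] not in RESOURCE_TYPES:
            raise ValueError(f"{path!r} is not a resource of this organization")
        if perm_name in role.permissions:             # permission names are unique per role
            raise ValueError(f"permission {perm_name!r} already exists in {role_name!r}")
        role.permissions[perm_name] = Permission(perm_name, action, path)

    def assign(self, user, role_name):
        # Many-to-many: a user may hold several roles and a role may have many users.
        self.user_roles.setdefault(user, set()).add(self.roles[role_name].name)

    def is_allowed(self, user, action, path):
        # Users never hold permissions directly; access flows only through their roles,
        # and a permission on a path applies to the whole subtree below it (not to siblings).
        for role_name in self.user_roles.get(user, ()):
            for p in self.roles[role_name].permissions.values():
                if p.action == action and (path == p.path or path.startswith(p.path + "/")):
                    return True
        return False
```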