Creating and using security policies
What are policy statements?
Policy statements are JSON-formatted documents that list actions that are either allowed or denied for a certain resource.
Each policy can contain one or more statements listed after each other. Each statement will say three things:
- The resources covered.
- The actions controlled.
- If the actions are to be allowed or denied.
If you have both a statement that allows an action and another statement that disallows it, the end result will be that access is denied, since explicit denies have higher priority.
Policy types
You can use two types of policies:
- Managed policies – Policies that are created and managed by Rational BI. If you are new to using policies, we recommend that you start by using Rational BI managed policies.
- Custom policies – Policies that you create and manage in your Rational BI account. Customer managed policies provide more precise control over your policies than Rational BI managed policies. You can create and edit a Rational BI policy by creating the JSON policy document directly.
Example policy
This is an example policy that permits reports to be listed for all accounts:
```json
{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "account:listReports"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}
```
The policy above has a single statement but any number of additional statements can be included in the list.
The statement itself has three entries:
- The Effect which can be either Allow or Deny.
- The Action which is a list of actions that can be performed. The full set of possible actions is listed here.
- The Resource that is being controlled. The asterisk (*) indicates that it applies to all resources. The applicable resources differ per action.
Constructing policy statements can be difficult. Contact support@rationalbi.com if you would like help and we will be happy to assist.
Custom policy statements require an enterprise subscription.
System managed policies
Policy | Description |
---|---|
Administrator | The user is an administrator at the organizational level and can invite new users, promote users to owner status, manage and delete users as well as create and delete workspaces. Only assign ownership status to those that are trusted to see all data associated with the organization as well as manage and invite new users. |
Everyone | Basic access to organizational information as well as the ability to view the accounts under the organization. |
Power Users | Access all accounts and read and write reports and data. |
Database Managers | Permissions to upload, manage and delete databases of existing datasets. Cannot change schemas. |
Report Builders | The ability to create, edit and delete reports. |
Dataset Designers | Create, design, modify and delete datasets and schemas. Users with this policy can also upload, manage and delete databases. |
Report Consumer | Read-only access to all reports and data in the account. |
To limit account access, create a policy with a DENY permission to override.
Permissions
Permissions let you specify access to Rational BI resources. Permissions are granted to groups and by default these groups start with no permissions.
In other words, members of groups can do nothing in Rational BI until you grant them your desired permissions. To give entities permissions, you can attach a policy that specifies the type of access, the actions that can be performed, and the resources on which the actions can be performed. In addition, you can specify any conditions that must be set for access to be allowed or denied.
You can select a predefined policy managed by Rational BI or create your own using the policy editor.
To assign permissions to a user, group, role, or resource, you create a policy that lets you specify:
- Actions – Which Rational BI service actions you allow. Any actions that you don't explicitly allow are denied.
- Resources – Which Rational BI resources you allow the action on. Users cannot access any resources that you do not explicitly grant permissions to.
- Effect – Whether to allow or deny access. Because access is denied by default, you typically write policies where the effect is to allow.
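The evaluation rules described above (access is denied by default, and an explicit deny overrides any allow) can be sketched as follows. This is an added example, not Rational BI's own code: the `matches` and `evaluate` functions, the exact-match resource comparison and the report UUIDs are assumptions made for illustration.

```python
import json

# Constructed policy; the report UUID is a made-up placeholder.
POLICY = json.loads("""
{
  "Statement": [
    {"Effect": "Allow",
     "Action": ["account:listReports", "account:readReport"],
     "Resource": ["*"]},
    {"Effect": "Deny",
     "Action": ["account:readReport"],
     "Resource": ["report/11111111-2222-3333-4444-555555555555"]}
  ]
}
""")

def matches(statement, action, resource):
    """True if the statement covers this action on this resource.

    Assumption: a bare "*" covers every resource; anything else must be
    an exact string match.
    """
    return action in statement["Action"] and any(
        pattern in ("*", resource) for pattern in statement["Resource"])

def evaluate(policies, action, resource):
    """Return (decision, reason) for one request over all attached policies."""
    allowed = False
    for policy in policies:
        for statement in policy["Statement"]:
            if not matches(statement, action, resource):
                continue
            if statement["Effect"] == "Deny":
                return ("Deny", "explicit deny")  # wins regardless of order
            if statement["Effect"] == "Allow":
                allowed = True
    if allowed:
        return ("Allow", "matching allow")
    return ("Deny", "default deny")  # no statement granted the action

if __name__ == "__main__":
    blocked = "report/11111111-2222-3333-4444-555555555555"
    other = "report/99999999-8888-7777-6666-555555555555"
    for action, resource in [("account:readReport", other),
                             ("account:readReport", blocked),
                             ("account:deleteReport", other)]:
        print(action, resource, evaluate([POLICY], action, resource))
```

The third request is refused even though no statement mentions `account:deleteReport`, which is the default-deny case; the second is refused although the first statement allows it on `*`.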
Actions
Actions are used within policy statements to determine what tasks a user is allowed to perform. Some actions can be filtered by the UUIDs of the object. This can be used as a means to set up granular permissions to subsets of an organization where access should be partitioned.
Organization-level Actions
Action | Resource | Description |
---|---|---|
organization:describeOrganization | | Read basic information about the organization, such as name and description. |
organization:updateOrganization | | Update basic information about the organization, such as name and description. |
organization:associateUser | | Associate an existing user with the organization. |
organization:putOrganizationLogo | | Upload a new logo for the organization. |
organization:createUser | | Create or invite a new user into the organization. |
organization:updateUser | user/useruuid | Update information about an existing user. |
organization:describeUser | user/useruuid | Get information about a user. |
organization:deleteUser | user/useruuid | Delete an existing user. |
organization:listUsers | | List the users associated with the organization. |
organization:listPolicies | | List the security policies defined within the organization. |
organization:describePolicy | policy/policyuuid | Retrieve the name, description and policy statement associated with a security policy. |
organization:deletePolicy | policy/policyuuid | Delete an existing security policy. |
organization:createPolicy | | Create a new security policy. |
organization:updatePolicy | policy/policyuuid | Update an existing security policy. |
organization:assignPolicy | | Assign a security policy to a group. |
organization:listGroups | | List the groups associated with the organization. |
organization:deleteGroup | | Delete an existing group. |
organization:createGroup | | Create a new group. |
organization:updateGroup | | Update an existing group. |
organization:describeGroup | | Return information such as name and description of a group, as well as group membership information. |
organization:deleteAccount | | Return information about an account. |
organization:listAccounts | | List existing accounts. |
organization:createAccount | | Create a new account. |
organization:readAccount | | Read data from an account. |
organization:updateAccount | | Update meta-information about an account, such as name, description, time zone and currency. |
organization:describeBilling | | Return information about the current plan, billing information and invoices. |
organization:updateBilling | | Update the current plan, input new payment methods and pay invoices. |
organization:deleteOrganization | | Delete the organization. |
Account-level Actions
Action | Resource | Description |
---|---|---|
account:listDatasets | | Enumerate the datasets within an account. |
account:describeDataset | dataset/datasetuuid | Retrieve metadata related to a dataset such as the name and description. This does not include the data in databases nor does it include the database schema. |
account:createDataset | | Create a new dataset. |
account:deleteDataset | dataset/datasetuuid | Delete an existing dataset. |
account:updateDataset | dataset/datasetuuid | Update the metadata properties of an existing dataset. |
account:shareDataset | dataset/datasetuuid | Control the sharing properties of a dataset. Note that sharing a dataset will expose it to non-authenticated users. |
account:listReports | | Enumerate the reports within an account. |
account:describeReport | report/reportuuid | Read metadata for a single report. Returns data similar to what the listReports action returns, but requires a specific report to be provided. |
account:deleteReport | report/reportuuid | Delete an existing report. |
account:updateReport | report/reportuuid | Edit an existing report. |
account:readReport | report/reportuuid | Read the report definition of an existing report. |
account:createReport | | Create a new report. |
account:readReportHistory | report/reportuuid | Read the history of prior versions of a report. |
account:readReportScreenshot | report/reportuuid | Retrieve screenshots of the current or historical versions of a report. |
Dataset-level Actions
Action | Resource | Description |
---|---|---|
dataset:listDatabases | dataset/datasetuuid | Enumerate the databases on file for a database. |
dataset:updateDatabase | dataset/datasetuuid/databaseuuid | Flag a specific database associated with a dataset as active. |
dataset:deleteDatabase | dataset/datasetuuid/databaseuuid | Delete a database. |
dataset:readDatabase | dataset/datasetuuid/databaseuuid | Retrieve and read a database. |
dataset:createDatabase | dataset/datasetuuid/databaseuuid | Create a new database within an existing dataset. |
dataset:createSchema | dataset/datasetuuid | Create a new database schema. At the moment, only a single database schema per dataset is allowed. |
dataset:readSchema | dataset/datasetuuid/schemauuid | Read the schema of an existing dataset. |
dataset:updateSchema | dataset/datasetuuid/schemauuid | Modify the schema of an existing dataset. |
dataset:deleteSchema | dataset/datasetuuid/schemauuid | Delete the schema of an existing dataset. At the moment, each dataset must have a single schema. |
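
A review aid for custom policies, built on the resource column of the tables above and the note on `account:shareDataset`. This is an added example, not part of Rational BI: `lint_policy`, the finding names and the sample UUID are hypothetical, and `SCOPABLE` copies only a subset of the actions listed on this page.

```python
# Subset of the tables above: actions that take an object-scoped resource,
# mapped to the resource prefix the tables show for them.
SCOPABLE = {
    "account:readReport": "report/",
    "account:updateReport": "report/",
    "account:deleteReport": "report/",
    "account:shareDataset": "dataset/",
    "account:deleteDataset": "dataset/",
    "dataset:readDatabase": "dataset/",
    "organization:deleteUser": "user/",
    "organization:updatePolicy": "policy/",
}

def lint_policy(policy):
    """Return (statement index, finding, detail) tuples for one policy document."""
    findings = []
    for i, st in enumerate(policy.get("Statement", [])):
        effect = st.get("Effect")
        if effect not in ("Allow", "Deny"):
            findings.append((i, "bad-effect", repr(effect)))
            continue
        for action in st.get("Action", []):
            prefix = SCOPABLE.get(action)
            for res in st.get("Resource", []):
                if effect == "Allow" and prefix and res == "*":
                    # Could be narrowed to specific UUIDs.
                    findings.append((i, "wildcard-on-scopable", action))
                elif prefix and res != "*" and not res.startswith(prefix):
                    # Statement can never match: wrong resource type.
                    findings.append((i, "resource-type-mismatch", action))
            if effect == "Allow" and action == "account:shareDataset":
                # Sharing exposes the dataset to non-authenticated users.
                findings.append((i, "public-exposure", action))
    return findings

# Constructed sample policy; the dataset UUID is a made-up placeholder.
DATASET = "dataset/aaaaaaaa-0000-0000-0000-000000000001"
SAMPLE = {"Statement": [
    {"Effect": "Allow", "Resource": ["*"],
     "Action": ["account:listReports", "account:readReport"]},
    {"Effect": "Allow", "Resource": [DATASET],
     "Action": ["account:shareDataset"]},
    {"Effect": "Deny", "Resource": [DATASET],
     "Action": ["account:deleteReport"]},
]}

if __name__ == "__main__":
    for finding in lint_policy(SAMPLE):
        print(finding)
```

The third statement is the one most worth catching: a Deny written against the wrong resource type never matches, so the restriction it was meant to impose is silently absent.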