SBN

Automating Role-Based Access Control Assignments in ShiftLeft CORE

In this article, we’ll cover how you can automate role-based access control (RBAC) assignments in ShiftLeft CORE. You can sign up for a free ShiftLeft CORE account and try this out for yourself.

Different strokes for different folks

ShiftLeft CORE’s role-based access control (RBAC) feature allows you to manage applications, teams, and roles via its API. This is helpful for administrators overseeing multiple teams, each with developers working on different projects, since they no longer have to manage access control on a per-developer basis. Here is a link to our RBAC documentation.

Different strokes for different folks

From my experience as a Customer Success Engineer, many people want to apply RBAC to their applications’ security findings. For example:

  • Some team members need access to several projects, requiring a wide variety of permissions
  • Some team members need access to one specific project (*not* the entire dashboard of applications)
  • Some team members need read-only access to all of the projects in the organization

Managing these different needs, however, can be challenging.

RBAC in ShiftLeft CORE

When you have a variety of roles, each requiring a specific set of permissions, role-based access control is useful. RBAC allows organizations to roll out users, groups, and teams in bulk while ensuring that each person has the permissions they need (and nothing more).

In addition to UI-based management, CORE’s role-based access control (RBAC) feature allows the management of applications, teams, and roles via its API. This is helpful for administrators overseeing multiple teams, each with developers working on different projects, since they no longer have to manage access control on a per-developer basis.

However, I thought this process could be simpler. To that end, I created a script that automates several processes related to role-based access control. The script performs a bulk operation using a CSV file of users, teams, organizations roles, and team roles, updating the ShiftLeft users as specified. With this script, organizations can easily map users, roles, and teams in bulk. The API documentation can be found here.

How the RBAC automation script works

The RBAC automation script is available on Github; you may find it helpful to refer to the repo during the subsequent portions of this article, which explain how the script works.

To run the automation script, you will need both your ShiftLeft Access Token (this is your Personal Access Token, not your CI Token) and your Organization ID.

The script accepts a CSV file as an input (note that the inputs are case-sensitive). Each row in the file defines:

  • A user (users are identified via their email address)
  • The team to which the user should be assigned (can be either a new or existing team in ShiftLeft)
  • The organization role that the user should be assigned (e.g., team defined, guest, member, power user, super admin)
  • The team role that the user should be assigned (e.g., team guest, team member, team admin)

The script works by searching for each user in ShiftLeft, then updating their team, organization role, and team role as defined in the CSV (if the team to which they should be assigned does not exist, ShiftLeft will create it).

It’s important to note, however, that the users being updated should already be verified users, either through an email invite or from just-in-time SSO provisioning (seats are limited in this case, however).

Finally, to use the script, run python3 main.py in the terminal from the root of the directory where you have saved the script.

python3 main.py

Conclusion

RBAC is helpful for management access control en masse, but ShiftLeft’s API allows you to take advantage of automation to make management easier while minimizing the potential to make mistakes during the assignment process.

If you are interested in learning more about RBAC implementation at ShiftLeft please check out this article.

You can sign up for a free ShiftLeft CORE account and try this out for yourself.


Automating Role-Based Access Control Assignments in ShiftLeft CORE was originally published in ShiftLeft Blog on Medium, where people are continuing the conversation by highlighting and responding to this story.

*** This is a Security Bloggers Network syndicated blog from ShiftLeft Blog - Medium authored by Davis Barillas. Read the original post at: https://blog.shiftleft.io/automating-role-based-access-control-assignments-in-shiftleft-core-aea776f23543?source=rss----86a4f941c7da---4