This article intends to walk you through Role Based Access Controls.
For background, please take a look at the User Management guide.
Restore Visibility Estimated Read Time: 5 minutes
In this article:
What are Role-Based Access Controls (RBAC)?
Access groups enable the provisioning of user access to be administered at an access group level rather than at an individual user level in a Role-Based Access Control (RBAC) way.
Within Gatekeeper, the main object is the Contract record, as all other objects in Gatekeeper will link to a Contract record.
Within Contract records, there are three main objects to consider when provisioning your RBAC groups:
Entities - The legal Entities that make up your company that are a party to a contract.
Teams - These are the teams that your contract and vendor managers are grouped into. This is likely to be allocated via departments.
Categories - Categories are a way of grouping your Contracts into relevant groups to ensure categorisation is kept consistent across your Contract repository.
Your teams, categories, or entities may have been renamed within your tenant, but for this article, we will refer to them as their original names.
Additionally, we are able to provide access to specific Contracts and Vendors by way of RBAC.
Using any combination of these Objects, you can provide the correct level of access for your users.
For example, John is a part of the Legal Team and looks after Commercial Contracts only.
Using RBAC, we would be able to provide John with the ability to view Contracts and their associated Vendors by creating an RBAC group where the 'Team = Legal' & 'Category = Commercial'
The benefits of using RBAC:
1. Users can be provisioned with only the access they need and nothing else.
2. System administrators can manage access groups to administer user access, enabling them to manage many users in a scalable way.
Users can also be a part of many access groups, so using our example above, we would be able to further provision John with access by adding additional RBAC groups to John's permissions.
Setting the AND / OR Operator
When configuring RBAC Groups, it's important to understand the global setting of 'And' versus 'Or'.
This article here explains this in further detail, but in short:
- AND = more restrictive. E.g. 'Team = Legal' AND 'Category = Commercial'
- OR = less restrictive. E.g. 'Team = Legal' OR 'Category = Commercial'
The OR option would provide access to more objects, as it does not require the explicit combination of Legal AND Commercial. Instead, it would provide access to any Contracts where the Team is Legal and any Contracts where the Category is Commercial.
This is a Global Setting and so will dictate ALL RBAC Groups. So be sure to consider your use case carefully when deciding.
To set the Boolean Operator, we first must access 'Settings' > 'Configuration'
We then select 'Role Based Access Control (RBAC) Configuration'
We are then presented with the below screen:
You can now set your operator to your desired preference.
Creating an Access Group?
To create access groups, please see our guide