Introduction
Blameless’s Role-based Access Control (RBAC) system relies on a user-to-group and role (permissions)-to-group assignment dynamic. A group can contain one-to-many roles and one-to-many users, and users & roles may be in one or more groups.
It should be noted that:
- Users must be assigned to only one of the default groups; and,
- Only one of each of the groups created for each custom incident type.
Blameless offers a set of default groups based on incident response team roles to simplify getting started. In addition, custom groups offer flexibility for specific scenarios.
Default groups
To make the assignment process more intuitive for new and existing instances, Blameless has introduced three new default incident groups available by default to Administrators:
- Observer: Users who participate in discussion and complete tasks (i.e., minimum viable permission set).
- Responder: Users who frequently participate and/or drive incident resolution.
- Lead: Users who are frequently incident commanders and have reliability management duties.
These groups ⎯ accessible in the Identity Management → Groups tab ⎯ reflect the most common types of incident response team roles, with each group possessing its own unique permission set. They are designed to make user access assignment intuitive, restrict unnecessary data access, and maximize successful incident management across a wide spectrum of Blameless users.
Create a custom group
Custom groups provide scenario-specific flexibility, such as managing access to sensitive custom incident types. Every custom group features its own unique set of roles and users that you define.
To create a custom group:
- In the sidebar of the Blameless UI, select Identity Management.
- Note: By default, the Groups tab is selected.
- Select + Add Group.
- The Create new group dialog box appears.
- Specify details of your new group and select Create:
- In the Name of the group field, enter a descriptive name of the group.
- In the Group email address field, enter your email address as an Administrator.
- In the Description field (optional), enter a description of your group, particularly in terms of how the group is used for user assignment.
- Note: The group appears in the groups list and can also be discovered using the Filter tool.
- On the right of the group listing, select the vertical ellipsis and select Assign/Unassign roles.
- Select roles and features that all members of the group will be assigned ⏤ when done, select Assign and then, in the subsequent confirmation dialog box, select Confirm.
- In the Features column on the left, select a feature.
- A list of associated Roles appears in the column on the right.
- Select one or more roles.
- Repeat this process to assign more roles from different features, as needed. Selected features retain a blue highlight. Click on a role again to de-select it.
- In the Features column on the left, select a feature.
- On the right of the group listing, select the vertical ellipsis and select Assign/Unassign users.
- Select users to assign to the group ⏤ when done, select Assign and then, in the subsequent confirmation dialog box, select Confirm:
- Tick checkboxes for all users to assign to the group; selected users are indicated by a blue highlight.
- Use the next page arrow icon to browse through multiple pages of users or use the Filter tool to quickly find a specific user.
All done! The custom group is now active and the role assignments are enabled.
Automatic new user routing
The Default tag automatically routes all newly-added users to a selected group. This empowers organizations to streamline their role assignment process, particularly in terms of aligning with the principle of least privilege. In support of this, we encourage customers to use the Observer group as their default, as it contains the minimum viable permission set.
To assign default status to a group:
- In the sidebar of the Blameless UI, select Identity Management.
- Note: By default, the Groups tab is selected.
- On the right of the group listing, select the vertical ellipsis and select Set group as default.
- All newly-added users will now be assigned to the group.
Activate and deactivate users
As your team sizes change, it is often necessary to activate and/or deactivate users. This is facilitated via a simple toggle switch.
- In the sidebar of the Blameless UI, select Identity Management, and then select the Users tab.
- Under the Status column heading, select the toggle switch to activate or deactivate a user as needed.
Comments
0 comments
Article is closed for comments.