
Internal tools RBAC system

Authorization manager console and permissions service


Legacy RBAC Admin Tool: A Bottleneck for Productivity and Security

Our legacy role-based access control (RBAC) admin tool served as a significant roadblock to both productivity and security. Limited in its ability to adapt to evolving organizational structures, feature sets, and responsibilities, it lacked transparency regarding permission distribution, usage, logging, and new user onboarding processes.


Maintaining user permissions became an endless task for a single point of contact, often resorting to ambiguous interpretations of roles and overly generous access grants due to the original system's rigidity. This tool also created substantial security challenges, with comprehensive security audits taking between two and five business days for completion – and even then, with questionable accuracy.


Reimagining Access Control: A Multifaceted Approach

Recognizing the necessity for a robust, dynamic, and intuitive solution, I tackled revitalizing our RBAC system. Through collaboration with our security team, we established a set of guiding principles for the new system:


  • Principle of Least Privilege: Granting access solely to tools necessary for individual job duties, ensuring minimal exposure.

  • Flexibility and Scalability: Accommodating the dynamic nature of organizational structures, roles, tools, and permissions without extensive engineering support.

  • Data Clarity: Empowering security and data protection teams with immediate visibility into employee tool access.

  • Usability: Designing a user interface that's intuitive for users and readily configurable by software engineers.

  • Expiring Access: Enabling temporary access to tools outside of core responsibilities for the duration of specific tasks or projects.


From Vision to Reality: A Collaborative Effort

Despite our designer's reassignment, I actively drove the project forward, including designing the access workflow, developing wireframes in Figma, refining requirements, and collaborating with engineers to rebuild the underlying permissions service and the new React-based RBAC tool, and ultimately migrating 200+ internal users to the updated system.


Additionally, I interviewed representatives from each department to gain insights into workflows and tool usage and to adjust user group configurations accordingly. This thorough approach minimized disruptions during the migration, testing, and support phases.


Impact and Outcomes: A Streamlined and Secure Landscape

The new tool introduced significant improvements:


  • Simplified Onboarding and Offboarding: User management became straightforward, facilitated solely by job title information.

  • Delegated Responsibilities: Troubleshooting was streamlined through a concise Confluence guide and reporting system.

  • Empowered Identity Team: Ownership of user access management transitioned smoothly to the Identity team after a brief training and handover session.

  • Granular Permissions and Enhanced Security: Implementing role-specific access and restricting high-risk features to designated personnel.

  • Automated Temporary Access: Facilitating time-bound permission grants for specific needs, balancing operational efficiency with security principles.

  • Real-Time Auditing: Integrating the new permission service with our data pipeline enabled real-time user access audits via Looker or simple CSV exports, eliminating the need for direct tool access. This reduction in complexity shortened audit times from 2+ days to around four total hours, allowing the data protection team to increase audit frequency by 4x.
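As an added illustration (not the page's or the team's code) of the model the outcomes above describe: base access derived only from job title, time-bound grants that lapse on their own, high-risk features withheld from anyone outside designated titles, and a flat row export for audits. The titles, roles, tool permissions and fixed clock are constructed sample values.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Constructed sample mappings (hypothetical): job title -> role, role -> tool permissions.
ROLE_BY_TITLE = {"support agent": "support", "data analyst": "analyst",
                 "trust & safety lead": "ts_lead"}
PERMS_BY_ROLE = {
    "support": {"ticketing:read", "ticketing:write"},
    "analyst": {"warehouse:read"},
    "ts_lead": {"ticketing:read", "ticketing:write", "moderation:ban"},
}
# High-risk features stay restricted to designated titles even if a grant names them.
HIGH_RISK = {"moderation:ban", "warehouse:export"}
HIGH_RISK_TITLES = {"trust & safety lead"}
# Fixed "now" (constructed) so the example is deterministic.
NOW = datetime(2024, 5, 1, 9, 0, tzinfo=timezone.utc)

@dataclass
class TempGrant:
    permission: str
    expires_at: datetime

@dataclass
class User:
    email: str
    job_title: str
    temp_grants: list[TempGrant] = field(default_factory=list)

def temp_grant(permission, hours, now=NOW):
    """Time-bound grant; it lapses by itself, so no manual revocation is needed."""
    return TempGrant(permission, now + timedelta(hours=hours))

def role_permissions(user):
    """Base permissions come solely from the job title (unknown title -> nothing)."""
    return set(PERMS_BY_ROLE.get(ROLE_BY_TITLE.get(user.job_title.strip().lower(), ""), set()))

def effective_permissions(user, now=NOW):
    """Role permissions plus unexpired grants, minus high-risk features for non-designated titles."""
    perms = role_permissions(user) | {g.permission for g in user.temp_grants if g.expires_at > now}
    if user.job_title.strip().lower() not in HIGH_RISK_TITLES:
        perms -= HIGH_RISK
    return perms

def audit_rows(users, now=NOW):
    """Flat (email, permission, source) rows, the shape a CSV export or BI tool would ingest."""
    rows = []
    for u in users:
        base, live = role_permissions(u), {g.permission: g.expires_at for g in u.temp_grants if g.expires_at > now}
        for p in sorted(effective_permissions(u, now)):
            rows.append((u.email, p, "role" if p in base else "temporary until " + live[p].isoformat()))
    return rows
```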


In conclusion, developing and implementing this new RBAC system transformed user access management from a cumbersome process to a streamlined and secure operation. As a result, we witnessed enhanced security posture, responsibilities delegated to the appropriate departments, and empowered personnel across the organization.