
Internal tools RBAC system

Authorization manager console and permissions service

Legacy RBAC Admin Tool: A Bottleneck for Productivity and Security

Our legacy role-based access control (RBAC) admin tool served as a significant roadblock to both productivity and security. Limited in its ability to adapt to evolving organizational structures, feature sets, and responsibilities, it lacked transparency regarding permission distribution, usage, logging, and onboarding for new internal users.


Maintaining individual user permissions became an endless task for a single point of contact, who often had to fall back on ambiguous interpretations of roles and overly generous access grants because of the original system's rigidity. This tool created substantial security challenges: comprehensive security audits took between two and five business days to complete, and even then their accuracy was questionable.


Reimagining Access Control: A Multifaceted Approach

Recognizing the necessity for a robust, dynamic, and intuitive solution, I tackled revitalizing our RBAC system and underlying permissions service. Through collaboration with our security team, data protection department and engineers, we established a set of guiding principles for the new system:


  • Principle of Least Privilege: Granting access solely to tools necessary for individual job duties, ensuring minimal exposure.

  • Flexibility and Scalability: Accommodating the dynamic nature of organizational structures, roles, tools, and permissions without extensive engineering support.

  • Data Clarity: Empowering security and data protection teams with immediate and granular visibility into employee tool access.

  • Usability: Designing a user interface that's intuitive for users and readily configurable by software engineers.

  • Expiring Access: Enabling temporary access to tools outside of core responsibilities for the duration of specific tasks or projects.


From Vision to Reality: A Collaborative Effort

Even after our product designer was reassigned, I took the lead on the project by designing the access workflow, creating wireframes in Figma, refining requirements, and working closely with engineers to rebuild the company's permissions service and the new React-based RBAC tool. Ultimately, I facilitated the migration of over 200 internal users to the updated system.


Furthermore, I conducted interviews with representatives from each department to understand their workflows and tool usage, allowing me to adjust user group configurations as needed. This comprehensive approach greatly reduced disruptions during the migration, testing, and support phases.


Impact and Outcomes: A Streamlined and Secure Landscape

The new tool introduced significant improvements:

  • Simplified Onboarding and Offboarding: User management became straightforward and easily managed through a human-readable interface.

  • Granular Permissions and Enhanced Security: Implementing role-specific access and restricting high-risk features to designated personnel.

  • Temporary Access: Facilitating time-bound permission grants for specific needs, balancing operational efficiency with security principles.

  • Efficient Backend Services: Permissions and roles could be created and integrated into the system quickly and easily as business needs evolved.

  • Real-Time Auditing: Integrating the new permission service with our data pipeline enabled real-time user access audits via Looker or simple CSV exports, eliminating the need for direct tool access by security auditors. This reduction in complexity shortened audit times from 2+ days to around four total hours, allowing the data security team to increase audit frequency by 4x.

  • Delegated Responsibilities: Ownership of user access management transitioned smoothly to the Identity team after a brief training and handover session.
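As an added illustration (not the company's actual permissions service or React tool), the following Python model shows the two mechanisms described in the guiding principles and the outcomes above: deny-by-default, role-based grants with an optional expiry for temporary access, and a flat CSV export that auditors can read without touching the tool itself. The role names, permission strings and user names are hypothetical.

```python
import csv
import io
import time
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Callable, List, Optional

# Assumed role catalogue (hypothetical names): a permission is only ever reached via a role.
ROLE_PERMISSIONS = {
    "support_agent": {"tickets:read", "tickets:reply"},
    "support_lead": {"tickets:read", "tickets:reply", "refunds:issue"},
}

@dataclass
class Grant:
    user: str
    role: str
    granted_by: str
    expires_at: Optional[float]  # epoch seconds; None means standing access

class PermissionsService:
    def __init__(self, now: Callable[[], float] = time.time):
        self.grants: List[Grant] = []
        self.now = now  # injectable clock so expiry behaviour is deterministic in tests

    def grant(self, user: str, role: str, granted_by: str, ttl_seconds: Optional[float] = None):
        if role not in ROLE_PERMISSIONS:
            raise ValueError(f"unknown role {role!r}")  # no ad-hoc, role-less grants
        expires = self.now() + ttl_seconds if ttl_seconds is not None else None
        self.grants.append(Grant(user, role, granted_by, expires))

    def active_grants(self, user: str) -> List[Grant]:
        now = self.now()
        return [g for g in self.grants
                if g.user == user and (g.expires_at is None or g.expires_at > now)]

    def has_permission(self, user: str, permission: str) -> bool:
        # Deny by default: only an unexpired role grant can confer a permission.
        return any(permission in ROLE_PERMISSIONS[g.role] for g in self.active_grants(user))

    def audit_csv(self) -> str:
        # Flat export, one row per (user, role, permission); lapsed grants are left out.
        buf = io.StringIO()
        w = csv.writer(buf)
        w.writerow(["user", "role", "permission", "granted_by", "expires_at"])
        for user in sorted({g.user for g in self.grants}):
            for g in self.active_grants(user):
                exp = datetime.fromtimestamp(g.expires_at, timezone.utc).isoformat() if g.expires_at else ""
                for p in sorted(ROLE_PERMISSIONS[g.role]):
                    w.writerow([user, g.role, p, g.granted_by, exp])
        return buf.getvalue()
```

Feeding `audit_csv()` into the data pipeline (or straight into a spreadsheet) gives the per-permission view the page describes, with the `expires_at` column making temporary elevations visible at a glance.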


In conclusion, developing and implementing this new RBAC system transformed user access management from a cumbersome process to a streamlined and secure operation. As a result, we witnessed enhanced security posture, responsibilities delegated to the appropriate departments, and empowered personnel across the organization.
