
πŸ” RBAC and Authorization

SecTrail CM offers a secure and flexible authorization system with enterprise-level Role-Based Access Control (RBAC). Centrally manage all security layers from user management to permission control.

Why RBAC?

Certificate management is a sensitive operation. Critical operations performed by the wrong people can lead to security breaches. With RBAC, you ensure that each user has only the permissions appropriate for their role.

Core Principles
  • Least Privilege - Users are given only the minimum permissions they need
  • Separation of Duties - Critical operations are distributed among different roles
  • Defense in Depth - Multi-layered security control is provided

Key Features

👥 Flexible User Management

SecTrail CM supports multiple user sources to meet different enterprise needs:

πŸ“ Active Directory (AD) / LDAP Integration​

Use your existing enterprise identity infrastructure:

  • Automatic Synchronization - User information is automatically updated
  • Group-based Management - Map AD groups directly to roles
  • Centralized User Management - User addition/removal is done in AD

👤 Local User Accounts

Independent user management:

  • For external consultants and temporary users
  • Alternative for users without AD access
  • Customizable password policies
  • Manual user creation and management

🔄 Hybrid Management

You can use both methods simultaneously. For example, employees can log in with AD while external consultants can use local accounts.

πŸ” Role-Based Access Control (RBAC)​

Powerful and flexible role management system:

πŸ—οΈ Hierarchical Role Structure​

  • System Roles - Immutable predefined roles
  • Custom Roles - Create roles specific to your organization
  • Role Inheritance - Roles inheriting permissions from each other

🎯 Granular Permission Control

Separate permission definition for each operation (CRUD + Execute model):

Permission | Description              | Example
-----------|--------------------------|--------------------------------
Create     | Add new resource         | Create new certificate request
Read       | View information         | View certificate details
Update     | Modify existing resource | Update certificate information
Delete     | Remove resource          | Delete certificate or CA
Execute    | Trigger operation        | Certificate renewal, deployment

🏢 Organization and Group Management

👥 User Groups

Organize users:

  • Department-based - IT, DevOps, Security, Network teams
  • Project-based - Teams for specific projects
  • Region/Location-based - Istanbul, Ankara, Izmir offices
  • Bulk Role Assignment - Automatic role distribution to groups

⚡ Dynamic Membership

Automatic group membership management:

  • AD Group Synchronization - Active Directory groups are automatically synchronized
  • Rule-based Assignment - Automatic group membership based on user attributes
  • Attribute Filtering - Filtering based on attributes like department, title, location

📊 Detailed Audit and Monitoring

Record all authorization operations and meet compliance requirements:

πŸ“ User Activity Log​

Monitor all user interactions:

  • ✅ Who logged into the system, and when?
  • ✅ What operations were performed?
  • ✅ Which resources were accessed?
  • ✅ Failed login attempts
  • ✅ IP address and user agent information

🔄 Role and Permission Changes

Track authorization changes:

  • Role Assignment/Removal - Who assigned/removed which role to whom, when?
  • Permission Changes - Which permissions were added/removed?
  • Group Membership Changes - Complete history of group memberships
  • Change Author Information - The person who made each change is recorded

📈 Compliance Reports

Audit and compliance reports:

  • User Access Rights - Report of each user's permissions
  • Active/Inactive User List - User analysis by usage status
  • Last Login Times - User activity tracking
  • Permission Change History - Changes made within a specific date range
  • Privileged User Report - List of highly authorized users

🎭 Predefined Roles

SecTrail CM offers ready-made roles for quick setup:

🔴 Admin
  Description: System administrator with all permissions
  Basic Permissions:
    • All modules: full access
    • User management
    • System settings
    • Role definition
  Use Case: For system administrators and IT leaders

🟢 API
  Description: System user for API access
  Basic Permissions:
    • Certificates: read, execute
    • Integrations: execute
    • API: full access
  Use Case: For automation and integration systems

Custom Role Definition

These roles meet basic needs. You can create new roles based on your organization's special requirements or customize by cloning existing roles.


💼 Use Cases

🏢 Scenario 1: Department-based Access

Situation: The IT department manages all certificates, while the DevOps team can only view and renew the certificates for its own projects.

Solution:

  • The IT team is assigned the Certificate Manager role
  • A custom DevOps Certificate Operator role is created for the DevOps team
  • Access is restricted with project-based tags

Roles:
├── IT Team → Certificate Manager (all certificates)
└── DevOps Team → DevOps Certificate Operator (only tag:project=devops)

✅ Scenario 2: Approval Mechanism

Situation: Junior employees can create certificate requests but cannot deploy certificates to the production environment without manager approval.

Solution:

  • Juniors get the Certificate Requester role (create, read permissions)
  • Managers get the Certificate Approver role (execute, deploy permissions)
  • The approval step is configured in the workflow system

Workflow:
1. Junior → Creates certificate request (create)
2. Manager → Reviews and approves request (approve)
3. System → Deploys approved certificate (execute)

πŸ‘¨β€πŸ’Ό Scenario 3: External Consultant Access​

Situation: Temporary consultant workers can be given limited-time and read-only access to specific certificates.

Solution:

  • Local user account is created (outside AD)
  • External Auditor role is assigned (read-only permissions)
  • Account expiration date is set
  • Access is restricted to specific certificate groups
Consultant Profile:
β”œβ”€β”€ User Type: Local (outside AD)
β”œβ”€β”€ Role: Certificate Viewer (read-only)
β”œβ”€β”€ Access Duration: 90 days
└── Restriction: Only "Production-Web" certificates

πŸ—οΈ Scenario 4: Multi-Tenant Structure​

Situation: Different companies or business units can use the same platform but cannot access each other's data.

Solution:

  • Separate organization is defined for each company/unit
  • Organization-based data isolation is provided
  • Users access only their organization's data
Organization Structure:
β”œβ”€β”€ Company A
β”‚ β”œβ”€β”€ Users: user1@companyA.com, user2@companyA.com
β”‚ └── Certificates: *.companyA.com
β”œβ”€β”€ Company B
β”‚ β”œβ”€β”€ Users: user1@companyB.com, user2@companyB.com
β”‚ └── Certificates: *.companyB.com
└── Company C
β”œβ”€β”€ Users: user1@companyC.com
└── Certificates: *.companyC.com
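The following Python sketch is an added illustration, not SecTrail CM's own code or API: it models the checks the scenarios above describe (CRUD + Execute actions per role, tag-scoped roles from Scenario 1, account expiration from Scenario 3 and organization isolation from Scenario 4), with every deny returning the reason an audit log would record. Role, user and certificate names, the tag syntax and the field names are assumptions; the approval workflow of Scenario 2 is not modelled.

```python
from dataclasses import dataclass
from datetime import date
# CRUD + Execute permission model from this page.
ACTIONS = frozenset({"create", "read", "update", "delete", "execute"})

@dataclass(frozen=True)
class Role:
    name: str
    actions: frozenset              # subset of ACTIONS granted by this role
    tag_scope: tuple = ()           # e.g. (("project", "devops"),); empty = all resources

@dataclass(frozen=True)
class User:
    name: str
    org: str                        # organization (tenant) the user belongs to
    roles: tuple
    expires: "date | None" = None   # account expiration for temporary (local) accounts

@dataclass(frozen=True)
class Certificate:
    name: str
    org: str
    tags: tuple                     # e.g. (("project", "devops"), ("group", "Production-Web"))

def authorize(user, action, cert, today):
    """Return (allowed, reason). Any deny wins; the reason is what an audit log records."""
    if action not in ACTIONS:
        return False, "unknown action"
    if user.expires is not None and today > user.expires:
        return False, "account expired"              # Scenario 3: limited-time access
    if user.org != cert.org:
        return False, "organization isolation"       # Scenario 4: tenant data isolation
    cert_tags = dict(cert.tags)
    for role in user.roles:
        if action in role.actions and all(cert_tags.get(k) == v for k, v in role.tag_scope):
            return True, f"granted by role '{role.name}'"  # Scenario 1: tag-scoped role
    return False, "no role grants this action on this resource"

# Constructed sample data mirroring the scenarios (assumed names, not product defaults).
CERT_MANAGER = Role("Certificate Manager", ACTIONS)
DEVOPS_OPERATOR = Role("DevOps Certificate Operator", frozenset({"read", "execute"}), (("project", "devops"),))
CERT_VIEWER = Role("Certificate Viewer", frozenset({"read"}), (("group", "Production-Web"),))
IT_ADMIN = User("it.admin", "CompanyA", (CERT_MANAGER,))
DEVOPS_USER = User("devops.user", "CompanyA", (DEVOPS_OPERATOR,))
CONSULTANT = User("consultant", "CompanyA", (CERT_VIEWER,), expires=date(2024, 3, 31))  # 90-day engagement
API_CERT = Certificate("api.companyA.com", "CompanyA", (("project", "devops"), ("group", "Production-Web")))
HR_CERT = Certificate("hr.companyA.com", "CompanyA", (("project", "hr"), ("group", "Internal")))
B_CERT = Certificate("www.companyB.com", "CompanyB", (("project", "web"), ("group", "Production-Web")))
TODAY, AFTER_EXPIRY = date(2024, 2, 1), date(2024, 4, 1)  # constructed check dates
```

Run `authorize(DEVOPS_USER, "execute", HR_CERT, TODAY)` to see the tag scope deny renewal of a certificate outside the devops project, and `authorize(CONSULTANT, "read", API_CERT, AFTER_EXPIRY)` to see the account-expiry deny take precedence over the role grant.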

More Information

Review the User Guide: RBAC Management page for user management and role configuration.