Skip to Content

Access Control Explained

Role Based Access Control (RBAC) Explained


Overview: This article explains how to implement Role-Based Access Control (RBAC) in SSH, detailing how to manage user access to servers, server groups, web portals, and specific actions based on their roles.


RBAC or Role Based Access Control in SSH is a method to restrict the access of SSH users or server administrators to the remote servers based on their role. Most of the enterprises are having thousands of servers. Granting SSH access to employees is a big headache or security concern for the companies. Using Role based access control, we can ensure that ssh users or system administrators are using only the relevant information they needs to perform their task. We can restrict their access to only a particular group of servers and also can control their actions on those servers too.

How to grant role based access control in SSH?

  • Restrict user actions in server
  •  Map ssh user to a particular server
  •  Map ssh user to group of servers
  •  Map ssh user group to single server
  • Map ssh user group to group of servers etc

How to configure rbac in SSH ?

Group your staff and your servers into different categories and decide which user or group of users get access to which server or group of servers.


UserGroup to ServerGroup

Enable or disable access to a group of servers (ServerGroups) for a group of users or in other words regulate access of user groups to server groups.

  • Select User group Use the drop down menu to choose the UserGroup whose accessibility needs to be altered.
  • Non-Accessible Server Groups The list of ServerGroups that is not accessible to the above selected UserGroup is in the right box. Use Add All to add all or use  to add them one by one.
  • Accessible Server Groups The list of ServerGroups that is accessible to the above selected UserGroup is in the left box. Use Remove All remove all server groups or use  to remove them one by one.
  • Click the Save button to save the changes.

 

User to ServerGroup

Enable or disable access to a group of servers (ServerGroups) for individual users or in other words regulate access of users to ServerGroups.

  • Select the User for which you need to change the access.
  • Select server group(s) from the non-accessible or accessible list as you want and move it to the other list using the  operators.
  • Click the Save button to save the changes.

User to Server

Enable or disable access to individual server for individual users or in other words regulate access of user to server.

 

  • Select the user for which you need to change the access using SelectUser.
  • Tick the checkboxes of ServerGroup or Servers that the user needs to be granted access to.
  • Click Save to save the changes.

 

UserGroup to WebPortalGroup

Enable or disable access to a groups of webportals (PortalGroups) for a group of users or in other words regulate access of usergroup to portalgroups.

 

  • Select User group Use the drop down menu to choose the UserGroup whose accessibility needs to be altered.
  • Non-Accessible Portal Groups The list of PortalGroups that is not accessible to the above selected UserGroup is in the right box. Use Add All to add all or use  to add them one by one.
  • Accessible Portal Groups The list of PortalGroups that is accessible to the above selected UserGroup is in the left box. Use Remove All remove all portal groups or use  to remove them one by one.
  • Click the Save button to save the changes.

 

User to WebPortalGroup

Enable or disable access to a groups of portals (PortalGroups) for individual users or in other words regulate access of users to PortalGroups.

 

  • Select the User for which you need to change the access.
  • Select  WebPortalgroup(s) from the non-accessible or accessible list as you want and move it to the other list using the  operators.
  • Click the Save button to save the changes.

 

User to WebPortal

Enable or disable access to individual webportal for individual users or in other words regulate access of user to webportal.

 

  • Select the user for which you need to change the access from the User dropdown menu.
  • Tick the checkboxes of  Webportal Group or Webportal that the user needs to be granted access to.
  • Click Save to save the changes.

 

Usergroup - Actions

Enable or disable access to webpanel features for Usergroups or in other words Control access of a UserGroup to webpanel features/backend servers access in ssh/ezsh features.

 


 
Gateway (aka Bastion Host)
Allow/Disallow access to Ezsh shell for the gateway user
Allow SCP   
Allow/Disallow SCP access for the gateway user
Allow SFTP 
Allow/Disallow SFTP for the gateway user
Allow Mosh
Allow/Disallow MOSH  for the gateway user
Servers
Add server
Ability for the user to add a server
Ability for the user to edit  a server
Ability for the user to delete server
Ability for the user to view the server details
Ability for the user to view the super group
Ability for the user to view the server password
Ability to view ssh private key and passphrase in back-end
Ability to view encrypted server field
Ability to use parallel shell in ezsh shell
Ability to use passwordless controlpanel login
Ability to use passwordless datacenter login
Ability to use RDP login
Ability to use IPMI login
Ability to use remote console login
Ability to reset the server root passwords
Ability to resetup the ssh authentication key
Ability to reset the ssh fingerprint
Ability to add the server group
Ability to edit the server group
Ability to delete server group
Ability to view mExec lists
Ability to add add new mExec lists
Ability to edit mExec list
Ability to delete mExec list
Ability to change servers in mExec list
Ability to add the sub ssh user
Ability to delete sub ssh user
Ability to view sub ssh user lists
Ability to add the sub ssh user maps
Ability to edit sub ssh user maps
Ability to delete sub ssh user maps
Ability to view sub ssh user maps lists
Ability to add private key
Edit Private Key       
Ability to edit private key
Ability to delete private key
Ability to establish SSH Tunnel from gateway to this server
Ability to SSH via web browsers such as Chrome/Firefox
Users
Ability to view the Userlist
Ability to add a user
Ability to edit a user
Abiltiy to delete a user
Ability to view the group list
Ability to add a usergroup
Ability to edit a usergroup
Ability to delete a usergroup
Ability to view ssh logs
Ability view  scp logs
Ability to view web activity logs
Ability to view shell activity
Ability to view server activity
Ability to view user status
Ability to view work summary
Users status
User will able to view logs only when he is authorized by another user
Access Controls
Grant privilege to choose UserGroup-ServerGroup action
Grant privilege to user on User-ServerGroup action
Grant privilege to user on the User-server action
Grant privilege to user on User-Portalgroup action
Grant privilege to user on User-Portal action
Grant privilege to user on UserGroup-Aciton
Grant privilege to user on executing the User-Action action
Grant privilege to user on the User-SSHKey action
Reset All User Specifc Overrides
Grant privilege to user so that a user's acl is set back to default
Privilege to grant actions access
Grant privilege to user so that he can modify the access control of other users
Settings
All
Grant user all actions under settings tab
Command Guard Manager
All
Grant user All actions under the command guard manager tab
Help
All
Grant user All actions under  Help tab    
Cluster
All
Grant user All actions under Cluster tab
Web Portals
Ability to view the webportal list only
Ability to view the details of a webportal with detailed view. This option has to be disabled along with the edit portal option below to prevent the display of webportal info
Ability to add a  new webportal
Ability to edit an exisiting webportal. This option has to be disabled along with the view portal option to prevent the display of webportal info
Ability to login into the portal with one click

 

User SSH Key

Enable or disable access to individual SSH Key for individual users or in other words regulate access of user to ssh key.

 

  • Select the user for which you need to change the access from the User drop down menu.
  • Tick the check boxes of  SSH Key that the user needs to be granted access to.
  • Click Save to save the changes.

Related articles

Reset access control for Ezeelogin Gateway users

Role Based Access Control in SSH

Reset access control override

How to grant a user access to control panel