Overview

Role-based Access Control (RBAC) gives administrators granular control over permissions within PlexTrac through Roles. Access to each part of the platform, and the actions users can take there, is controlled by the Roles assigned to individual users.

This capability greatly enhances the flexibility and usability of PlexTrac. With RBAC, you can define permissions for customers in a customer-facing portal, limit access to client data to only certain users, and customize report classification so that not every user can see sensitive data.

RBAC can be viewed, modified, and accessed through the Account Admin Module, under Security -> Role Based Access.

Roles and Permissions

PlexTrac’s previous access control system was static and could not be customized. Now every permission is configurable through custom roles. There are three default roles:

● Administrator

● Standard User

● Analyst

The permissions for the default roles listed above are STATIC. They are uneditable for backwards compatibility. However, you can define NEW ROLES and all the permissions associated with each role. Additionally, users can belong to multiple roles and will have the SUM of the permissions of all the roles they belong to.

The permissions are broken into two categories and need to be assigned separately:

  1. Platform-wide Permissions

  2. Client-specific Permissions

Client-specific Permissions are granted at the CLIENT level!

Platform-wide Permissions

These include access to specific modules (WriteupsDB, Assessments, etc.), the Account Admin section, Platform settings, and user management. These permissions govern platform access and are assigned via the Role Based Access module in Account Admin. If a user is assigned multiple roles, the permissions from each role are added together and then given to the user.

Platform-wide Permissions are additive, not prohibitive!

Client-specific Permissions

These are the permissions governing use, access, modification, and so forth for Clients, Reports, and Findings. These permissions are specific to Clients and are assigned on a Client level via the Client -> User Access section of the Client Details (for more details, see Add User to Client). The Role assigned to a user at the Client level sets the Client, Report, and Finding permissions for that Client, its Reports, and each Report's Findings. These Client-specific permissions are separate from the Platform-wide Permissions. The picture below details most of these controls:

Default Group

The default group allows users to see all Clients in the platform and applies their Platform-wide Role and its permissions to each Client as the Client-specific permission set. However, the Client-specific permissions can still be changed at the Client level regardless of default group status. A user can have a completely different set of permissions for every single client to which they have been granted access.

Classification Tiers

These allow specific users to view and modify reports for a specific client based on the Report Classification Tier. For example, you might authorize the majority of users on a client to work the generic reports, but restrict a Report at a higher classification tier to specific users with the corresponding clearance. That way only those cleared users will be able to see and edit that report.

Classification tiers are fully customizable and can be edited in the Admin Dashboard. They are off by default, but if turned on, the lowest level of default classification with the least access is Tier 1 and the highest level with the most access is Tier 3.
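As an added illustration that is not PlexTrac's own code, the following Python models the rules described on this page: additive platform-wide permissions, client-level role assignments that override the default group fallback, and tier clearance where Tier 1 is the lowest level. The role names, permission strings and the `tier` attribute are assumptions made for the example.

```python
from dataclasses import dataclass, field

# Constructed model of the permission rules this page describes; it is not
# PlexTrac's own code, and the role and permission names are assumptions.

@dataclass(frozen=True)
class Role:
    name: str
    platform_perms: frozenset = frozenset()  # module / admin access
    client_perms: frozenset = frozenset()    # client, report and finding actions
    tier: int = 0                            # highest classification tier visible (0 = none)

@dataclass
class User:
    name: str
    roles: list                              # platform-wide roles, possibly several
    default_group: bool = False
    client_roles: dict = field(default_factory=dict)  # client -> Role set at the client level

def platform_perms(user):
    """Platform-wide permissions are additive: the union over every role."""
    return set().union(*(r.platform_perms for r in user.roles))

def client_role_set(user, client):
    """A client-level assignment wins; the default group falls back to the
    platform-wide roles; otherwise the user has no access to that client."""
    if client in user.client_roles:
        return [user.client_roles[client]]
    return list(user.roles) if user.default_group else []

def client_perms(user, client):
    """Client-specific permissions come only from the roles that apply to that client."""
    return set().union(*(r.client_perms for r in client_role_set(user, client)))

def can_view_report(user, client, report_tier, tiers_enabled=True):
    """A report at tier N needs clearance >= N (Tier 1 lowest, Tier 3 highest).
    With tiers off, any report the user may otherwise view is visible."""
    if "report.view" not in client_perms(user, client):
        return False
    if not tiers_enabled:
        return True
    clearance = max((r.tier for r in client_role_set(user, client)), default=0)
    return clearance >= report_tier

# Constructed sample data: two platform-wide roles plus a cleared client-level role.
ANALYST = Role("Analyst", frozenset({"assessments"}), frozenset({"report.view", "finding.edit"}), tier=1)
WRITER = Role("Writer", frozenset({"writeupsdb"}), frozenset({"report.view", "report.edit"}), tier=1)
CLEARED = Role("Cleared Reviewer", frozenset(), frozenset({"report.view"}), tier=3)

alice = User("alice", [ANALYST, WRITER], default_group=True, client_roles={"Acme": CLEARED})
bob = User("bob", [ANALYST])  # not in the default group, no client-level assignments
```

Note that Alice's Acme assignment removes `finding.edit` and `report.edit` for that client even though her platform roles grant them elsewhere, which is the per-client override the Default Group section describes.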