Skip to main content

Home

RBAC roles

RBAC lets admins restrict the pages a specific end-user can view and how those pages are populated. Application tagging is intertwined with RBAC. While it is possible to use RBAC without defining applications tags, its usefulness is limited. See What is tagging? if you are not familiar with the concept of tagging and how to generate tags for Unravel to use.

The end-user's access is restricted based upon three factors
  1. Tags for the end-user

    You can create tags for

    End-users are then associated with the tags via LDAP or SAML. See com.unraveldata.login.mode.

    When RBAC is turned on an end-user's view is filtered based upon their tags. For instance, if a user only has the defined tag dept:marketing they can only see applications tagged with dept:marketing.

  2. Unravel default tag

    com.unraveldata.rbac.default is always used to filter the end-user's view. It is set to Username by default.

  3. Mode

    com.unraveldata.ngui.user.mode

    extended a user can access

    restricted a user can only access Application > Applications

What the end-user sees when RBAC is turned on

The available pages (as defined by com.unraveldata.ngui.user.mode) display applications contained in

(filtered end-user tags) (filtered by com.unraveldata.rbac.default)

Note

If com.unraveldata.rbac.default is not set and an end-user has no tags, the viewable pages are unpopulated (blank).

How to exempt an end-user from RBAC

To exempt an end-user from RBAC, you must make them a read-only admin.