RBAC: Roles

JavaScript is not currently enabled, but is required for full CodeSonar manual search and browse functionality.

If you are viewing this file in your hub's Web GUI, enable JavaScript in your browser: you will also need it for GUI functionality.

If you opened this file directly from disk, your browser may be directly suppressing JavaScript functionality: certain browsers perform this suppression on local files (but not files delivered by web servers) for security reasons.

If you access the manual through the hub's Web GUI, the functionality will not be suppressed because the hub is a web server.
Alternatively, your browser may allow you to explicitly disable the security setting that suppresses functionality. See the CodeSonar FAQ for more information.

CodeSonar^® 9.0p0 Hot Tips

CONFIDENTIAL

CodeSecure Inc

RBAC: Roles

Under role-based access control (RBAC), each user is assigned one or more roles, each of which holds some number of role-permissions. The set of permissions that apply to a user is then the set of all permissions held by at least one of the user's roles.

Roles are securable resources.

This page describes the use of roles in CodeSonar, including the special built-in roles.

Role Inheritance
Default Role
Built-in Roles
Role Properties
Roles as Securable Resources
Modifying Roles

Under role-based access control (RBAC), each user is assigned one or more roles, each of which holds some number of role-permissions. The set of permissions that apply to a user is then the set of all permissions held by at least one of the user's roles.

A role corresponds to the notion of a type of user, and captures the intuition that users of the same type will have the same degree of access to CodeSonar information and functionality. In general, the number of roles on a hub will be much lower than the number of users.

When you start a new hub, it will be set up with four built-in roles. You can modify these roles to various extents; you can also define as many new roles as you wish.

Role Inheritance

Each role can have any number of parent roles (including zero), and can be the parent of any number of other roles (including zero). A role may be directly assigned any number of role-permissions, and will also inherit the role-permissions of all its parents.

The remainder of this subsection uses an illustrated example to describe role inheritance in detail.

The following diagram shows one way that a set of roles {A, B, C, D, E, F, G} might be interrelated. Note in particular that there is no requirement that the roles all belong to a single overall hierarchy.

diagram showing direct role relationships: A is a parent of B, B and C are parents of D, E is parent of F, G is a singleton

For the remainder of this discussion, we will concentrate on the example role hierarchy that contains roles {A, B, C, D}.

We say that:

A is a parent of B; B and C are parents of D.
A is an ancestor of B; A, B, and C are ancestors of D.
(Conversely: B is a descendant of A; D is a descendant of A, B, and C.)
A is an indirect ancestor of D.

The Role Ancestors page shows a role's parent roles and its indirect ancestor roles.

diagram showing direct and indirect role relationships: A is a parent of B, B and C are parents of D, A is an indirect ancestor of D

We say that a user who is directly assigned a role R is indirectly assigned all the roles that are ancestors of R.

We introduce two users to the example.

User U is directly assigned role C. Since C has no ancestor roles, this does not entail any indirect role assignments.
User V is directly assigned roles C and D, and is therefore indirectly assigned roles A, B, and C since these are the ancestors of D. User V is therefore assigned role C both directly and indirectly: this has no functional significance from the user's point of view, but does mean that an administrator who subsequently wishes to remove C from this user must take care to address both the direct and the indirect relationship.

The User Roles and Role Users pages show the user/role mapping from different perspectives. User Roles shows a user's directly and indirectly assigned roles; Role Users shows the directly and indirectly assigned users for a particular role.

diagram showing user-role relationships. Given same {A,B,C,D} hierarchy as previously: user U is directly assigned role C, user V is directly assigned roles C and D (and therefore is indirectly assigned roles A, B, and C).

We introduce three resource-permissions to the example: Q-1 (denoting permission 1 on resource Q), R-2, and S-3. To avoid cluttering the example with resource-inheritance relationships, we stipulate that all three involve resources of independent type, so can only be directly assigned or role-inherited.

Role A is directly assigned resource-permission Q-1.
Role A has no parent roles, so has no role-inherited role-permissions.
Role B is directly assigned resource-permissions Q-1 and R-2. It also inherits Q-1 from its parent role A.
Role C has neither direct nor indirect permissions.
Role D is directly assigned resource-permission S-3. It also inherits Q-1 and R-2 from its parent role B.

The Global Role-Permissions page and Resource Role Permissions pages show both direct and and indirect permissions for each role.

diagram showing role-permission relationships. Given same {A,B,C,D} hierarchy as previously: roles A and B are directly assigned resource-permission Q-1; B is directly assigned R-2; D is directly assigned S-3. B is therefore indirectly assigned Q-1; D is indirectly assigned R-2 and Q-1

The full picture is therefore as follows.

User U has no permissions.
User V has resource-permissions Q-1, R-2, and S-3. Of these, S-3 is a direct resource-permission and the other two are role-inherited.

diagram showing user-role-permission relationships as a combination of the previous two diagrams.

Default Role

One of the assigned roles for each user is designated the default role for that user. A user's default role is used to establish the initial role-permission assignments for new independent resources created by that user.

Enabled cannot be the default role for any user.
If a user's default role is removed from their set of assigned roles, their default role is set to Anyone.
If a user's default role is deleted from hub, their default role is set to Anyone.

To set the default role...

...for your own hub user account, use the Account tab of a Settings page.
...for another hub user account, use the Account Settings tab of the Account Editor for that account. (Requires G_ADMINISTER_USERS permission.)

Built-In Roles

CodeSonar ships with five roles: Administrator, Manager, Anyone, Enabled, and User. Of these, Administrator, Anyone, and Enabled have special protections: they cannot be deleted or renamed.

Each of these roles is assigned a set of default role-permissions when a new hub is created. These assignments can be adjusted subsequently, except that the immutable role-permissions for each role cannot be removed.

Administrator	Provides full access to hub administration functionality and to all analysis results. Most of the default permissions for the Administrator role are immutable. Special user Administrator always has the Administrator role.
Manager	Provides access to some hub administration functionality, but is not as powerful as Administrator. Most of the default permissions for the Manager role are mutable. By default, no user has the Manager role.
Anyone	By default, provides almost no permissions. The default permissions for the Anyone role are mutable. All users always have the Anyone role, including special user Anonymous.
Enabled	Grants the ability to sign in. G_SIGN_IN is the only default permission for the Enabled role, and it is immutable. The Enabled role cannot be assigned any parent roles. You can use the Enabled role to manage user activation and deactivation. You can always activate a user by assigning the Enabled role to that user. (If you have added further permissions to the Enabled role, those permissions will also apply.) If you avoid assigning G_SIGN_IN permission to any other role, you will always be able to deactivate a user by simply removing the Enabled role from that user. (If you have assigned G_SIGN_IN permission to other roles, you will need to remove all such roles from any user you want to deactivate.) For maximum simplicity in enabling and disabling users, we recommend that you do not modify the Enabled role, and that you do not assign G_SIGN_IN permission to any other role.
User	By default, provides read and write access to analysis information and a subset of hub administration information; grants the ability to create a new account. All default permissions for the User role are mutable.

Role Properties

Roles have the following properties.

Role Name	A short descriptive name for the role. Can be modified from the Role Ancestors and Role Users pages (if permitted for the role).
Role Description	A user-specified string containing a description of the role. Can be modified from the Role Ancestors and Role Users pages.
Role ID	A unique numeric identifier for the role. Cannot be modified.

Roles as Securable Resources

Roles are securable resources, with access controlled by the ROLE_* permissions. It is therefore possible to grant permission to edit role-permission and user assignments for individual roles, without needing to assign the G_ADMINISTER_USERS permission.

For example, suppose a hub has a project called ProjectA, with a role called ProjA that provides access to ProjectA and is assigned to all users who are working on that project. To delegate assignment/unassignment of the ProjA role to someone who does not have the special Administrator role, an administrator might create a new role called ProjAManager and assign it permission ROLE_ASSIGN for ProjA. When a new user starts working on ProjectA, anyone with the ProjAManager role can assign them the ProjA role without needing to go through a hub administrator. Similarly, if a user stops working on Project A, anyone with the ProjAManager role can remove ProjA from the user's set of assigned roles.

Modifying Roles

CodeSonar provides the following operations on roles.

Operation	Links
Add a new role.	GUI Reference: Roles Task: Grant Select Users Access to a Project
Delete a role.	GUI Reference: Roles GUI Reference: Role Users GUI Reference: Role Ancestors
Change a user's default role.	GUI Reference: Account Editor
Change a user's role set [*]	GUI Reference: User Roles Task: Modify a User's Roles Authentication plug-ins can be configured to update a user's role set each time they sign in: The LDAP plug-in provides the option to specify mappings from LDAP group DN to CodeSonar role. The SSO SAML plug-in provides the option to specify user roles in the POST request sent by your identity provider. The OIDC plug-in can be configured to use a specified OIDC claim as a source of user role information. You can specify role updates for a custom plug-in through the return values of the get_user(), get_user_from_cert(), and get_user_from_request() functions.
Change a role's user set [*]	GUI Reference: Role Users Task: Grant Select Users Access to a Project
View role information; edit its name and description.	GUI Reference: Role Users GUI Reference: Role Ancestors Task: Grant Select Users Access to a Project
Adjust a role's parent set.	GUI Reference: Role Ancestors
Adjust a role's permission set.	GUI Reference: Global Role-Permissions GUI Reference: Resource Role-Permissions Task: Grant Select Users Access to a Project Task: Modify a Role's Permissions

[*] "Changing a user's role set" and "changing a role's user set" represent two perspectives on the same underlying operation: changing the mapping between users and roles. Similarly, the Role Users and User Roles page types provide dual views of that mapping. You can use either page type to change user/role assignments: in general, choose Role Users if you are focused on a particular role and User Roles if you are focused on a particular user.