Adding Role-Based Access Control with Terraform#

Role-Based Access Control (RBAC) allows you to restrict access to Observe based on the assigned role in your organization. You can add users to groups with specific permissions that allow or deny actions within the Observe instance. For example, you may have users that you assign view-only privileges and allow them to view only certain Datasets within your Observe instance. For other users, you may assign a role to a user that provides access to Datasets and then perform activities within the Dataset, such as creating Dashboards or modeling the data using OPAL.

Built-In Group Permissions#

Each built-in group has permissions that allow the user to perform specific actions in Observe.

Reader
  • Create, modify, and visualize individual Worksheets
  • Query shared Worksheets, Dashboards, and Datasets
  • View Monitors

Writer
  • All Reader actions
  • Create and modify any or all Worksheets, Dashboards, Datasets, Monitors, Datastreams, and Ingest Tokens
  • Manage Acceleration Jobs using Acceleration Manager

Administrator
  • All Writer actions
  • Enable and disable users
  • Modify user roles and expiration periods

In Observe, you can assign users to these groups with Terraform, an open-source infrastructure-as-code tool. To learn more about using Terraform, visit their Web site. For additional information on using Terraform with Observe, see Working with Observe and Terraform.

Once you install Terraform, configure the provider, Observe, with the following attributes.

Figure 1 - Terraform attributes supported by Observe

Add the domain, observeinc.com, and your Observe customer ID in the customer field. Your customer ID precedes the domain name of your instance; for example, in 123456789012.observeinc.com, 123456789012 is your customer ID.

You also need the following Terraform for your Observe setup:

Note

Your user must have Administrator permissions in Observe to create or modify RBAC resources.

# provider.tf

provider "observe" {
  customer      = "123456789012"
  domain        = "observeinc.com"
  user_email    = "[email protected]"
  # Placeholder only: do not commit real credentials; supply them from a
  # secrets store or input variables instead.
  user_password = "secret"
}

# main.tf

terraform {
  required_providers {
    observe = {
      source  = "terraform.observeinc.com/observeinc/observe"
      version = "~> 0.11"
    }
  }
}

data "observe_workspace" "default" {
  name = "Default"
}

As a general rule, users can view the contents of any dataset. However, you can create a more specific rule that only allows a user to view a particular Dataset.

When you set permissions using RBAC, grant only the permissions required to perform a task. You do this by defining the actions taken on specific resources under specific conditions, also known as least-privilege permissions. You might start with broader permissions while you explore the permissions required for your workload or use case. As your use case matures, you can work to reduce the permissions that you grant to work toward least privilege.

Consider a permission flow similar to the following flow:

  • Determine all rules that might apply to this access request.

  • Determine the most specific scope within these rules.

  • Determine the most permissive permission granted within that scope.

RBAC Evaluation#

Observe evaluates RBAC rules for a request in a defined order. This means that some RBAC statements take precedence over others, based on the order in which they are matched. Within each evaluation step below, the most permissive role takes effect. For example, if two statements both target the same subject with the Viewer and Manager roles, the Manager role applies.

First, if a user is a member of the Administrator group, either directly or via an intermediate group, the request will be allowed.

Next, the system will look for RBAC statements that match the requested object, from most to least specific. The request will be evaluated against the first matching statement using the statement’s role. All subsequent matching statements (broader scopes) will be ignored.

  1. Object ID

  2. Folder

  3. Workspace

  4. Type (and optionally name)

  5. Owner

  6. All Objects (User)

  7. All Objects (Groups)

  8. All Objects (All Users)

Lastly, requests will match the built-in defaults if no user-defined statement is matched. Currently, this provides Lister access to all objects.

Using Terraform to Look Up Users and Groups#

Look Up Users#

To look up a user by email address or user ID, configure the following Terraform:

data "observe_user" "john_doe" {
  email = "[email protected]"
}

data "observe_user" "user_id" {
  id = "1234"
}

Replace the placeholder information with your user data.

Look Up RBAC Groups#

To look up an RBAC Group, configure the following Terraform:

data "observe_rbac_group" "reader" {
  name = "reader"
}

Managing RBAC Groups and Memberships#

Manage your groups and memberships using the following Terraform:

Create an Engineering Group#

resource "observe_rbac_group" "engineering" {
  name = "Engineering"
}

Add a User to the Engineering Group#

resource "observe_rbac_group_member" "johndoe_engineering" {
  group       = observe_rbac_group.engineering.oid
  description = "add John to engineering group"
  member {
    user = data.observe_user.john_doe.oid
  }
}

Add an Engineering Group to the Writer Group#

# Assumes a data "observe_rbac_group" "writer" lookup, configured like the
# "reader" lookup above with name = "writer".
resource "observe_rbac_group_member" "engineering_writers" {
  group       = data.observe_rbac_group.writer.oid
  description = "add engineering group to writer group"
  member {
    group = observe_rbac_group.engineering.oid
  }
}

Managing RBAC Statements Using Terraform#

To control access, use the observe_rbac_statement resource. Statements consist of the following components:

  • subject - the user or group the statement applies to. Specify one of user, group, or all.

  • object - the objects the statement applies to. Specify one of the following:

    • id

    • workspace

    • type

    • all

    You can optionally specify name or owner with type.

Note

Use id to target a specific object. Use workspace to target all objects within that workspace.

  • role - specify one of the following roles:

    • Manager - can manage the Observe roles.

    • Editor - can edit Datasets and manipulate data.

    • Viewer - can view Datasets but cannot perform other actions.

    • Lister - can view the requested objects and their details, including the configuration of the object, but cannot query payload data from the requested object.

Restricting Access to Sensitive Data#

# Create a sensitive readers group
resource "observe_rbac_group" "sensitive_readers" {
  name = "Sensitive Readers"
}

Look Up a Sensitive Dataset#

data "observe_dataset" "sensitive" {
  workspace = data.observe_workspace.default.oid
  name      = "Sensitive Dataset"
}

Lock Down Access to a Sensitive Dataset#

resource "observe_rbac_statement" "lock_sensitive_dataset" {
  subject { all = true }
  object { id = data.observe_dataset.sensitive.id }
  role = "Lister"
}

Allowing Members of the Sensitive Readers Group to View a Dataset#

resource "observe_rbac_statement" "lock_dataset_readers" {
  subject { group = observe_rbac_group.sensitive_readers.oid }
  object { id = data.observe_dataset.sensitive.id }
  role = "Viewer"
}

Allowing Specific Users to View a Dataset#

resource "observe_rbac_statement" "john_sensitive_dataset" {
  subject { user = data.observe_user.john_doe.oid }
  object { id = data.observe_dataset.sensitive.id }
  role = "Viewer"
}

Binding Users to the sensitive_readers Group#

resource "observe_rbac_group_member" "john_sensitive" {
  group = data.observe_rbac_group.sensitive_readers.oid
  member { user = data.observe_user.john_doe.oid }
}
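As an added worked example, not code from Observe or its Terraform provider, the following Python models the evaluation order described under RBAC Evaluation and applies it to the sensitive-dataset statements above, so you can check what role a given user ends up with before applying the Terraform. It goes one step beyond the page's statements by adding a workspace-scoped Editor statement to show scope precedence; all user, group and dataset names are constructed.

```python
# Constructed model of the documented evaluation order; not Observe's code. Names are made up.
ROLE_RANK = {"Lister": 0, "Viewer": 1, "Editor": 2, "Manager": 3}
SCOPES = ("id", "folder", "workspace", "type", "owner", "all_user", "all_group", "all_all")

def user_groups(user, members):
    # members maps group -> set of user/group names; walk nested groups too.
    found, todo = set(), [user]
    while todo:
        m = todo.pop()
        for group, contents in members.items():
            if m in contents and group not in found:
                found.add(group)
                todo.append(group)
    return found

def subject_matches(subject, user, groups):
    kind, name = subject
    return kind == "all" or (kind == "user" and name == user) or (kind == "group" and name in groups)

def scope_of(stmt, obj):
    # Scope at which the statement's object selector matches obj, or None.
    kind, value = stmt["object"]
    if kind == "all":
        return "all_" + stmt["subject"][0]          # all_user / all_group / all_all
    field = "oid" if kind == "id" else kind           # folder, workspace, type, owner
    return kind if obj.get(field) == value else None

def effective_role(user, obj, statements, members):
    groups = user_groups(user, members)
    if "Administrator" in groups:                     # step 1: admins are always allowed
        return "Administrator"
    best = {}                                         # step 2: most permissive role per scope
    for s in statements:
        if subject_matches(s["subject"], user, groups):
            scope = scope_of(s, obj)
            if scope and ROLE_RANK[s["role"]] > ROLE_RANK.get(best.get(scope), -1):
                best[scope] = s["role"]
    for scope in SCOPES:                              # most specific matching scope wins
        if scope in best:
            return best[scope]
    return "Lister"                                   # step 3: built-in default

# Sample mirroring the Terraform above, plus a workspace-wide Editor statement for Engineering.
MEMBERS = {"Sensitive Readers": {"john"}, "Engineering": {"john"}, "Administrator": {"ops-admins"}, "ops-admins": {"alice"}}
STATEMENTS = [
    {"subject": ("all", None), "object": ("id", "ds-sensitive"), "role": "Lister"},
    {"subject": ("group", "Sensitive Readers"), "object": ("id", "ds-sensitive"), "role": "Viewer"},
    {"subject": ("user", "john"), "object": ("id", "ds-sensitive"), "role": "Viewer"},
    {"subject": ("group", "Engineering"), "object": ("workspace", "ws-default"), "role": "Editor"},
]
SENSITIVE = {"oid": "ds-sensitive", "workspace": "ws-default", "type": "dataset", "owner": "alice"}
```

Running effective_role("john", SENSITIVE, STATEMENTS, MEMBERS) returns Viewer: the id-scoped statements win over the broader workspace Editor grant, and Viewer beats the all-users Lister statement within that scope.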