Roles example

To better understand how roles, users, and priorities fit together, here is an example scenario.

Below is a table of users and their group assignments. Some users are not members of any group, some are members of a single group, and others are members of multiple groups. In this example the users come from a SAML domain that has been configured. When members of that SAML domain connect to Redtrust, Redtrust makes those users, and any group memberships passed in the SAML assertion, available for assignment to roles.

tip

Users only require a role to access the admin console. End users can log in to the agents and use certificates defined in policies without any role assignment.

User      Group membership
User A    None
User B    Group-1
User C    Group-1
User D    Group-1 & Group-2
User E    Group-2

In this example, Redtrust has been configured with the following roles:

  • Administrator

  • Event viewer

  • Certificate manager

  • Development manager

Now that users are available and roles have been created, you can assign those users to the roles, with example priorities. This scenario has been made deliberately complex to illustrate how direct user assignments, group assignments, and priority levels interact. In real-world usage, role assignments are usually far simpler. Consider the following scenario:

Role                   Priority   User/Group assignment
Administrator          1          User A, User B
Event Viewer           0          Group-1
Certificate manager    1          Group-2
Development manager    1          Group-2

The following explains which role each user was assigned in the above scenario, and why.

  • User A: Administrator. User A has no other assignments. They are assigned directly to the Administrator role, which is therefore their valid role assignment.

  • User B: Administrator. User B is a member of Group-1, but because they are directly assigned to the Administrator role, that direct assignment is their valid role assignment. This is true even though the Event Viewer role has a higher priority (0 is the highest possible priority).

  • User C: Event Viewer. User C is a member of Group-1 and has no other potential assignments, so their role is Event Viewer.

  • User D: Event Viewer. User D is a member of both Group-1 and Group-2, but the Event Viewer role (assigned to Group-1) has the higher priority, so User D is assigned Event Viewer. To assign User D to the Certificate manager role instead, change the priority of the Event Viewer role to 2 or higher.

  • User E: N/A. The Certificate manager and Development manager roles are both assigned to Group-2 with the same priority, so this role assignment is not applied consistently. To assign User E to the Development manager role, assign the role directly to the user instead of through the group.
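The resolution rules the scenario illustrates (direct assignment beats group assignment regardless of priority; among group assignments the lowest priority number wins; equal priorities are ambiguous), written out as an added example. This is illustrative code, not Redtrust's implementation; the data mirrors the tables above, and the handling of a tie between two direct assignments is an assumption the page does not cover.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample data mirroring the scenario tables above.
USER_GROUPS = {
    "User A": set(),
    "User B": {"Group-1"},
    "User C": {"Group-1"},
    "User D": {"Group-1", "Group-2"},
    "User E": {"Group-2"},
}

@dataclass
class Role:
    name: str
    priority: int  # 0 is the highest priority
    users: set = field(default_factory=set)
    groups: set = field(default_factory=set)

ROLES = [
    Role("Administrator", 1, users={"User A", "User B"}),
    Role("Event Viewer", 0, groups={"Group-1"}),
    Role("Certificate manager", 1, groups={"Group-2"}),
    Role("Development manager", 1, groups={"Group-2"}),
]

def _pick(candidates: list) -> Optional[str]:
    """Lowest priority number wins; a tie is ambiguous and yields None."""
    if not candidates:
        return None
    best = min(r.priority for r in candidates)
    winners = [r for r in candidates if r.priority == best]
    return winners[0].name if len(winners) == 1 else None

def resolve_role(user: str, groups: set, roles: list) -> Optional[str]:
    """Effective admin-console role for `user`, or None if there is none.
    A direct user assignment wins over any group-based one regardless of
    priority; group-based candidates are ranked by priority number, and
    equal priorities are not applied consistently (assumption: a tie among
    direct assignments is treated the same way)."""
    direct = [r for r in roles if user in r.users]
    if direct:
        return _pick(direct)
    return _pick([r for r in roles if r.groups & groups])

def resolve_all(user_groups=USER_GROUPS, roles=ROLES) -> dict:
    """Map every user to their resolved role (None where ambiguous or absent)."""
    return {u: resolve_role(u, g, roles) for u, g in user_groups.items()}
```

Raising the Event Viewer priority number to 2 makes User D's remaining candidates the two Group-2 roles, which tie at priority 1, so the check above reports None for that case just as it does for User E.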