# Role Based Access Control (RBAC)

Every organization and team typically has a well-defined role for each of its employees, and some people play more than one role. For example, a typical company may have roles such as administrators, managers, executives, marketers, sales, engineers, and support.

Modern companies assemble and dismantle small, short-lived agile teams to work on specific projects so that customer and market needs can be met quickly. Resources such as servers and databases are assigned to those short-lived teams when they are created and recovered from them when the teams are dismantled.

An employee may be part of multiple teams and projects and may play a different role in each of them. An engineer, for example, may play the following roles in different projects:

  • developer
  • tester
  • admin
  • project lead
  • customer support

# Roles and Logins

BastionXP supports Role Based Access Control (RBAC). The Roles and Logins feature of the BastionXP PKI/CA lets you define roles that match the roles in your team. It is simple, yet flexible, in how user roles and logins are defined.

Using the Roles feature, you define new roles. For each role, you define the login names needed to access the servers or compute resources that belong to your team.

For example, people whose role is admins usually log in to a server with the login name admin, root, ec2-admin or gcp-admin, or simply with their email ID. So the admins role would have its logins defined as: [admin, root, ec2-admin, gcp-admin]

In the BastionXP web portal's Roles section, add a new role (e.g. admins), add the corresponding server login names (e.g. admin, root, ec2-admin, gcp-admin) as its logins, and save the role. The new role is now defined.

(Screenshot: BastionXP Role Based Access Control)

Login names are added one at a time to the role being defined.


Next, apply the role to the users who perform that role in your team or organization. For example, user James ([email protected]) needs to be assigned the role admins. Go to the "Team" section and add a new user named James with the email ID [email protected]. If James already exists in your "Team" table, edit the user instead, select the role admins from the dropdown box to add it to him, and save.


Now, when James executes the bsh login --proxy bastionxp.example.com command to generate a short-lived SSH client certificate, the BastionXP gateway retrieves his assigned roles, finds the corresponding login names and uses them to create the new SSH client certificate. For example, an SSH client certificate generated for James will carry the following principals: [james, admin, root, ec2-admin, gcp-admin].

The generated SSH client certificate can be used to log in to any server or VM in your organization that trusts the BastionXP PKI/CA and has a local login user named james, admin, root, ec2-admin or gcp-admin. James cannot log in to a server as any other user with this certificate: the requested login name must appear in the certificate's principals.

```console
$ ssh-keygen -L -f ssh_user-cert.pub
ssh_user-cert.pub:
        Type: [email protected] user certificate
        Public key: RSA-CERT SHA256:7RwjelOCPQ9wuWzC8Qdus1F6lU0oLB6adE2xlJE7/D4
        Signing CA: RSA SHA256:qTBhxUpEk0ldS0uTJJJYNOKygEsfLM1d+u1wcVjCBqI (using rsa-sha2-512)
        Key ID: "[email protected]"
        Serial: 0
        Valid: from 2023-03-08T17:26:07 to 2023-03-09T01:26:07
        Principals:
                james
                admin
                root
                ec2-admin
                gcp-admin
        Critical Options: (none)
        Extensions:
                permit-X11-forwarding
                permit-agent-forwarding
                permit-port-forwarding
                permit-pty
                permit-user-rc
```
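The role-to-principal mapping and the "only these logins" check described above, as an added example that is not BastionXP code: the role table, the user names and the ssh-keygen listing are constructed, and `principals_for` models how a gateway would derive the principal list from a user's roles. `parse_cert_listing` reads the `ssh-keygen -L` format shown above and `may_login_as` tells you whether a given certificate lets someone log in under a given name right now.

```python
import re
from datetime import datetime

# Added example, not BastionXP code; role table, user and listing are constructed.
ROLES = {"admins": ["admin", "root", "ec2-admin", "gcp-admin"]}
FIELD = re.compile(r"([A-Z][\w ]*):\s*(.*)$")  # e.g. 'Key ID: "..."', 'Principals:'

def principals_for(username, assigned_roles, roles=ROLES):
    """User's own login first, then each assigned role's logins, de-duplicated."""
    out = [username]
    for login in (l for r in assigned_roles for l in roles.get(r, [])):
        if login not in out:
            out.append(login)
    return out

def parse_cert_listing(text):
    """Parse `ssh-keygen -L` output; indented entries belong to the field above."""
    cert = {"key_id": None, "valid_from": None, "valid_to": None,
            "principals": [], "extensions": []}
    section = None
    for line in text.splitlines():
        stripped, m = line.strip(), FIELD.match(line.strip())
        if m:
            section, value = m.group(1).lower().replace(" ", "_"), m.group(2)
            if section == "key_id":
                cert["key_id"] = value.strip('"')
            elif section == "valid":  # 'forever' leaves both bounds None
                v = re.match(r"from (\S+) to (\S+)", value)
                if v:
                    cert["valid_from"], cert["valid_to"] = map(datetime.fromisoformat, v.groups())
        elif stripped and section in ("principals", "extensions"):
            cert[section].append(stripped)
    return cert

def may_login_as(cert, login, now):
    """True only if `login` is a principal and `now` is inside the validity window."""
    start, end = cert["valid_from"], cert["valid_to"]
    return login in cert["principals"] and not (start and now < start) and not (end and now > end)

SAMPLE_LISTING = """\
        Key ID: "james@example.com"
        Valid: from 2023-03-08T17:26:07 to 2023-03-09T01:26:07
        Principals:
                james
                admin
                root
                ec2-admin
                gcp-admin
        Critical Options: (none)
"""
```

The server side still has to trust the CA and have a local account with that name; the check here only mirrors the principal and validity constraints the certificate itself imposes.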