At Cerby, we have implemented roles to determine the tasks, functions, or activities each user can or cannot do on our platform.
These roles consist of sets of permissions that are part of a role-based access control (RBAC) system designed to maintain data security, streamline access management, enhance collaboration, comply with regulations, and ensure that sensitive information is protected.
The advantage of using role-based access management is that, after logging in to a Cerby workspace, users are automatically granted permissions depending on their role.
Cerby manages roles at a workspace and item level. Only administrators grant workspace-level roles, whereas any user can grant item-level roles when sharing their items.
This article describes how Cerby manages roles and the benefits of using the RBAC system in the following sections: Workspace-level roles, Item-level roles, and Benefits of RBAC.
Workspace-level roles
Workspace-level roles determine the features of the Cerby platform available to the users, their access privileges, and their responsibilities. The actions users can perform within a workspace according to their role can be categorized as workspace setup, workspace management, user management, security hygiene tasks, and item management. The following sections describe the actions for each category.
Workspace setup
Table 1 shows the specific actions users can perform to set up a workspace depending on their role.
| Action | Guest user | User | Admin | Super Admin | Owner |
|---|---|---|---|---|---|
| Perform the initial workspace setup from an invite. | | | | | Yes |
| Set up single sign-on (SSO) and user provisioning with their identity provider (IdP). | | | Yes* | Yes* | Yes |
| Access and edit the workspace configuration. | | | Yes | Yes | Yes |

* Read-only permissions

Table 1. Workspace setup actions
Workspace management
Table 2 shows the specific actions users can perform to manage a workspace depending on their role.
| Action | Guest user | User | Admin | Super Admin | Owner |
|---|---|---|---|---|---|
| View the following events within the workspace and for all users through the Activity view: | | | Yes | Yes | Yes |
| View the events for the items of which they are Owners through the Activity view. | | Yes | Yes | Yes | Yes |
| View the billable accounts through the Billing view. | | | Yes | Yes | Yes |
| View all automation notifications through the Automation view. | | | | | Yes |

Table 2. Workspace management actions
User management
Table 3 shows the specific actions users can perform to manage other users depending on their role.
| Action | Guest user | User | Admin | Super Admin | Owner |
|---|---|---|---|---|---|
| Assign the Cerby product available to users through the Teams view. | | | Yes | Yes | Yes |
| Assign or change the workspace role of other users. | | | Yes | Yes | Yes |
| Access the All Members view. | | Yes | Yes | Yes | Yes |
| View all users from their organization through the All Members view. | | | | Yes | Yes |
| Export a report of users and their accounts through the All Members view. | | | | Yes | Yes |
| View and add Guest users. | | Yes | Yes | Yes | Yes |
| Create a self-managed team. | | Yes | Yes | Yes | Yes |
| Delete any team. | | | | | Yes |
| Manage Team Members on all teams. | | | | Yes | Yes |
| Assign Team Admins for all teams. | | | Yes | Yes | Yes |
| View all teams and Team Members within a workspace. | | | Yes | Yes | Yes |
| View the teams to which they have been assigned and the Team Members. | Yes | Yes | Yes | Yes | Yes |
| Add a partner and establish a connection with a guest workspace. | | Yes | Yes | Yes | Yes |
| Approve a partner request in the host workspace. | | | Yes | Yes | Yes |
| Accept a partner request in the guest workspace. | | | Yes | Yes | Yes |
| Perform the following user management actions in local user workspaces: | | | Yes | Yes | Yes |
| Invite guest users to join Cerby through the All Members view or the Password Manager Importer. | | Yes | Yes | Yes | Yes |

Table 3. User management actions
Security hygiene tasks
Table 4 shows the specific security hygiene tasks users can perform depending on their role.
| Action | Guest user | User | Admin | Super Admin | Owner |
|---|---|---|---|---|---|
| Automate 2FA enrollment for all Cerby-managed accounts through the Policies view. | | | Yes | Yes | Yes |
| Automate password rotation for all Cerby-managed accounts through the Policies view. | | | Yes | Yes | Yes |

Table 4. Security hygiene tasks
NOTE: Currently, these actions are only available to Cerby Automate users.
Item management
Table 5 shows the specific actions users can perform to manage items depending on their role.
| Action | Guest user | User | Admin | Super Admin | Owner |
|---|---|---|---|---|---|
| Access the Cerby dashboard. | Yes | Yes | Yes | Yes | Yes |
| Transfer items to Cerby through the Password Manager Importer. | | Yes | Yes | Yes | Yes |
| Add an item to Cerby (account, secret, or collection). | | Yes | Yes | Yes | Yes |
| Share an item of which they are Owners and assign the item role to other users (read the Item-level roles section). | | Yes | Yes | Yes | Yes |
| Turn on All-Access Mode to view all accounts for recovery purposes. | | | | Yes | Yes |
| View all the items shared with all teams. | | | | Yes | Yes |

Table 5. Item management actions
Item-level roles
Item-level roles determine the actions users can perform on items, and they can be categorized according to the item type: accounts, secrets, and collections. The following sections describe the actions for each item type.
Accounts
Table 6 shows the actions users can perform on accounts depending on their role.
| Action | Collaborator | Owner |
|---|---|---|
| Log in to the accounts. | Yes | Yes |
| Manage shared access to accounts: | | Yes |
| Manage the account security by turning on 2FA or rotating passwords automatically from Cerby. | | Yes |
| See the account notes and custom fields. | Yes | Yes |
| See the account details. | Yes | Yes |
| See the password of an account. | | Yes |
| Copy the password of an account. | Yes | Yes |
| See the users and teams with shared access to an account. | | Yes |
| Delete accounts. | | Yes |

Table 6. Actions on accounts
Secrets
Table 7 shows the actions users can perform on secrets depending on their role.
| Action | Collaborator | Owner |
|---|---|---|
| View the content of a secret. | Yes | Yes |
| Edit the details of a secret (name, body, and attachments). | | Yes |
| View the users and teams with shared access to a secret. | | Yes |

Table 7. Actions on secrets
Collections
Table 8 shows the actions users can perform on collections depending on their role.
| Action | Collaborator | Owner |
|---|---|---|
| View the accounts and secrets within a collection. | Yes | Yes |
| View the collection details. | | Yes |
| Edit the collection details. | | Yes |
| View the users and teams with shared access to a collection. | | Yes |

Table 8. Actions on collections
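As an added example that is not Cerby's own code, the following Python encodes a subset of the workspace matrix (Tables 1 to 5), the account matrix (Table 6), the read-only SSO footnote, and the rule that sharing an item needs both a workspace role allowed to share and the item-level Owner role. The action labels are chosen here and are not Cerby identifiers.

```python
from enum import IntEnum

class WorkspaceRole(IntEnum):
    GUEST = 0
    USER = 1
    ADMIN = 2
    SUPER_ADMIN = 3
    OWNER = 4

class ItemRole(IntEnum):
    COLLABORATOR = 1
    OWNER = 2

# Every row in Tables 1-5 is contiguous from some minimum workspace role up to
# Owner, so one minimum role per action encodes a row. Action keys are assumed labels.
WORKSPACE_MIN_ROLE = {
    "initial_workspace_setup": WorkspaceRole.OWNER,        # Table 1
    "assign_workspace_role": WorkspaceRole.ADMIN,          # Table 3
    "export_members_report": WorkspaceRole.SUPER_ADMIN,    # Table 3
    "delete_any_team": WorkspaceRole.OWNER,                # Table 3
    "add_item": WorkspaceRole.USER,                        # Table 5
    "share_owned_item": WorkspaceRole.USER,                # Table 5
    "turn_on_all_access_mode": WorkspaceRole.SUPER_ADMIN,  # Table 5
}

# Table 6: a Collaborator may copy an account password but never reveal it.
COLLABORATOR_ACCOUNT_ACTIONS = {"log_in", "see_notes", "see_details", "copy_password"}
OWNER_ACCOUNT_ACTIONS = COLLABORATOR_ACCOUNT_ACTIONS | {
    "manage_shared_access", "manage_security", "see_password", "see_sharing", "delete"}

def workspace_allows(role: WorkspaceRole, action: str) -> bool:
    """Deny by default: an action missing from the matrix is granted to nobody."""
    minimum = WORKSPACE_MIN_ROLE.get(action)
    return minimum is not None and role >= minimum

def sso_access(role: WorkspaceRole) -> str:
    """Table 1 footnote: Admin and Super Admin get read-only SSO settings."""
    if role == WorkspaceRole.OWNER:
        return "write"
    return "read" if role >= WorkspaceRole.ADMIN else "none"

def account_allows(item_role: ItemRole, action: str) -> bool:
    allowed = OWNER_ACCOUNT_ACTIONS if item_role == ItemRole.OWNER else COLLABORATOR_ACCOUNT_ACTIONS
    return action in allowed

def can_share_item(ws_role: WorkspaceRole, item_role: ItemRole) -> bool:
    """Sharing needs both levels: a workspace role allowed to share (Table 5,
    so not Guest) and the item-level Owner role on that particular item."""
    return workspace_allows(ws_role, "share_owned_item") and item_role == ItemRole.OWNER
```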
Benefits of RBAC
The following are the benefits of using the RBAC system in Cerby:
Enhanced security: Access to sensitive data and features is restricted. Only users with specific roles can perform critical actions, reducing the risk of unauthorized access and data breaches.
Access control: Fine-grained control over what users can and cannot do. Administrators can assign roles and permissions according to each user's job responsibilities.
Compliance and auditing: Organizations can implement access controls and audit trails, which are essential for demonstrating data security and compliance with industry and legal standards.
Streamlined onboarding and offboarding: New employees can be quickly assigned the appropriate roles and permissions while departing employees can have their access revoked just as easily.
Efficient collaboration: Users have the necessary access to work together effectively. RBAC allows organizations to balance the need for collaboration with the need for data security.
Resource management: RBAC assists in optimizing resource allocation. It ensures that resources are used efficiently and that access to costly or limited resources is restricted to only those who require them.
Transparency: RBAC offers transparency in access control, making it clear who has access to what resources and why. This transparency can foster trust and accountability within an organization.