Authorizations in ADOC

Overview of RBAC and RBAM

What is Role-Based Access Control (RBAC)?

RBAC is a method of managing user permissions based on roles assigned within an organization. Each role has a predefined set of permissions that apply across the system.

What is Resource-Based Access Management (RBAM)?

RBAM builds on RBAC by introducing domains and resource groups, allowing enterprises to restrict access to specific assets, such as data sources, reports, policies, and dashboards.

RBAM allows administrators to:

  • Define logical zones (domains) that hold certain resources.
  • Assign users (via groups) to these domains.
  • Control not only what users may do but also which resources they can use.

RBAM: Extending RBAC Capabilities

RBAM is designed to complement RBAC by providing an additional layer of resource-specific control, The table highlights how RBAM enhances standard RBAC capabilities.

FeatureRBAC (Baseline)RBAM (Additional Layer)
Access ScopeSystem-wideResource-specific within domains
Resource VisibilityUsers see all system resources permitted by their rolesUsers only see resources explicitly assigned to domains
Granular ControlControls user actions in the system levelExtends control to resource visibility and domain-specific permissions
AdministrationCentralizedDelegated administration via domains and resource groups.
ComplianceProvides basic control suitable for general complianceStronger data segregation for regulations (GDPR, HIPAA, NIST)

Why Do Enterprises Need RBAM?

  • Enhanced Security – Restrict access to only necessary resources.
  • Granular Control – Assign permissions at domain/resource group level.
  • Regulatory Compliance – Supports strict data access regulations.
  • Improved Scalability – Manages access efficiently across multiple teams.

While RBAC assigns users to roles granting permissions that determine their access to application-wide features, RBAM roles provide a more granular control by granting permissions to access features on specific resources. Together, they ensure that users have appropriate access at both the application and resource levels, enhancing security and operational efficiency.

Understanding RBAC in ADOC

RBAC Roles, Permissions, and Hierarchy

RBAC ensures controlled access to ADOC features by assigning users to specific roles. Roles determine the level of access granted across the system.

RBAC Components in ADOC

  • Tenant Roles: Define access across the entire application.

    • System-Defined Roles: Predefined roles (e.g., Admin, Owner, Viewer).
    • User-Defined Roles: Custom roles created based on business needs.

Tenant Admin : Full platform access that bypasses RBAM domain scoping. Treat with the same caution as root in Linux; reserve for break‑glass scenarios.

RBAC Role-Permission Mapping

RoleAPI KeysUser ManagementData ObservabilityCompute
OwnerCreate, Modify, ViewFull accessFull accessFull access
AdminCreate, Modify, ViewFull accessLimited accessFull access
EditorLimited accessModify, ViewModify, View
ViewerView onlyView only

How to Configure RBAC Roles in ADOC

  1. Navigate to Settings → User Management → Tenant Roles.
  2. Select an existing role or click Create New Role.
  3. Define role permissions for various features (e.g., API Keys, Compute, Data Observability).
  4. Assign users or user groups to the role.
  5. Save and apply changes to ensure permissions take effect.

For more information, see User Management, Resource Groups and Domain Management.

Common Misconfigurations & Fixes

MisconfigurationIssueSolution
Assigning a role without necessary permissionsUser cannot access certain featuresReview required permissions and update role configuration
Overlapping permissions across multiple rolesUsers may have conflicting permissionsUse the Access Visualizer to visualize how RBAC and RBAM roles intersect.
Assigning RBAM domain roles without corresponding RBAC permissionsRBAM permissions do not workEnsure users have appropriate RBAC tenant roles before assigning RBAM roles

Introduction to RBAM in ADOC

Core RBAM Components

Domain:

A domain is a logical or virtual zone defined by the resources it contains. Domains typically align with functional areas within an enterprise, such as Sales, Marketing, or Operations. Domains are like "mini-tenants" where you can group specific assets and reports together.

Domains should be considered as a bridge between the functional area documented in the business requirements and the technical definition of the Resource Groups. For example, the domain may align to common data products or domains made available across an organization such as Customer or Product. It could also align to a business unit's data that is not to be shared across the organization such as Audit or Finance.

Each domain contains:

  • Resource Groups: Bundles of assets and reports specific to the domain.
  • Users and Groups: Individuals or teams who require access to the domain's resources.
  • Domain Administrators: Users with administrative rights within the domain.

Resource Groups

Resource Groups are collections or resources that can be assigned to a domain. They are of two types:

  • Asset Groups : Collection of assets like tables and data sources.
  • Report Groups : Collection of reports relevant to the domain.

Resource Groups serve as the basic building component for RBAM, acting as the link between the domain and the assets under management.

Keeping these clear and consistent is critical to creating a workable implementation. Unless otherwise required, consider connecting a Resource Group to a Data Source. This will provide a clear and logical connection between domains and the resources they guard.

However, there will be situations in which finer or coarser groupings are required or preferred. For example, if a data product is established to incorporate assets from multiple data sources, it may be simpler to define the Resource Group to include them.

Consider these broad rules of thumb:

  • Define resource groups with the coarsest grain feasible up to a data source.
  • Limit an asset to a single resource group wherever possible.
  • Record any departures from the design concepts.
  • Use the Access Visualizer to understand the outcomes of your design.

A domain without resource groups is effectively empty. Only after you add resource groups to a domain do the associated resources become visible to the users in that domain.

Tenant Roles vs. Domain Roles

  • Tenant Roles: System-wide roles that are not domain-specific (e.g., managing global features such as compute or user administration).
  • Domain Roles: Context-specific roles that apply within the boundaries of a single domain. Domain roles can only be assigned to user groups and must be associated with a particular domain.

A set of system-defined Domain Roles are provided. Review these in depth and only create new ones if absolutely necessary. Remember, these act in conjunction with the Tenant Roles which define platform level permissions. Domain Roles grant permissions to perform typical tasks on the assets, reports or domains assigned to a user.

User Groups

While user groups in the platform can be assigned both tenant roles and domain roles, consider creating separate groups for the assignment of RBAM permissions. Since the assignment of a domain to a User Group includes one set of domain roles, if a domain needs multiple permission levels create additional user groups and assign each the appropriate combination of Domain Roles.

A combinatorial expansion of User Groups might be required if RBAC and RBAM permissions are combined, hence the recommendation to keep them separate.

Previously, policy actions (view, create, modify, execute) were managed via tenant RBAC roles. From v4.2 onward, these permissions are managed using domain-level roles, providing better granularity.

Policy Permission Changes in v4.2

ActionOld PermissionsNew Permissions
View Policyview:assetview:policy + view:asset
Modify Policyview:assetmodify:policy + view:asset
Create Policyview:assetcreate:policy + view:asset
Execute Policyview:assetexecute:policy + view:asset

Note: Assets remain the anchor resource. All policy actions require view:asset.

Implementation Principles

When starting to design an RBAM implementation, it is useful to start with some guiding principles. These are intended to be starting points that promote consistency and simplicity.

The principles mentioned here should not be considered rigid rules. Deviation from the guidelines should be considered as long as they are justified and documented.

Business Requirements

Understanding and establishing the business requirement is an important starting point for any RBAM implementation plan. This would normally start with a high-level definition of the business area, the user population, and the data scope.

Example: The business area might be Supplier Information Management, the user population might span Vendor Management and individuals involved in procurement in other departments, and the scope of the data assets might be the databases and reports under management of that department. Once defined, a review of the access needed for sets of assets in that scope should be made with particular attention to assets that may need to be accessible or inaccessible to groups within the user population.

Least Privilege Model

The Least Privilege model is intended to deliver only the privileges to a user required to complete the users task. While this extends to both RBAC as well as RBAM, with respect to RBAM this means assigning users only the domains absolutely necessary with the appropriate Domain Roles.

This may lead to more complexity in designing Resource Groups, Domains and Domain roles but this should be balanced with the other Implementation Principles.

Minimize Number of RBAM Objects

RBAM introduces a number of new concepts such as Resource Groups, Domain Management, Access Visualizer and Domain Roles. The recommendation is to start with the minimum number of these objects to satisfy the business requirement.

While the urge may be to define Resource Groups very granularly from the start, this may lead to too much management overhead and complexity when defining the relationships between these objects. Instead, start with the coarsest grain possible to meet the requirements. Finer grained grouping can be added later to refine the model.

Example: If all users will have access (any access) to all or none of the objects in a data source, then align a Resource Group to a data source. If partial access is needed, then additional analysis is needed to decide how to align the Resource Group most efficiently. Unless required, try to keep an asset (data source, table, report, etc.) in a single Resource Group.

RBAM Workflow in ADOC

The following steps outline a common approach to implementing RBAM. However, depending on your organization’s structure or needs, the order may vary.

For example, some teams prefer to begin with defining Resource Groups before creating Domains, as this helps establish a clear understanding of what needs to be grouped and controlled.

  1. Create Domains – Define logical groupings of resources.
  2. Create Resource Groups – Associate assets with domains.
  3. Assign Users & Roles – Define user permissions within domains.
  4. Test & Audit – Verify proper access control implementation. Also see, Access Visualizer

Implementing RBAM: Step-by-Step Guide

Step 1 : Plan RBAM Implementation

  1. Define business units that require access control.
  2. Identify domains and resource groups based on organizational structure.
  3. Avoid role explosion by keeping roles structured and limited.

Step 2: Creating Domains

  1. Navigate to Settings → Domain Management → Domains.
  2. Click Create Domain, define name, description, and resource groups.
  3. Assign user groups with appropriate domain roles.

Step 3: Assigning Resource Groups

Best Practices:

  • Align group with data source
  • Avoid overlapping groups
  • Use naming conventions

Example:

  • Finance Domain > Finance ARG + Finance RRG
  • Marketing Domain > Marketing Reports Only

Step 4: Assigning Users & Permissions

Domain RolePermissions
Resource Viewerview:asset, view:policy
Resource Editormodify:asset, modify:policy
Resource Ownercreate:asset, create:policy
Domain ManagerAll domain permissions

All users must have required tenant roles for RBAM roles to take effect.

Step 5: Testing & Auditing

  • Use test accounts to verify access
  • Review access logs and use the Access Visualizer to visually inspect how users, groups, and roles are linked across domains and resources.
  • Periodically audit roles for cleanup

Best Practices for RBAC & RBAM (Across Industries)

IndustryBest Practices
Finance
  • Ensure SOX compliance (auditable roles)
  • Separate roles for data entry vs. approval
Healthcare
  • HIPAA-compliant data access
  • Emergency access with audit tracking
Government
  • Follow NIST 800-53 control families
  • Clear boundary between confidential and public domains
Tech / Cloud
  • Zero Trust model
  • Attribute-based + RBAM hybrid enforcement

Compliance & Security Considerations

Compliance StandardRBAM Contribution
GDPRData minimization via domain scoping
HIPAAPatient data isolation via domains
PCI-DSSRole-based visibility of payment resources
SOXTraceability in audit logs
NIST 800-53Granular access controls by domain

Frequently Asked Questions (FAQs)

Q1. Can a user belong to multiple domains?

Yes. Each domain assignment is independent.

Q2. What happens if a user has both RBAC and RBAM roles?

RBAM domain roles only work if the corresponding RBAC permissions (e.g., view:asset) are assigned.

Q3. Can one asset belong to multiple resource groups?

Technically yes, but this is discouraged due to management complexity.

Q4. What’s the RBAM migration strategy?

Tenant roles are preserved. Resources are moved into default domains, and access is reconfigured gradually.

Q5. Can RBAM policies be automated?

Partially. You can automate user and group provisioning via SCIM, and RBAM configurations like domains, resource groups, and role mappings can be managed via APIs. As of ADOC v4.2, policy-related permissions are now part of domain roles, enabling better granularity — but direct automation of policy-level access is limited and depends on domain-resource alignment.

Q6. What changed in ADOC v4.2?

Policies now respect domain roles for permissions instead of tenant roles. See New in ADOC 4.2 - RBAM for policies for more detail.

Q7. How can I quickly debug why a user can’t access a resource? Use the Access Visualizer to trace user-to-role mappings and domain-level permissions. It helps identify missing roles, misconfigurations, or visibility issues.

Additional Resources

Access Management Implementation Strategies

RBAM Access Management Implementation Strategies

Executive Summary

This white paper presents a practical guide for implementing Resource-Based Access Management (RBAM) using ADOC. It is grounded in real-world enterprise scenarios and draws on both strategic and tactical learnings. Whether you're responsible for data governance, IT architecture, or compliance, this guide will help you plan and implement a scalable, secure, and maintainable access management model across your organization.

The Challenge of Modern Access Control

In many organizations, departments and business units operate semi-independently while still needing to work within a shared analytics or observability platform. Managing access to sensitive data across these units without overprovisioning or creating bottlenecks is a persistent challenge.

Traditional RBAC models fall short when:

  • Access needs to vary across business lines
  • Reports or assets belong to multiple stakeholders
  • Compliance demands fine-grained visibility

RBAM addresses these problems by introducing domains and resource groups as core access units.

Scenario-Based Implementation: The Banking Enterprise Example

Let’s walk through an implementation scenario for a large financial institution with multiple business units:

  • Consumer & Commercial Banking (CCB)
  • Wealth Management (WM)
  • Investment Banking (IB)
  • Corporate Functions (Corp)

Each unit has different access needs to various data domains such as Clients, Accounts, Marketing, Investment, and Finance.

Access Requirement Matrix

Assume that the enterprise has defined the following data areas with these restrictions:

DomainCCBWMIBCorp
ClientsFull AccessFull AccessNo AccessFull Access
AccountsPartial Access (CCB assets only)Full Access (View-only for CCB assets)No AccessFull Access
MarketingFull AccessFull AccessNo AccessFull Access
Investment BankingNo AccessNo AccessFull AccessFull Access
Finance & AuditPartial Access (View-only for related CCB assets)Partial Access (View-only for related WM assets)Partial Access (View-only for related IB assets)Full Access

Data Sources Mapping

Further assume that the data areas map to the following data sources configured in ADOC

AreaData Source(s)Description
ClientsEnterprise_Clients_SourceSingle data source holding all client data across CCB and WM
Accounts

CCB_Account_Source

WM_Account_Source

Two separate data sources for CCB and WM accounts information
MarketingEnterprise_Marketing_SourceA single data source
Investment BankingIB_SourceA single data source dedicated for IB data.
Finance & AuditFinance_SourceSingle source with BU-specific data segregated by views

Step 1: Define Resource Groups

Resource Groups are logical collections of assets or reports. Below is how we structured them:

Note Asset Resource Groups are abbreviated with the suffixes ARG and Report Resource Groups are abbreviated with the suffixes RRG.

Resource GroupAssets IncludedAccessible By
Clients_ARGClient data fromEnterprise_Clients_SourceCCB, WM and Corp have access to all assets in the data source while IB has no access
Clients_RRGAll reports related to Enterprise_Clients_SourceCCB, WM and Corp have access to all reports related to the data source while IB has no access
Accounts_CCB_ARGAll assets in CCB_Account_SourceCCB, WM and Corp should have access to CCB account assets
Accounts_CCB_RRGAll reports related to CCB_Account_SourceCCB, WM and Corp should have access to reports related to CCB account assets
Accounts_WM_ARGAll assets in WM_Account_SourceWM and Corp should have access to WM account assets
Accounts_WM_RRGAll reports related to WM_Account_SourceWM and Corp should have access to reports related to WM account assets
Marketing_ARGAll assets in Enterprise_Marketing_SourceCCB, WM and Corp have access to all assets in the data source while IB has no access
Marketing_RRGAll reports related to Enterprise_Marketing_SourceCCB, WM and Corp have access to reports related to all assets in the data source while IB has no access
IB_ARGAll assets in IB_SourceIB and Corp should have access to IB assets
IB_RRGAll reports related to IB_SourceIB and Corp should have access to reports related to IB assets
FIN_ARGAll assets in Finance_SourceFinance should have access to all assets in Finance (this may include assets that are in FIN_CCB_ARG and FIN_WM_ARG)
FIN_RRGAll reports related to Finance_SourceFinance should have access to reports related to all assets in Finance
FIN_CCB_ARGCCB Views in Finance_SourceCCB should only have access to CCB Finance data
FIN_CCB_RRGReports related to CCB Views in Finance_SourceCCB should only have access to reports related to CCB Finance data
FIN_WM_ARGWM Views in Finance_SourceWM should only have access to WM Finance data
FIN_WM_RRGReports related to WM Views in Finance_SourceWM should only have access to reports related to WM Finance data

Step 2: Map Resource Groups to Domains

Each domain is a boundary for visibility and access.

Note Domain is abbreviated to DM

DomainIncludes Resource Groups
Clients_DMClients_ARG, Clients_RRG
Accounts_CCB_DMAccounts_CCB_ARG, Accounts_CCB_RRG
Accounts_WM_DMAccounts_WM_ARG, Accounts_WM_RRG
Marketing_DMMarketing_ARG,````Marketing_RRG``
IB_DMIB_ARG, IB_RRG
FIN_DMFIN_ARG, FIN_RRG
FIN_CCB_DMFIN_CCB_ARG, FIN_CCB_RRG
FIN_WM_DMFIN_WM_ARG, FIN_WM_RRG

As a starting point, keep Domain to Resource Group mapping as simple as possible until a more complex requirement appears.

Step 3: Define User Groups

User Groups are linked to specific domains via domain roles:

User GroupDomainDomain Role
Clients_View_UGClients_DMresource_viewer
Clients_Edit_UGClients_DMresource_editor
Clients_Own_UGClients_DMresource_owner
Clients_Man_UGClients_DMdomain_manager
Accounts_CCB_View_UGAccounts_CCB_DMresource_viewer
Accounts_CCB_Edit_UGAccounts_CCB_DMresource_editor
Accounts_CCB_Own_UGAccounts_CCB_DMresource_owner
Accounts_CCB_Man_UGAccounts_CCB_DMdomain_manager
Accounts_WM_View_UGAccounts_WM_DMresource_viewer
Accounts_WM_Edit_UGAccounts_WM_DMresource_editor
Accounts_WM_Own_UGAccounts_WM_DMresource_owner
Accounts_WM_Man_UGAccounts_WM_DMdomain_manager
Marketing_View_UGMarketing_DMresource_viewer
Marketing_Edit_UGMarketing_DMresource_editor
Marketing_Own_UGMarketing_DMresource_owner
Marketing_Man_UGMarketing_DMdomain_manager
IB_View_UGIB_DMresource_viewer
IB_Edit_UGIB_DMresource_editor
IB_Own_UGIB_DMresource_owner
IB_Man_UGIB_DMdomain_manager
FIN_View_UGFIN_DMresource_viewer
FIN_Edit_UGFIN_DMresource_editor
FIN_Own_UGFIN_DMresource_owner
FIN_Man_UGFIN_DMdomain_manager
FIN_CCB_View_UGFIN_CCB_DMresource_viewer
FIN_CCB_Edit_UGFIN_CCB_DMresource_editor
FIN_CCB_Own_UGFIN_CCB_DMresource_owner
FIN_CCB_Man_UGFIN_CCB_DMdomain_manager
FIN_WM_View_UGFIN_WM_DMresource_viewer
FIN_WM_Edit_UGFIN_WM_DMresource_editor
FIN_WM_Own_UGFIN_WM_DMresource_owner
FIN_WM_Man_UGFIN_WM_DMdomain_manager

Step 4: Assign Users

These are example user-to-group mappings:

UserAssigned GroupsNotes
John (CCB)Clients_View_UG, Accounts_CCB_View_UG, FIN_CCB_View_UGRead-only access
Priya (CCB)Clients_Edit_UG, Accounts_CCB_Edit_UG, FIN_CCB_View_UGEdit rights on some domains
Sara (WM)Clients_Edit_UG, Accounts_WM_Edit_UG, Marketing_Edit_UG, FIN_WM_View_UGBroad WM access. Users can modify on WM assets as well as on marketing.
Smith (Corp)Corp_All_Edit_UGEdit across all functional domains

Key Takeaways

  • Start Coarse, Refine Later : Keep resource groups broad initially to avoid management overhead.
  • Use Clear Naming : E.g., FIN_CCB_ARG, Marketing_Edit_UG help maintain traceability.
  • Separate RBAC & RBAM Groups : Maintain distinct user groups for RBAC and RBAM to reduce complexity and limit the number of combinations needed — since their permissions are designed to be independent.
  • Access Visualizer is Your Friend : Leverage the Access Visualizer to debug, validate, and communicate access configurations across users, domains, and roles. See, Access Visualizer
  • Balance Flexibility with Governance : Avoid excessive decentralization unless domain ownership is clearly defined and delegated. Keep governance in mind while scaling.

Final Words

Implementing RBAM the right way takes time and planning—but the payoff is tremendous. You will get cleaner audits, tighter controls, and a foundation ready for scale.

If you are unsure where to start, begin with the domains you already manage informally. Organize those into resource groups and domain roles. Iterate from there.

Type to search, ESC to discard
Type to search, ESC to discard
Type to search, ESC to discard
Type to search, ESC to discard
Type to search, ESC to discard
Type to search, ESC to discard