RBAC (Role-Based Access Control)
Overview
Centralize Management System menerapkan permission-based RBAC dengan check terhadap PostgreSQL database.
Permission Model
Structure
resource:action
Permissions
| Permission | Description |
|---|---|
logs:read | Read log data |
alerts:read | Read alerts |
alerts:write | Create/update alerts |
audit:read | Read audit logs |
audit:export | Export audit logs |
dashboard:read | Read dashboard data |
analytics:read | Read analytics |
tenants:manage | Manage tenants |
users:manage | Manage users |
roles:manage | Manage roles |
camel:read | Read Camel routes |
Roles
| Role | Permissions |
|---|---|
executive | dashboard:read, analytics:read |
it-ops | logs:read, dashboard:read, alerts:read |
network-infra | logs:read, dashboard:read |
security | alerts:read, alerts:write, audit:read |
compliance | audit:read, audit:export |
helpdesk | logs:read, alerts:read |
admin | Full access |
Database Schema
Permission Check Query
SELECT COUNT(*) > 0
FROM user_tenant_roles utr
JOIN role_permissions rp ON utr.role_id = rp.role_id
JOIN permissions p ON rp.permission_id = p.id
JOIN users u ON utr.user_id = u.id
WHERE u.username = $1
AND utr.tenant_id = (SELECT id FROM tenants WHERE slug = $2)
AND p.resource = $3
AND p.action = $4;
Route Permission Mapping
| Route | Permission |
|---|---|
GET /api/v1/logs/* | logs:read |
POST /api/v1/logs/list/paginate | logs:read |
GET /api/v1/alerts/* | alerts:read |
POST /api/v1/alerts/* | alerts:write |
GET /api/v1/log-audit/* | audit:read |
GET /api/v1/log-audit/export/* | audit:export |
GET /api/v1/dashboard/* | dashboard:read |
POST /api/tenants | tenants:manage |
POST /api/users | users:manage |
POST /api/roles | roles:manage |
Management API
Tenants
# List tenants
GET /api/tenants
# Create tenant
POST /api/tenants
{
"name": "BJB Syariah",
"slug": "bjb-syariah"
}
Users
# List users
GET /api/users
# Create user
POST /api/users
{
"username": "newuser",
"email": "newuser@bjbsyariah.co.id",
"password": "Password123!",
"tenant": "bjb-syariah"
}
Roles
# List roles
GET /api/roles
# Create role
POST /api/roles
{
"name": "custom-role",
"description": "Custom role"
}
Permissions
# List permissions
GET /api/permissions
Multi-Tenant Isolation
OpenSearch Aliases
// Create tenant-specific alias
filter := map[string]any{
"term": map[string]any{
"tenant_id.keyword": body.Slug,
},
}
_ = s.search.CreateAlias(r.Context(), "clm-"+body.Slug, "clm-v2-logs-*", filter)
Query Filtering
// Filter by tenant in queries
tenantSlug := tenantSlugFromContext(r.Context())
result, err := s.search.SearchLogs(r.Context(), indices, req, "@timestamp", tenantSlug)
Next Steps
- Keycloak - Authentication
- Audit Trail - Audit logging
- ISO Compliance - Compliance features