Skip to main content

RBAC (Role-Based Access Control)

Overview

Centralize Management System menerapkan permission-based RBAC dengan check terhadap PostgreSQL database.

Permission Model

Structure

resource:action

Permissions

PermissionDescription
logs:readRead log data
alerts:readRead alerts
alerts:writeCreate/update alerts
audit:readRead audit logs
audit:exportExport audit logs
dashboard:readRead dashboard data
analytics:readRead analytics
tenants:manageManage tenants
users:manageManage users
roles:manageManage roles
camel:readRead Camel routes

Roles

RolePermissions
executivedashboard:read, analytics:read
it-opslogs:read, dashboard:read, alerts:read
network-infralogs:read, dashboard:read
securityalerts:read, alerts:write, audit:read
complianceaudit:read, audit:export
helpdesklogs:read, alerts:read
adminFull access

Database Schema

Permission Check Query

SELECT COUNT(*) > 0
FROM user_tenant_roles utr
JOIN role_permissions rp ON utr.role_id = rp.role_id
JOIN permissions p ON rp.permission_id = p.id
JOIN users u ON utr.user_id = u.id
WHERE u.username = $1
AND utr.tenant_id = (SELECT id FROM tenants WHERE slug = $2)
AND p.resource = $3
AND p.action = $4;

Route Permission Mapping

RoutePermission
GET /api/v1/logs/*logs:read
POST /api/v1/logs/list/paginatelogs:read
GET /api/v1/alerts/*alerts:read
POST /api/v1/alerts/*alerts:write
GET /api/v1/log-audit/*audit:read
GET /api/v1/log-audit/export/*audit:export
GET /api/v1/dashboard/*dashboard:read
POST /api/tenantstenants:manage
POST /api/usersusers:manage
POST /api/rolesroles:manage

Management API

Tenants

# List tenants
GET /api/tenants

# Create tenant
POST /api/tenants
{
"name": "BJB Syariah",
"slug": "bjb-syariah"
}

Users

# List users
GET /api/users

# Create user
POST /api/users
{
"username": "newuser",
"email": "newuser@bjbsyariah.co.id",
"password": "Password123!",
"tenant": "bjb-syariah"
}

Roles

# List roles
GET /api/roles

# Create role
POST /api/roles
{
"name": "custom-role",
"description": "Custom role"
}

Permissions

# List permissions
GET /api/permissions

Multi-Tenant Isolation

OpenSearch Aliases

// Create tenant-specific alias
filter := map[string]any{
"term": map[string]any{
"tenant_id.keyword": body.Slug,
},
}
_ = s.search.CreateAlias(r.Context(), "clm-"+body.Slug, "clm-v2-logs-*", filter)

Query Filtering

// Filter by tenant in queries
tenantSlug := tenantSlugFromContext(r.Context())
result, err := s.search.SearchLogs(r.Context(), indices, req, "@timestamp", tenantSlug)

Next Steps