Illumio Core 22.2 Administration Guide

Access Configuration for PCE

Get an overview of role-based access control, review some typical use cases, review the prerequisites and limitations, and learn how to configure the PCE to control access.

Overview of Role-Based Access Control (RBAC)

Security-oriented companies should grant employees the permissions they need based on their role. Illumio Core uses role-based access control to deliver security at an enterprise scale in the following ways:

  • Assign your users the least required privilege they need to perform their jobs.

    Limit each user's access to the smallest set of operations they need to perform their job; for example, only monitoring for security events.

  • Implement separation of duties.

    Delegate the responsibility to manage a zone to a specific team or delegate authority to application teams; for example, delegate a team to manage security for the US-West Dev zone, or assign the DevOps team to set security policy for the HRM application they manage.

  • Grant access to users based on two dimensions: roles and scopes.

    Each role grants access to a set of capabilities in Illumio Core. Scopes define the workloads in your organization that users can access, and are based on labels. A common set of label types include Application, Environment, and Location, but you may define additional label types and values using Flexible Labels. The scopes specify the boundaries of the sphere of influence granted to a user.

    For example, a user can be added to the Ruleset Provisioner role with the scope Application CRM, Environment Staging, and Location US. With that access, the user could provision rulesets for workloads that are part of your CRM application in the Staging environment located in the US.

  • Centrally manage user authentication and authorization for Illumio Core.

    Configure single sign-on with your corporate Identity Provider (IdP) and designate which external IdP groups should have access roles. Group membership is managed by your IdP while resource authorization is configured in Illumio Core.

RBAC Use Cases

Illumio designed the RBAC feature around a set of use cases based on the way that enterprises manage the security of the computing assets in their environment. These use cases encompass common security workflows for the security-conscious enterprise. The personas include different levels of security professionals.

Support the Security Workflow

Customers can configure the RBAC feature to support any type of responsibility bifurcation that they have in their workflow models. For example, the following workflows are supported:

  • Architect-level professionals define all security policy for an enterprise by adding rulesets and rules in the PCE.

  • Junior-level professionals provision rulesets and rules to workloads during maintenance windows. Junior personnel cannot edit any policy items in the Illumio PCE.

  • Some users only view the infrastructure and alert senior team members when security issues occur.

Manage Security for Specific Workloads

When you combine Illumio Core RBAC roles with scopes, you can secure access for IT teams who support specific applications or different geographic locations. For example, customers could delegate authority for workloads in the following ways:

  • To manage security for workloads grouped in silos; for example, all workloads hosted by a particular cloud provider such as AWS.

  • To decentralize their security policy to specific application teams allowing them to act quickly when managing application security without waiting for the central security team.

  • To bifurcate the security of their infrastructure in such a way that one user is responsible only for the West coast assets and another user is responsible for the East coast assets.

RBAC Prerequisites and Limitations

  • You must be a member of the Global Organization Owner role to manage users, roles, and scopes in the PCE.

  • Configuring SSO for an Illumio supported IdP is required for using RBAC with external users and groups.

    If you have not configured SSO, you can still add external users and external groups to the PCE; however, these users will not be able to log into the PCE because they will not be able to reach the IdP or SAML server to authenticate.

  • Illumio resources that are not labeled are not access restricted and are accessible by all users.

  • External users who are designated by username and not an email address in your IdP will not receive an automatic invitation to access the PCE. You must send them the PCE URL so they can log in.

  • You cannot change the primary designation for users and groups in the PCE; specifically, the email address for a local user, the username or email address for an external user, or the contents of the External Group field for an external group. To change these values, you must delete the users or groups and re-add them to the PCE.

  • An App Owner who is in charge of the application in both production and development environments does not have permissions to write extra-scope rules between production and development.
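The following is an added example, not Illumio's code: a small Python model of the role-plus-scope checks this page describes, covering the Ruleset Provisioner scope example above, the rule that unlabeled resources are not scope-restricted, and the App Owner extra-scope limitation. The capability sets per role and the label values are constructed assumptions for illustration.

```python
# Added example (not Illumio's code): a model of the role + scope checks
# described on this page. Role capabilities are an illustrative assumption.
from dataclasses import dataclass

ROLE_CAPABILITIES = {  # assumed capability sets, for illustration only
    "Ruleset Provisioner": {"provision_ruleset"},
    "App Owner": {"write_rule", "provision_ruleset"},
    "Global Organization Owner": {"manage_users", "write_rule", "provision_ruleset"},
}


@dataclass(frozen=True)
class Grant:
    role: str
    scope: tuple  # ((label_type, value), ...); a scope is a conjunction of labels

    def covers(self, workload_labels: dict) -> bool:
        """Every label in the scope must match the workload's label of that
        type; label types absent from the scope are unrestricted."""
        return all(workload_labels.get(t) == v for t, v in self.scope)


def can(grants, capability, workload_labels):
    """Single-resource check. Unlabeled resources are not access restricted
    by scope (page), so for them only the role's capability is checked
    (that narrowing of "accessible by all users" is this model's assumption)."""
    for g in grants:
        if capability not in ROLE_CAPABILITIES[g.role]:
            continue
        if not workload_labels or g.covers(workload_labels):
            return True
    return False


def can_write_rule(grants, provider_labels, consumer_labels):
    """A rule is intra-scope only when one grant with write_rule covers both
    endpoints. A rule spanning two of the user's scopes (Production to
    Development) is extra-scope and denied, as the page states for App Owners."""
    return any("write_rule" in ROLE_CAPABILITIES[g.role]
               and g.covers(provider_labels) and g.covers(consumer_labels)
               for g in grants)


# Constructed sample grants mirroring the page's examples.
PROVISIONER = [Grant("Ruleset Provisioner",
                     (("Application", "CRM"), ("Environment", "Staging"), ("Location", "US")))]
HRM_OWNER = [Grant("App Owner", (("Application", "HRM"), ("Environment", "Production"))),
             Grant("App Owner", (("Application", "HRM"), ("Environment", "Development")))]
```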

Note

Local users are not locked out of their accounts when they fail to log in. After 5 consecutive failures, the PCE emails the user that their account might be compromised.

Locked users retain all their granted access to scopes in the PCE; however, they cannot log into the PCE.