App Owner RBAC Role
The App Owner RBAC (Role-Based Access Control) role hides information in the PCE that is not relevant to the user with that role. At the same time, the app owners can write effective rules to secure their apps and restrict visibility within the PCE to the permitted scopes for users.
RBAC previously restricted only the write permission for users while the read permission was unrestricted, and every user had visibility into PCE. The App Owner RBAC role also restricts the read permission to correspond to the user roles. It accelerates enterprise-wide expansion so that the customers who acquired Illumio for a single application can expand faster.
The introduction of the App Owner role solves these problems because it does the following:
Accelerates micro-segmentation deployment by allowing for scaling after an organization implements micro-segmentation with smaller applications.
Assures compliance with good security practices so that users cannot view the sensitive information they are not allowed to see.
Eliminates the complexity of building a custom portal. The App Owners can use Illumio REST APIs instead of the custom UIs created by customers.
App Owners are responsible for managing vulnerabilities in their applications for which the PCE owners can assign scoped roles.
App Owner Roles
Roles of Ruleset Managers, Ruleset Provisioners, and Workload Managers are assigned to users and user groups. They can be expanded to provide users with additional read/write permissions. All permissions are additive.
Ruleset Manager with Scoped Reads
This RBAC role requires written permission from the owner to change the policy. Users with this role can see only the content related to their location in the PCE instead of having full read-only access to all the PCE content.
The role now also supports scoped reads.
Ruleset Provisioner with Scoped Reads
This RBAC role can provision policy changes to workloads. Users with this role can see only the content related to their location in the PCE instead of having full read-only access to all the PCE content.
The role now also supports scoped reads.
Ruleset Viewer
This RBAC role has access to the PCE to manage one or multiple applications. Users with this role can get a view of their application and its dependencies, but they cannot see information about other applications.
Workload Manager with Scoped Reads
This RBAC role provides a control for managing workloads. Users with this role can see only the content related to their scope in the PCE instead of having full read-only access to all the PCE content.
The role now also supports scoped reads.