Back to Blog Landing

SaaS Privacy and Security: Role-based Access Control in the Cloud

Alona Katz August 6, 2020
With more than five years of multi-tenant SaaS operations, Aternity has implemented numerous cloud privacy and security features to protect our customers' data. Here's how we address role-based access control (RBAC) through data restriction.

As a product owner for the Aternity Digital Experience Management Platform, I hear a lot from customers around issues related to cloud privacy and security. After more than five years of multi-tenant SaaS operation, Aternity has addressed many of these, including role-based access control in the cloud. Here’s an overview of role-based access control, and how Aternity provides it through data restriction to our hundreds of SaaS customers with millions of endpoints under management.

The requirements for role-based access control in the cloud

Role-based access control (RBAC) limits access to data stored in the cloud based on the roles of particular users within a company. RBAC provides employees with access rights only to the information they need to do their jobs and prevents them from accessing information that doesn’t pertain to them.

From a digital experience management perspective, organizations are concerned or prohibited from having their employees’ device data accessible to all employees due to government or industry regulations. For instance, some U.S companies will not allow their own European employees to see performance and health data from employee devices located in the U.S. Regulations are different from one country to another and sometimes between states and organizations. Because of this, we’ve implemented a versatile RBAC solution in Aternity SaaS through data restriction.

Use cases for role-based access control

RBAC enables users to see only the data they are allowed to see. It also helps them to view only the data that is relevant to their jobs. For SaaS-delivered digital experience management platforms like Aternity, the challenge is to keep devices and user data secure while still enabling it to be organized by several attributes for flexibility. We address this challenge through data restriction.

A real world example for data restriction can be found in IT Service Desk scenarios. For cloud security, IT can implement geography-based data separation so that local IT Service Desk engineers can see employee device and user experience data only for local users. For efficiency, they need to be able to view and troubleshoot only the devices that are relevant to them. Once RBAC is implemented via data restriction, they can search and troubleshoot only the population of devices from their location, which adheres to security policies, makes their work easier, and shortens their response time.

In the banking industry, employees’ devices are frequently divided by country for security reasons. Some countries will allow only specially approved personnel to view the data on employee’ devices, even for troubleshooting user issues.

Further data restriction can be done within the Service Desk and employee base. For example, data can be restricted to make sure that low-level employees will not have access to sensitive data, like the CEO’s device and user information, unless they need it to do their job.

Aternity’s approach to cloud security

There are many ways to secure access to user and device data. Some applications separate data only by residency. Some encrypt all personal data. But these methods will not always answer every organization’s requirements.

Aternity provides different ways to secure your data:

  1. Data restriction by devices’ attribute (such as department or hostname prefix)
  2. Personally Identifiable Information (PII) encryption of personal data to the entire organization and which allows only users with the right permissions to see decrypted data.
  3. Network restriction restricting access the application for all users who do not belong to defined list of subnets.

Role-based access in the cloud through data restriction

Aternity enables role-based access control via data restriction by tagging certain users or a group of users and defining what data they can view. When adding or editing users or groups in Aternity, the Aternity administrator can choose what data restriction value to assign to each user or group of users. This way you can separate users’ data by country, region, or any other attributes to comply with data privacy regulations.

role-based access control in the cloud, RBAC, SaaS privacy, SaaS Security
The Aternity administrator can set up role-based access control for individual Aternity users as they are added.

 

As a user with the data restriction tag you will see only devices’ data you are allowed to see according to the data restriction filter.

When using Aternity’s search bar, restricted users see in the search results only the user or devices which they have permission to see.

When viewing Aternity’s dashboards, restricted users see only the users or devices they have permission to see.

Restricted users will have access only to:

  1. Dashboards related to a single device or user, such as User Experience, Troubleshoot Device, IT Service Desk and simple analyze.
  2. Enterprise Summary Dashboard.
  3. Shared Dashboards: view the shared dashboards, which will be automatically filtered and show the allowed data only. Advanced dashboards, when shared, are available for viewing only.

Restricted users will have no access to data via REST API.

Restricted users will have no access to administration tasks.

One common example is to set data restriction by location. For example, a user is allowed to view only devices’ from Los Angeles and Miami:

role-based access control in the cloud, RBAC, SaaS privacy, SaaS Security
Setting data restriction by geography limits the user’s access to devices only in those geographies.

Once RBAC is set, restricted users see a limited dashboard menu with only the dashboards that contain the Aternity data they are allowed to see.

role-based access control in the cloud, RBAC, SaaS privacy, SaaS Security
Once RBAC is set, restricted users see a limited dashboard menu with only the dashboards that contain the Aternity data they are allowed to see.

 

When restricted users click on a dashboard, the dashboard contains user experience and device data only from the geographies they are allowed to see.

When restricted users click on a dashboard, the dashboard contains user experience and device data only from the geographies they are allowed to see.

Stay tuned for more on Aternity SaaS cloud security and privacy capabilities

This is just the first in a series of blogs on Aternity’s cloud security and privacy capabilities. Contact us to hear more about Aternity role-based access control and security configuration options, or learn more by visiting our Trust Center.

Aternity Free TrialIf you’re not yet an Aternity customer, you can explore how we help you address the IT challenges of a remote workforce. You can get started today by registering for a free trial of Aternity running in your environment. You’ll see how your organization compares to the market with the benchmarking insights from millions of end points monitored in via Aternity SaaS. You’ll see how your Service Desk can drive down costs and improve service with AI-driven automated remediation. And you’ll get a view of employee experience for every app running in your environment – even SaaS and Shadow IT.

You may also like

Gartner Digital Experience Monitoring, Remote Work, Work from Home
What Gartner Says about Using Digital Experience Monitoring and Work-From-Home Employee Experience

Gartner recently published a report titled “Use DEM to Understand and Enhance Your Employees’ Work-From-Home Experience.” The  Gartner Digital Experience

Read More
ServiceProviderBlog
Benchmarking Employee Experience with the Aternity Digital Experience Management Quadrant

With the shift to remote work, companies are highly focused on improving employee experience to maintain business continuity and productivity.

Read More
NSA-reported vulnerability, security, Windows CryptoAPI
NSA-reported Vulnerability – Double Check your Windows Device Inventory

By now, you’ve probably heard of last week’s NSA-reported vulnerability affecting hundreds of millions of Microsoft Windows 10 devices. The

Read More