
What is a Role?

Unlock the power of secure, role-based access control in Nodinite. This page explains what a Role is and how it provides flexible authorization for both Windows authentication and OIDC/OAuth 2.0 modes.

✅ Centralized, role-based access control for all Nodinite features
✅ Support for both Windows and cloud-based authentication
✅ Full audit trail for sensitive operations
✅ Flexible assignment of permission sets for Log Views, Monitor Views, and Repository Model

On this page you will learn how to enable Role-Based Access Control (RBAC) and what a Role is in Nodinite.

Get started now: Add or Manage Role user guide.

A Nodinite Administrator creates user-defined Roles in Nodinite. These Roles enforce different security policies for end-users. All user actions that involve potentially sensitive operations are Log Audited.

Authorization Models

Nodinite v7 supports two authorization models depending on your authentication mode:

Windows Authentication Mode

Roles are assigned to:

OIDC/OAuth 2.0 Mode

Roles are assigned to:

Users gain access when their Claims from the identity provider match the Policy requirements.

graph TD
    subgraph "fal:fa-user-crown Administrators (built-in)"
        ro1(fal:fa-hard-drive Log Views)
        ro2(fal:fa-display Monitor Views)
        ro3(fal:fa-sitemap Repository)
        ro0(fal:fa-gears Administration)
    end
    subgraph "fal:fa-user-tie Economy"
        ro4(fal:fa-hard-drive Log Views)
        ro6(fal:fa-sitemap Repository)
    end
    subgraph "fal:fa-user Service Owner"
        ro7(fal:fa-sitemap Repository)
    end

Above is an example of different Roles, each with unique access rights.

Role Characteristics

All Roles in Nodinite, regardless of authentication mode:

  • Members of the Administrators role are Nodinite Administrators

    The built-in role named Administrators cannot be renamed or deleted. Review the Access Management user guide for additional details.

  • You must be a member of the Administrators role to manage Roles
  • End-users with appropriate rights can create and manage any number of Roles
  • The Administrator assigns a permission set for the following Nodinite entities:

    Even the Nodinite Administrator must have the proper permission sets assigned to interact with these entities!

Windows Authentication Mode

When using Windows authentication:

  • Windows Active Directory Users can be members of a Role
  • Windows Active Directory Groups can be members of a Role
  • Direct assignment of Users and Groups to Roles

Example of a Role with Windows Users and AD Groups assigned.

OIDC/OAuth 2.0 Mode

When using OIDC/OAuth 2.0 authentication:

  • Policies (groups of Claims) are assigned to Roles
  • Users authenticate through their identity provider (Azure AD, Okta, etc.)
  • User Claims are matched against Policy requirements
  • Access is granted when user Claims match the Policies assigned to the Role

Example of a Role with Policies assigned in OIDC/OAuth 2.0 mode.

As defined by your access policy, you can allow members of, for example, the Economy role to have access only to selected Log Views. For each of these Log Views, you can apply different permission sets.

About permission sets

Permission sets enforce security policies for end-users and are applied at the user-defined Nodinite Roles level.
For each Role, a Nodinite Administrator assigns different permission sets to the following Nodinite entities:

A permission set can be applied globally or set uniquely on each entity. The following options exist:

  • Inherited – Default (not enabled)

    Note

    Not allowed is NOT the same as Deny! It means the inheritance chain is honored.

  • Allow – Access is granted.
  • Deny – The feature is blocked from usage. Use this setting only for special cases.

Important

Regardless of other permission sets, a Deny always wins. Since entities are assigned to Roles, you should rarely need to use Deny. Instead, consider removing the entity from the Role.

graph TD
    subgraph "fal:fa-lock Permission set"
        ro1(fal:fa-door-open Global setting)
        ro2(fal:fa-gear Permission)
        ro1 --> |Inherit, Allow or Deny| ro2
    end

Visual overview: How permission sets are inherited and applied in Nodinite.

Access right

For end-users to interact with the Repository Model, Monitor Views, and/or the Log Views, the Access permission must be set to Allow.
The highest level of a permission set is the Access right. The available values for this setting are:

  • Allow – Members of the Role can access the entity
  • Deny – Members of the Role cannot access the entity

graph TD
    subgraph "fal:fa-users-class Role"
        ro1(fal:fa-door-open Access)
        ro2(fal:fa-hard-drive Log Views)
        ro3(fal:fa-display Monitor Views)
        ro4(fal:fa-sitemap Repository)
        ro1 --> |Allow or Deny| ro2
        ro1 --> |Allow or Deny| ro3
        ro1 --> |Allow or Deny| ro4
        ro2 -.- ro21[fal:fa-lock Permission Set]
        ro3 -.- ro22[fal:fa-lock Permission Set]
        ro4 -.- ro23[fal:fa-lock Permission Set]
    end

Visual overview: How access rights and permission sets relate to Roles in Nodinite.
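The permission-set inheritance and Access right rules above can be modelled as follows. This is an added example, not Nodinite code: the data layout, the permission names "search" and "export", and the rule that an Allow from one Role grants access when another Role only inherits are assumptions made for illustration.

```python
from enum import Enum

class Setting(Enum):
    INHERITED = "Inherited"  # default: defer to the global setting
    ALLOW = "Allow"
    DENY = "Deny"

INHERITED, ALLOW, DENY = Setting.INHERITED, Setting.ALLOW, Setting.DENY

# Constructed sample data. Role and Log View names are taken from the examples
# on this page; the permission names "search" and "export" are hypothetical.
VIEW = "Find Order by Order Id"
ROLES = {
    "Economy": {
        "global": {"search": ALLOW},
        "log_views": {VIEW: {"access": ALLOW, "permissions": {"search": INHERITED}}},
    },
    "IT-Operations": {
        "global": {"search": ALLOW, "export": ALLOW},
        "log_views": {VIEW: {"access": ALLOW, "permissions": {}}},
    },
    "Developers": {
        "global": {},
        "log_views": {VIEW: {"access": DENY, "permissions": {}}},
    },
}

def role_decision(role, view, permission):
    """One Role's answer for a permission on a Log View; None if the view is not in the Role."""
    entry = role["log_views"].get(view)
    if entry is None:
        return None
    if entry["access"] is not ALLOW:  # the Access right gates the whole permission set
        return DENY
    local = entry["permissions"].get(permission, INHERITED)
    return role["global"].get(permission, INHERITED) if local is INHERITED else local

def effective(user_roles, view, permission, roles=ROLES):
    """Combine every Role the user holds: any Deny wins, otherwise any Allow grants."""
    decisions = [role_decision(roles[name], view, permission) for name in user_roles]
    if DENY in decisions:
        return "denied"
    if ALLOW in decisions:
        return "allowed"
    return "not granted"  # nothing but Inherited was found, which is not a Deny
```

A "not granted" result can still become "allowed" through another Role, while "denied" cannot, which is why removing an entity from a Role is usually preferable to setting Deny.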


Examples

Windows Authentication Mode Example

| Windows User | AD Group | Role | Log Views | Monitor Views | Repository |
|---|---|---|---|---|---|
| Agni, Waseem | - | Economy | Find Order by Order Id | Get alerts, troubleshoot if the daily exchange-rate failed to appear before 08:15 | Read rights on monitored resources |
| - | SE_IT_Operations | IT-Operations | Can use and manage all Log Views | Get alerts from all detected problems and can perform Remote Actions to swiftly resolve problems | Maintains the Knowledge base Articles and modifies the custom metadata fields |
| Joe | - | Production | Denied | A single Monitor View with the right to restart the printer service on Windows Server "SEDC01" | Can read the knowledge base article with the restart instructions |
| John | SE_DevTeam, NO_DevTeam | Developers | Denied | Denied | Writes the Knowledge base Articles and contributes with the documentation for new systems integrations solutions |

OIDC/OAuth 2.0 Mode Example

| Policy | Claims in Policy | Role | Log Views | Monitor Views | Repository |
|---|---|---|---|---|---|
| Finance User Policy | department=finance, access_level=editor | Finance Editor | Finance-specific Log Views | Finance Monitor Views | Read rights on finance resources |
| IT Operations Policy | department=it, access_level=admin, environment=production | IT Operations | All Log Views | All Monitor Views with Remote Actions | Full access to Knowledge Base |
| Developer Policy | team=development, environment=test | Developers | Development Log Views | Test/Dev Monitor Views | Write access to documentation |
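The Claims-to-Policy-to-Role matching in the OIDC/OAuth 2.0 example can be sketched as below, which also reports which Claims a token lacks when a Policy does not match. This is an added example, not Nodinite code; it assumes a Policy matches only when every listed Claim is present with an exact, case-sensitive value, and the function and dictionary names are hypothetical.

```python
# Constructed from the OIDC/OAuth 2.0 example table on this page.
# Assumption: a Policy is satisfied only when the token carries every Claim in it.
POLICIES = {
    "Finance User Policy": {"department": "finance", "access_level": "editor"},
    "IT Operations Policy": {"department": "it", "access_level": "admin",
                             "environment": "production"},
    "Developer Policy": {"team": "development", "environment": "test"},
}
POLICY_ROLE = {
    "Finance User Policy": "Finance Editor",
    "IT Operations Policy": "IT Operations",
    "Developer Policy": "Developers",
}

def claim_values(claims, key):
    """Identity providers send a claim as one string or a list; normalise to a set."""
    value = claims.get(key)
    if value is None:
        return set()
    if isinstance(value, (list, tuple, set)):
        return {str(v) for v in value}
    return {str(value)}

def missing_claims(claims, policy):
    """Claims the Policy requires that the token does not carry (exact, case-sensitive)."""
    return sorted(f"{key}={want}" for key, want in POLICIES[policy].items()
                  if want not in claim_values(claims, key))

def roles_for(claims):
    """Roles reached through every Policy whose required Claims are all present."""
    return [POLICY_ROLE[p] for p in POLICIES if not missing_claims(claims, p)]
```

Under these assumptions a token with department=it and access_level=admin but environment=test reaches no Role, and `missing_claims` names the Claim that is absent.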

Next Step

Add or manage Role
Add or manage Log View
Add or manage Monitor View
Repository Model

Permission Sets:

Log View permission set
Monitor View permission set
Repository Model permission set

Windows Authentication Mode:

Users - Individual Windows accounts
Windows AD Groups - Active Directory groups

OIDC/OAuth 2.0 Mode:

Claims - Key/value authorization attributes
Policies - Groups of Claims

General:

Access Management - Authorization overview
Log Views
Monitor Views
Install Nodinite v7 - Authentication - Authentication modes