
Internal Tools RBAC System

Authorization manager console and permissions service

Legacy RBAC Admin Tool: A Bottleneck for Productivity and Security

Our legacy role-based access control (RBAC) admin tool served as a significant roadblock to both productivity and security. Limited in its ability to adapt to evolving organizational structures, feature sets, and responsibilities, it lacked transparency regarding permission distribution, usage, logging, and new user onboarding processes.

Maintaining user permissions became an endless task for a single point of contact, who, because of the system's rigidity, often had to rely on ambiguous interpretations of roles and overly generous access grants. The tool also created substantial security challenges: comprehensive security audits took between two and five business days to complete, and even then their accuracy was questionable.


Reimagining Access Control: A Multifaceted Approach


Recognizing the need for a robust and intuitive solution, I undertook a revitalization of our RBAC system. Through collaboration with our security team, we established a set of guiding principles for the new system:

  • Principle of Least Privilege: Granting access solely to tools necessary for individual job duties, ensuring minimal exposure.

  • Flexibility and Scalability: Accommodating the dynamic nature of organizational structures, roles, tools, and permissions without extensive engineering support.

  • Data Clarity: Empowering security and data protection teams with immediate visibility into employee tool access.

  • Usability: Designing a user interface both intuitive for users and readily configurable by software engineers.

  • Expiring Access: Enabling temporary access to tools outside of core responsibilities for the duration of specific tasks or projects.


From Vision to Reality: A Collaborative Effort


Despite our designer's reassignment, I actively drove the project forward, including designing the access workflow, developing wireframes in Figma, refining requirements, and collaborating with engineers to rebuild the underlying permissions service and the new RBAC tool and, ultimately, migrating our 200 users to the updated system.


Furthermore, I conducted interviews with representatives across every department to understand departmental workflows and tool usage patterns and to tailor user group configurations. This detailed approach ensured minimal disruption during the user migration, testing, and support phases.


Impact and Outcomes: A Streamlined and Secure Landscape


The new tool introduced significant improvements:

  • Simplified Onboarding and Offboarding: User management became straightforward, facilitated solely by job title information.

  • Delegated Responsibilities to IT: Troubleshooting streamlined through a concise Confluence guide that I wrote.

  • Empowered Identity Team: Ownership of user access management transitioned smoothly to the identity team after a brief handover session.

  • Granular Permissions and Enhanced Security: Implementing role-specific access and restricting high-risk features to designated personnel.

  • Automated Temporary Access: Facilitating time-bound permission grants for specific needs, balancing operational efficiency with security principles.

  • Real-Time Auditing: Integrating the new permission service with our data pipeline enabled real-time user access audits via Looker or simple CSV exports, eliminating the need for direct tool access. This reduction in complexity shortened audit times from days to mere hours, allowing the data protection team to increase audit frequency from annual to quarterly.
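As an added illustration (not the project's actual permissions service, whose code this page does not show), the following Python sketch models the rules described above: a baseline derived solely from job title, time-bound grants that drop off on their own, high-risk features gated behind designated approval, and a flat per-user, per-permission snapshot of the kind a data pipeline or CSV export would hand to auditors. The role names, permission strings and the approval flag are constructed assumptions.

```python
import csv
import io
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed sample catalogue: each job title maps to the minimum set of tool permissions it needs.
ROLE_PERMISSIONS = {
    "support_agent": {"tickets:read", "tickets:write"},
    "support_lead": {"tickets:read", "tickets:write", "refunds:issue"},
    "data_analyst": {"reports:read"},
}
# High-risk features restricted to designated personnel; even a temporary grant needs owner approval.
HIGH_RISK = {"refunds:issue", "users:delete"}

@dataclass
class TemporaryGrant:
    permission: str
    expires_at: datetime
    reason: str

@dataclass
class User:
    email: str
    job_title: str
    grants: list = field(default_factory=list)

def effective_permissions(user, now):
    """Baseline comes from job title only; unexpired temporary grants are layered on top."""
    perms = set(ROLE_PERMISSIONS.get(user.job_title, set()))
    perms |= {g.permission for g in user.grants if g.expires_at > now}
    return perms

def grant_temporary(user, permission, hours, reason, now, owner_approved=False):
    """Time-bound grant; high-risk permissions require a designated owner's approval."""
    if permission in HIGH_RISK and not owner_approved:
        raise PermissionError(f"{permission} is high-risk; owner approval required")
    user.grants.append(TemporaryGrant(permission, now + timedelta(hours=hours), reason))

def audit_csv(users, now):
    """Snapshot of who can do what right now, in the flat form an audit pipeline ingests."""
    out = io.StringIO()
    w = csv.writer(out)
    w.writerow(["email", "job_title", "permission", "high_risk", "source"])
    for u in users:
        base = ROLE_PERMISSIONS.get(u.job_title, set())
        for p in sorted(effective_permissions(u, now)):
            src = "role" if p in base else "temporary"
            w.writerow([u.email, u.job_title, p, p in HIGH_RISK, src])
    return out.getvalue()
```

Because expiry is evaluated at read time, an audit run after the window closes no longer lists the temporary grant, which is what makes the export trustworthy without anyone remembering to revoke access.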


In conclusion, the development and implementation of the new RBAC tool transformed user access management from a cumbersome process to a streamlined and secure operation. As a result, we witnessed enhanced security posture, responsibilities delegated to the appropriate departments, and empowered personnel across the organization.
