Role based Access Control

Introduction

RBAC in Lightbeam is designed to help organizations manage who has access to what, based on clearly defined roles. Instead of assigning permissions to individual users, Lightbeam groups access rights into roles, which are then assigned to users depending on their responsibilities.

This approach simplifies access management, reduces security risks, and ensures users only have access to the data and actions relevant to their job.

How RBAC Works in Lightbeam

  • Each user is assigned a Role: Data Steward, Datasource Owner, Datasource Viewer, Platform Admin, Platform Viewer, Platform Owner, or User.

  • Each Role has a predefined set of permissions that control what actions the user can perform.

Getting Started

Step 1: Accessing the LightBeam Platform

Open your preferred web browser and log in to the LightBeam dashboard using your admin credentials.

Once you log in, you land on the Dashboard page.

Step 2: Navigating to the Settings

  • On the Dashboard screen, look to the top right corner of the page, next to the "Admin" label.

  • Click the gear-shaped Settings (⚙️) icon.

Step 3: Access LightBeam User Management

  • After clicking the Settings icon, you will be redirected to the Settings page.

  • From the sidebar menu, select User Management.

Adding a New User

To add a new user in Lightbeam, follow these steps:

  1. Go to User Management: navigate to the User and Role Management section from the Settings menu.

  2. Click “Add New User”: at the top right of the Users tab, click the blue + Add New User button.

  3. Fill in User Details: in the form that appears,

    • Enter the First Name and Last Name

    • Provide a valid Email Address

    • Select the appropriate Role from the dropdown

    • (Optional) Click on View Role Definition to understand what each role includes

  4. Save the User: scroll down and click the blue Save button at the bottom of the form.

  5. Confirm Action: a confirmation popup will appear. Click Add User to complete the process.

Editing or Deleting a User

To manage an existing user in Lightbeam, follow the steps below:

1. Open User Profile

  • Go to the User and Role Management section.

  • Click on the user’s name from the list to open their profile.

2. Delete a User

  • Click the red Delete User button at the top right.

  • A warning popup will appear asking you to confirm the action.

  • Type the word delete in the input box and confirm to proceed.

  • The user will be permanently removed from the system.

3. Edit a User

  • Click the blue Edit User button.

  • Update fields such as First Name, Last Name, or Role as needed.

  • After making the changes, click the Save button at the bottom of the form.

This process ensures that user details stay current and only valid accounts retain access to the platform.

Note: Whenever a user’s role or access permissions are edited, the system will automatically log them out. They will need to log in again for the changes to take effect.

User Roles

Lightbeam provides 7 predefined user roles, each with a specific scope and set of permissions. These roles cannot be modified or newly created at this time.

Role Scopes

All roles are assigned one of the following three scopes:

  • Global – Full access to all parts of the platform. Users with global roles can view and manage everything across Data Sources, PrivacyOps, Governance, Insights, and Playbooks.

  • Datasource – Access is limited to the data sources assigned to the user. These users can also work on alerts linked to their assigned data sources.

  • Alert – Alert-focused roles, with varying levels of access:

    • User role: standard access to view and respond to assigned alerts

    • Data Steward role: full access to manage alerts with advanced remediation capabilities

Role Name         | Scope      | Purpose
------------------|------------|--------------------------------------------------------------
Platform Owner    | Global     | Comprehensive operational control over the platform with the ability to manage data sources, users, and settings. Cannot modify roles or add administrators. Optional access to PrivacyOps, alerts, and sensitive data viewing.
Platform Admin    | Global     | Complete administrative control over the entire platform, including user management, role assignments, and all configuration capabilities.
Platform Viewer   | Global     | Read-only access to monitor platform activity, view reports, and observe system configurations without the ability to make changes or take actions.
Datasource Owner  | Datasource | Full control over assigned data sources including configuration, scanning settings, and related alerts. Optional access to sensitive data viewing and advanced alert management.
Datasource Viewer | Datasource | Operational access to assigned data sources with limited access to others.
Data Steward      | Alert      | Full access to manage assigned alerts with advanced remediation capabilities including file deletion, archiving, and relocation.
User              | Alert      | Standard access to view and respond to assigned alerts with basic remediation actions, excluding data deletion and archiving.

Role Restrictions and Customization Rules

Lightbeam offers a range of predefined roles, each with a designated scope and specific access capabilities. Some roles come with fixed access, while others allow customization by users with the Platform Admin role.

Understanding Access Types

Each module or capability in Lightbeam can be assigned one of the following permission levels:

  • Full Access – The role can view and take all necessary actions in the module.

  • View Only Access – The role can see the data but cannot perform any actions.

  • Limited Access – The role can view and interact at a basic level but cannot perform advanced actions (e.g., modifying policies or triggering sensitive functions).

  • No Access – The role cannot view or interact with the module at all.

Understanding Custom Access Modules

  • Object Viewer – Grants the ability to view sensitive information tied to objects in a data source. The available settings are:

    • Full Access – Roles can view objects in a data source and take the necessary actions

    • No Access – Roles cannot view sensitive objects

    • View Only – Roles can view sensitive objects but cannot take any actions

  • PrivacyOps – Determines visibility and control of the PrivacyOps ticketing system.

    • Full Access allows users to view, manage, and resolve tickets

    • No Access removes the PrivacyOps tab entirely

Note: Currently, there is no “Limited Access” for PrivacyOps. If granted access, the user will see all tickets.

  • Alerts – Alerts function both as a scope and a permission, meaning access to alert-related actions can be determined in two ways:

    • Alerts as a scope:

      • Roles with this scope (e.g., User, Data Steward) can only access the Alerts section of the platform.

      • They cannot access modules outside this scope.

    • Alerts as a permission:

      • Controls the depth of alert interaction.

      • Can be customized depending on the role (if allowed).

    • Permission levels within Alerts:

      • Full Access – Can view and take advanced actions on alerts and sub-alerts. Also grants access to the Policies section from which alerts are triggered.

      • Limited Access – Can view alerts but cannot perform advanced actions (e.g., delete from source, archive, revoke access).

      • View Only Access – Can view alerts but cannot take any action.

      • No Access – Cannot view or interact with alerts at all.

Role Breakdown and Access Customization

1. Data Steward (Alert Scope)

This is a fixed role and cannot be customized.

  • Has full access to all assigned alerts.

  • Can manage, respond, and remediate alerts with advanced capabilities.

  • Ideal for users responsible for alert triage and resolution.

  • Can take advanced actions like delete from source, archive, and revoke access.

2. Datasource Owner (Datasource Scope)

Platform Admins can customize the permissions for this role. It’s designed for users who manage specific data sources.

They can adjust access to:

  • Object Viewer – Full Access or No Access

  • Alerts – Full Access or Limited Access

  • PrivacyOps – Full Access or No Access

In addition, users with this role:

  • Can onboard new data sources

  • Can edit data source configurations

  • Can act on alerts related to assigned sources

To modify, click the Edit Role button, make the changes, and save using the blue Save button at the bottom.

3. Datasource Viewer (Datasource Scope)

This role is also customizable and is suitable for users who only need visibility into data sources.

They can be given:

  • Object Viewer – View Only Access or No Access

  • Alerts – Fixed to View Only Access

Platform Admins can assign specific data sources to this role. Users with this role:

  • Will only see the assigned data sources and the My Alerts section, filtered to alerts from those sources.

  • Cannot onboard or configure data sources.

  • Cannot perform actions on alerts (visibility only).

To update access, click Edit Role, configure the permissions, and click Save.

4. Platform Admin (Global Scope)

This role comes with complete access to all modules and system settings.

  • Can manage users, roles, system configurations, and data access.

  • Has access to Dashboard, Data Sources, PrivacyOps, Governance, Insights, and Playbooks.

  • Can customize access for all other roles except User and Data Steward, which are fixed roles.

  • Custom access for Platform Admin itself is not restricted, but typically remains full.

5. Platform Owner (Global Scope)

Platform Admins can customize permissions for this role based on responsibilities across system modules.

They can adjust access to:

  • Object Viewer – Full Access or No Access

  • Alerts – Full Access or Limited Access

  • PrivacyOps – Full Access or No Access

  • Role Updation – No Access (a Platform Owner cannot update the roles of any users in the system)

This allows operational flexibility without granting full administrative control. To edit, click Edit Role, make changes, and click Save.

6. Platform Viewer (Global Scope)

This is a read-only role with customizable visibility into specific modules. It’s meant for users who need oversight without making changes.

They can be assigned:

  • Object Viewer – View Only Access or No Access

  • PrivacyOps – Full Access or No Access

Use Edit Role to configure visibility levels and click Save once done.

7. User (Alert Scope)

This role is fixed and cannot be customized.

  • Has limited access to view and respond to alerts assigned to them.

  • Cannot manage alerts or modify alert settings.

  • Suitable for basic alert monitoring tasks.

  • Can view and respond to alerts but cannot perform advanced actions.

Note: Custom access configurations can only be made by users with the Platform Admin role.
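The scope rules, per-module access levels and customization limits above, as one worked check (an added illustration, not LightBeam's own code). Role, module and level names come from this page; the function names, the ordering of the four levels, and the assigned-source and assigned-alert parameters are assumptions.

```python
# Added example (not LightBeam code): a compact model of the scope and per-module
# access rules described above. Role, module and level names come from the page; the
# function names, the level ordering and the "assigned" parameters are assumptions.

NO, VIEW, LIMITED, FULL = "No Access", "View Only Access", "Limited Access", "Full Access"
RANK = {NO: 0, VIEW: 1, LIMITED: 2, FULL: 3}   # assumed ordering, least to most privilege

SCOPE = {"Platform Admin": "Global", "Platform Owner": "Global", "Platform Viewer": "Global",
         "Datasource Owner": "Datasource", "Datasource Viewer": "Datasource",
         "Data Steward": "Alert", "User": "Alert"}

# Levels a Platform Admin may set per customizable role (Role Breakdown section).
# Single-element sets are fixed settings; User and Data Steward are absent because
# those roles are fixed as a whole.
CUSTOMIZABLE = {
    "Datasource Owner":  {"Object Viewer": {FULL, NO}, "Alerts": {FULL, LIMITED},
                          "PrivacyOps": {FULL, NO}},
    "Datasource Viewer": {"Object Viewer": {VIEW, NO}, "Alerts": {VIEW}},
    "Platform Owner":    {"Object Viewer": {FULL, NO}, "Alerts": {FULL, LIMITED},
                          "PrivacyOps": {FULL, NO}, "Role Updation": {NO}},
    "Platform Viewer":   {"Object Viewer": {VIEW, NO}, "PrivacyOps": {FULL, NO}},
}

# Minimum Alerts level per action; the advanced actions are those excluded from Limited Access.
ALERT_ACTION_MIN = {"view": VIEW, "respond": LIMITED,
                    "delete from source": FULL, "archive": FULL, "revoke access": FULL}


def validate_customization(actor_role, target_role, module, level):
    """Return (ok, reason) for a proposed change to a role's module access."""
    if actor_role != "Platform Admin":
        return False, "only a Platform Admin can change role access"
    if target_role not in CUSTOMIZABLE:
        return False, f"{target_role} is a fixed role"
    allowed = CUSTOMIZABLE[target_role].get(module)
    if allowed is None:
        return False, f"{module} is not customizable for {target_role}"
    if level not in allowed:
        return False, f"{target_role}/{module} accepts only {sorted(allowed)}"
    return True, "ok"


def can_act_on_alert(role, alerts_level, action, source, assigned_sources=(), assigned=True):
    """Scope check first (Datasource scope: only assigned sources; Alert scope: only alerts
    assigned to the user), then compare the role's Alerts level with the action's minimum."""
    if SCOPE[role] == "Datasource" and source not in assigned_sources:
        return False
    if SCOPE[role] == "Alert" and not assigned:
        return False
    return RANK[alerts_level] >= RANK[ALERT_ACTION_MIN[action]]
```

The first function mirrors the rule that only a Platform Admin may customize, and rejects settings the page does not allow for a role; the second applies scope before permission level, so a Datasource Owner with Full Access to Alerts still cannot touch alerts from a source not assigned to them.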
