Role Based Access Control
Introduction
Role Based Access Control (RBAC) in LightBeam is designed to help organizations manage who has access to what, based on clearly defined roles. Instead of assigning permissions to individual users, LightBeam groups access rights into roles, which are then assigned to users depending on their responsibilities.
This approach simplifies access management, reduces security risks, and ensures users only have access to the data and actions relevant to their job.
How RBAC Works in LightBeam
Users are assigned to a Role such as Data Steward, Datasource Owner, Datasource Viewer, Platform Admin, Platform Viewer, Platform Owner and User.
Each Role has a predefined set of permissions that control what actions the user can perform.
Getting Started
Step 1: Accessing the LightBeam Platform
Open your preferred web browser and log in to the platform using your admin credentials. Once you log in, you will see this page, known as the Dashboard.

Step 2: Navigating to the Settings
On the Dashboard screen, look to the top right corner of the page, next to the "Admin" label.
Click on the Settings icon, shaped like a gear (encircled in red).

Step 3: Access LightBeam User Management
After clicking the Settings icon, you will be redirected to the Settings page.

From the sidebar menu, select User Management (indicated by an arrow).

Adding a New User
To add a new user in Lightbeam, follow these steps:
Go to User Management
Navigate to the User and Role Management section from the Settings menu.
Click Add New User
On the top-right of the Users tab, click the blue + Add New User button.

Click on Add New User in Blue
Fill in User Details in the form that appears:
Enter the First Name and Last Name
Provide a valid Email Address
Select the appropriate Role from the dropdown
(Optional) Click on View Role Definition to understand what each role includes

Fill out the form with required details
Save the User
Scroll down and click the blue Save button at the bottom of the form.

Click on Save button
Confirm Action
A confirmation popup will appear. Click Add User to complete the process.

Click on Add User
Editing or Deleting a User
To manage an existing user in LightBeam, follow the steps below:
Open User Profile
Go to the User and Role Management section.
Click on the user's name from the list to open their profile.

Click on the user's name
Delete a User
Click the red Delete User button at the top right.

Click on the Delete User button
A warning popup will appear asking you to confirm the action.
Type the word delete in the input box and confirm to proceed.

Type the word delete and click on yes.
The user will be permanently removed from the system.
Edit a User
Click the blue Edit User button.

Click on the Edit User Button
Update fields such as First Name, Last Name, or Role as needed.

Make changes in the user detail form
After making the changes, click the Save button at the bottom of the form.

Click on Save to finalise all the changes
This process ensures that user details stay current and only valid accounts retain access to the platform.
Note: Whenever a user's role or access permissions are edited, the system will automatically log them out. They will need to log in again for the changes to take effect.
Filters and Customisation
To further manage the list of users, multiple filtering options are available to help refine the view:
Role: Filters users by role.
Scope: Filters users by scope of role.
Added By: Applies filters based on who added the user.
All Filters: Displays a consolidated view of all applied filters, with an option to clear them using Clear all.

User Management
User Roles
Predefined Roles
LightBeam offers seven predefined roles, each with a designated scope and specific access capabilities. Some roles come with fixed access, while others allow customization by users with the Platform Admin role.
Custom Roles
You can also create a custom role and specify the level of access for each module for that role.
Viewing User Roles and Scopes
To view user roles and their scopes, navigate to the User Management section and click on the Roles toggle at the top. This view displays all predefined roles along with their associated scopes and access permissions.

Role Names and Scopes
Role Scopes
All roles are assigned one of the following four scopes:
Global - Full access to all parts of the platform. Users with global roles can view and manage everything across: Data Sources, Privacy Ops, Governance, Insights, and Playbooks
Datasource - Access is limited to the data sources assigned to the user. These users can also work on alerts linked to their assigned data sources.
Alert - Alert-focused roles, with varying levels of access:
User role: standard access to view and respond to assigned alerts
Data Steward role: full access to manage alerts with advanced remediation capabilities
Custom - Defined by the platform admin with custom access for each module
Pre-defined Role Names
Role Name (Scope): Purpose
Platform Owner (Global): Comprehensive operational control over the platform with the ability to manage data sources, users, and settings. Cannot modify roles or add administrators. Optional access to PrivacyOps, alerts, and sensitive data viewing.
Platform Admin (Global): Complete administrative control over the entire platform, including user management, role assignments, and all configuration capabilities.
Platform Viewer (Global): Read-only access to monitor platform activity, view reports, and observe system configurations without the ability to make changes or take actions.
Datasource Owner (Datasource): Full control over assigned data sources including configuration, scanning settings, and related alerts. Optional access to sensitive data viewing and advanced alert management.
Datasource Viewer (Datasource): Operational access to assigned data sources with limited access to others.
Data Steward (Alert): Full access to manage assigned alerts with advanced remediation capabilities including file deletion, archiving, and relocation.
User (Alert): Standard access to view and respond to assigned alerts with basic remediation actions, excluding data deletion and archiving.
Role Restrictions and Customisation Rules
LightBeam offers a range of predefined roles, each with a designated scope and specific access capabilities. Some roles come with fixed access, while others allow customisation by users with the Platform Admin role.
Understanding Access Types

Click on roles toggle to see user roles
Different access types (such as Full Access, View Only, Limited, or No Access) are configured within each role. To view or modify these, go to the Roles tab under User Management and select a role to see its specific access settings.

Different Access Types
Each module or capability in LightBeam can be assigned one of the following permission levels:
Full Access - The role can view and take all necessary actions in the module.
View Only Access - The role can see the data but cannot perform any actions.
Limited Access - The role can view and interact at a basic level but cannot perform advanced actions (e.g., modifying policies or triggering sensitive functions).
No Access - The role cannot view or interact with the module at all.
Understanding Custom Access Modules

Custom access modules
Object Viewer - Grants the ability to view sensitive information tied to objects in a data source. Settings available are as follows:
Full Access - Roles can view objects in a data source and take necessary actions
No Access - Roles cannot view sensitive objects
View Only - Roles can only view the sensitive objects but cannot take any actions
PrivacyOps - Determines visibility and control of the PrivacyOps ticketing system.
Full Access allows users to view, manage, and resolve tickets
No Access removes the PrivacyOps tab entirely
Note: Currently, there is no "Limited Access" level for PrivacyOps. If access is granted, the user will see all tickets.
Alerts - Alerts function both as a scope and a permission, meaning access to alert-related actions can be determined in two ways:
Alerts as a Scope:
Roles with this scope (e.g., User, Data Steward) can only access the Alerts section of the platform.
They cannot access modules outside this scope.
Alerts as a Permission:
Controls the depth of alert interaction.
Can be customised depending on the role (if allowed).
Permission levels within Alerts:
Full Access - Can view and take advanced actions on alerts and sub-alerts. Also grants access to the Policies section from which alerts are triggered.
Limited Access - Can view alerts but cannot perform advanced actions (e.g., delete from source, archive, revoke access).
View Only Access - Can view alerts but cannot take any action.
No Access - Cannot view or interact with alerts at all.
Role Breakdown and Access Customisation

Click on the name of the role to see details
To view the details of a specific role, go to the Roles tab under User Management and click on the name of the role you want to explore. This will open a detailed view of its scope, access permissions, and customisation options.
Data Steward (Alert Scope)

Data Steward role details
This is a fixed role and cannot be customised.
Has full access to all assigned alerts.
Can manage, respond, and remediate alerts with advanced capabilities.
Ideal for users responsible for alert triage and resolution.
Can take advanced actions like delete from source, archive, and revoke access.
Datasource Owner (Datasource Scope)

Datasources Owner role details
Platform Admins can customise the permissions for this role. It's designed for users who manage specific data sources.
They can adjust access to:
Object Viewer - Set to Full Access or No Access
Alerts - Set to Full Access or Limited Access
PrivacyOps - Set to Full Access or No Access
Can onboard new data sources
Can edit data source configurations
Can act on alerts related to assigned sources
To modify, click the Edit Role button, make the changes, and save using the blue Save button at the bottom.
Datasource Viewer (Datasource Scope)

Datasources Viewer role details
This role is also customisable and is suitable for users who only need visibility into data sources.
They can be given:
Object Viewer - Set to View Only Access or No Access
Alerts - Fixed to View Only Access
Platform Admins can assign specific data sources to this role.
Users will only see the assigned data sources and the My Alerts section, filtered to alerts from those sources.
They cannot onboard or configure data sources.
Cannot perform actions on alerts; visibility only.
To update access, click Edit Role, configure the permissions, and click Save.
Platform Admin (Global Scope)

Platform Admin role details
This role comes with complete access to all modules and system settings.
Can manage users, roles, system configurations, and data access.
Has access to Dashboard, Data Sources, PrivacyOps, Governance, Insights, and Playbooks.
Can customise access for all other roles except the User and Data Steward, which are fixed.
Custom access for Platform Admin itself is not restricted, but typically remains full.
Platform Owner (Global Scope)

Platform Owner role details
Platform Admins can customise permissions for this role based on responsibilities across system modules.
They can adjust access to:
Object Viewer - Full Access or No Access
Alerts - Full Access or Limited Access
PrivacyOps - Full Access or No Access
Role Update - No Access (a Platform Owner cannot update the roles of any users in the system)
This allows operational flexibility without granting full administrative control. To edit, click Edit Role, make changes, and click Save.
Platform Viewer (Global Scope)

Platform Viewer role details
This is a read-only role with customisable visibility into specific modules. It's meant for users who need oversight without making changes.
They can be assigned:
Object Viewer - View Only Access or No Access
PrivacyOps - Full Access or No Access
Use Edit Role to configure visibility levels and click Save once done.
User (Alert Scope)

User role details
This role is fixed and cannot be customised.
Has limited access to view and respond to alerts assigned to them.
Cannot manage alerts or modify alert settings.
Suitable for basic alert monitoring tasks.
Can view and respond to alerts but cannot perform advanced actions.
Note: Custom access configurations can only be made by users with the Platform Admin role.
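As an added illustration (not LightBeam's own code or API), the following Python model encodes the two rules the sections above describe for alerts: scope decides which alerts a user can reach, and the Alerts permission level decides what they may do. The predefined roles follow the role table; mapping User to Limited Access and Platform Viewer to View Only Access is an assumption drawn from their descriptions, and the data source and alert identifiers are constructed.

```python
from dataclasses import dataclass

# Permission levels from the page, applied here to the Alerts module.
NO_ACCESS, VIEW_ONLY, LIMITED, FULL = "No Access", "View Only Access", "Limited Access", "Full Access"

# Actions each level permits on an alert (page: view / basic / advanced remediation).
ALERT_ACTIONS = {
    NO_ACCESS: set(),
    VIEW_ONLY: {"view"},
    LIMITED: {"view", "respond"},
    FULL: {"view", "respond", "delete_from_source", "archive", "revoke_access"},
}

@dataclass(frozen=True)
class Role:
    name: str
    scope: str   # "Global", "Datasource" or "Alert"; Custom scopes are not modelled here
    alerts: str  # permission level for the Alerts module

@dataclass
class User:
    role: Role
    datasources: frozenset = frozenset()  # data sources assigned (Datasource scope)
    alerts: frozenset = frozenset()       # alert ids assigned (Alert scope)

# Predefined roles as described on the page; mapping User to Limited and
# Platform Viewer to View Only is an assumption based on their descriptions.
PLATFORM_ADMIN = Role("Platform Admin", "Global", FULL)
PLATFORM_VIEWER = Role("Platform Viewer", "Global", VIEW_ONLY)
DATASOURCE_OWNER = Role("Datasource Owner", "Datasource", FULL)
DATASOURCE_VIEWER = Role("Datasource Viewer", "Datasource", VIEW_ONLY)
DATA_STEWARD = Role("Data Steward", "Alert", FULL)
USER_ROLE = Role("User", "Alert", LIMITED)

def in_scope(user: User, alert_datasource: str, alert_id: str) -> bool:
    """Scope decides WHICH alerts a user can reach at all."""
    scope = user.role.scope
    if scope == "Global":
        return True
    if scope == "Datasource":
        return alert_datasource in user.datasources
    if scope == "Alert":
        return alert_id in user.alerts
    return False  # unknown or Custom scope: deny by default

def can_act_on_alert(user: User, alert_datasource: str, alert_id: str, action: str) -> bool:
    """Permission level decides WHAT the user may do on an in-scope alert."""
    return in_scope(user, alert_datasource, alert_id) and action in ALERT_ACTIONS[user.role.alerts]
```

Denying by default for any scope the resolver does not recognise is deliberate: a role that is misconfigured should lose access rather than gain it.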
Custom Roles
Creating a Custom Role
LightBeam allows Platform Admins to create custom roles that support business-unit-specific workflows or PrivacyOps requirements. To create a custom role, follow the steps below:
Navigate to User Management
From the Settings menu, click User Management.
Select the Roles toggle at the top to switch from the Users view to the Roles view.
Creating a Custom Role
On the top-right corner of the Roles page, click the + Create Custom Role button.

Enter Role Details
The following image shows the General section for entering role details.

Enter a Role Name that clearly reflects the purpose of the role (e.g., "PIA Supervisor - Finance").
(Optional) Add a Description to help future admins understand the purpose of the role.
Configure Access Permissions
The following images show the permissions configurations available.

For the Objects module, either Full Access or No Access can be given to Object Viewer. With Full Access a user with this role will be able to view objects and perform actions such as downloading a redacted copy. With No Access, a user with this role will not be able to view objects.

Within Policies and Alerts, access levels include Full Access, View Only Access and No Access for Policies and Rule Sets and for Alerts. View Only Access means that the user will not be able to create or edit policies or take any actions on alerts, but will be able to view them.
Further controls are present for each action that can be taken on alerted objects or sub-alerts.

For the Insights module, access levels include Full Access, View Only Access and No Access for Attributes, Labels and Templates.


In the Privacy Ops modules, the access levels for the PIA and RoPA features are as follows:
Processes
All in BU - Access to all processes within the business unit.
Only assigned - Access only to processes assigned to or created by the user.
No access - No visibility into processes.
Reports
All in BU - View and download reports for all processes in the business unit.
Only assigned - View reports only for processes assigned to the user.
No access - No access to reports.
Reviews
Only assigned - Access only to risk reviews tied to the user's assigned processes.
No access - No access to reviews.
Tickets
Only assigned - Access only to tickets created by or assigned to the user.
No access - No access to tickets.
Templates
Full access - View and manage all templates, including system templates.
Limited access - Access only to templates created by or assigned to the user.
No access - No visibility into templates.
For the other Privacy Ops modules, either Full Access or No Access can be granted for DSR, Consent Management and Cookie Consent.
Save the Role
Once access levels are chosen for each module:
Click the Save button at the bottom of the screen
The new custom role will appear alongside predefined and existing custom roles.
Platform Admins can edit or assign the role to users at any time.
Purpose and Utility
Role Based Access Control (RBAC) enables organisations to manage user access efficiently and securely. By assigning permissions to roles rather than individuals, RBAC ensures that users can only access the data and perform the actions relevant to their responsibilities.
Key benefits include:
Simplified access management for administrators
Reduced risk of unauthorized access
Clear accountability and auditability of user actions
Flexibility to create custom roles tailored to organisational needs