Role-Based Access Control (RBAC)

AuroraSOC implements a comprehensive RBAC system with five roles and approximately 30 granular permissions. Every API endpoint, dashboard page, and agent action checks permissions before execution.

Role Hierarchy

Roles and Permissions

Admin

Full system control — manages users, configuration, and all security operations.

Permission	Description
*	All permissions (wildcard)

Analyst

Primary SOC operator — investigates alerts, manages cases, triggers playbooks.

Permission	Description
alerts:read	View alerts and alert details
alerts:write	Update alert status, add comments
alerts:investigate	Trigger AI investigation
cases:read	View cases
cases:write	Create and update cases
cases:close	Mark cases as resolved
agents:read	View agent fleet status
agents:dispatch	Manually dispatch agent tasks
playbooks:read	View playbooks
playbooks:execute	Execute playbooks
approvals:read	View pending approvals
approvals:decide	Approve or reject actions
iocs:read	View IOC database
iocs:write	Add/modify IOCs
siem:read	Query SIEM data
cps:read	View CPS device data
reports:read	View reports
reports:generate	Generate new reports

Operator

Operations team — manages infrastructure and device fleet without investigation authority.

Permission	Description
alerts:read	View alerts (read-only)
agents:read	View agent fleet status
cps:read	View CPS devices
cps:write	Register/update CPS devices
cps:attest	Trigger firmware attestation
sites:read	View site information
firmware:read	View firmware inventory
firmware:update	Push firmware updates

Viewer

Read-only access for executives, auditors, and stakeholders.

Permission	Description
alerts:read	View alerts
cases:read	View cases
agents:read	View agent status
reports:read	View reports
dashboard:read	View dashboard statistics

API Service

Programmatic access for integrations and automated workflows.

Permission	Description
alerts:read	Query alerts via API
alerts:write	Create/update alerts
cases:read	Query cases via API
iocs:read	Query IOC database
iocs:write	Submit new IOCs
siem:read	Query SIEM data
cps:read	Query CPS devices

Permission Enforcement

API Endpoints

Permissions are enforced using FastAPI dependency injection:

@app.get("/api/v1/alerts")
async def get_alerts(
    user: dict = Depends(require_permission("alerts:read"))
):
    """Only accessible with alerts:read permission."""
    return alerts

Role-Based Endpoint Guards

Some endpoints require a specific role (not just a permission):

@app.post("/api/v1/admin/users")
async def create_user(
    user: dict = Depends(require_role("admin"))
):
    """Only admin role can manage users."""
    ...

Dashboard UI

The React dashboard conditionally renders UI elements based on the authenticated user's role:

{user.role === 'admin' && (
    <AdminPanel />
)}
{hasPermission('playbooks:execute') && (
    <PlaybookExecuteButton />
)}

Permission Check Flow

Configuration

Default Users

AuroraSOC creates default accounts on first run (change passwords immediately):

Username	Role	Default Password
admin@aurora.local	admin	Set via AURORA_ADMIN_PASSWORD
analyst@aurora.local	analyst	Set via AURORA_ANALYST_PASSWORD
viewer@aurora.local	viewer	Set via AURORA_VIEWER_PASSWORD

Change Defaults

Always change default passwords before production deployment. Use HashiCorp Vault integration for credential management.

Custom Role Assignments

Roles are assigned per-user and stored in the database. Admins can modify role assignments via the API:

# Promote user to analyst
curl -X PUT /api/v1/admin/users/user123/role \
  -H "Authorization: Bearer $ADMIN_TOKEN" \
  -d '{"role": "analyst"}'

Audit Trail

All permission checks are logged:

• Successful access → INFO level log
• Denied access → WARNING level log with user, endpoint, and missing permission
• All entries include OpenTelemetry trace context for correlation