Skip to main content

Role-Based Access Control (RBAC)

AuroraSOC implements a comprehensive RBAC system with five roles and approximately 30 granular permissions. Every API endpoint, dashboard page, and agent action checks permissions before execution.

Role Hierarchy

Roles and Permissions

Admin

Full system control — manages users, configuration, and all security operations.

PermissionDescription
*All permissions (wildcard)

Analyst

Primary SOC operator — investigates alerts, manages cases, triggers playbooks.

PermissionDescription
alerts:readView alerts and alert details
alerts:writeUpdate alert status, add comments
alerts:investigateTrigger AI investigation
cases:readView cases
cases:writeCreate and update cases
cases:closeMark cases as resolved
agents:readView agent fleet status
agents:dispatchManually dispatch agent tasks
playbooks:readView playbooks
playbooks:executeExecute playbooks
approvals:readView pending approvals
approvals:decideApprove or reject actions
iocs:readView IOC database
iocs:writeAdd/modify IOCs
siem:readQuery SIEM data
cps:readView CPS device data
reports:readView reports
reports:generateGenerate new reports

Operator

Operations team — manages infrastructure and device fleet without investigation authority.

PermissionDescription
alerts:readView alerts (read-only)
agents:readView agent fleet status
cps:readView CPS devices
cps:writeRegister/update CPS devices
cps:attestTrigger firmware attestation
sites:readView site information
firmware:readView firmware inventory
firmware:updatePush firmware updates

Viewer

Read-only access for executives, auditors, and stakeholders.

PermissionDescription
alerts:readView alerts
cases:readView cases
agents:readView agent status
reports:readView reports
dashboard:readView dashboard statistics

API Service

Programmatic access for integrations and automated workflows.

PermissionDescription
alerts:readQuery alerts via API
alerts:writeCreate/update alerts
cases:readQuery cases via API
iocs:readQuery IOC database
iocs:writeSubmit new IOCs
siem:readQuery SIEM data
cps:readQuery CPS devices

Permission Enforcement

API Endpoints

Permissions are enforced using FastAPI dependency injection:

@app.get("/api/v1/alerts")
async def get_alerts(
    user: dict = Depends(require_permission("alerts:read"))
):
    """Only accessible with alerts:read permission."""
    return alerts

Role-Based Endpoint Guards

Some endpoints require a specific role (not just a permission):

@app.post("/api/v1/admin/users")
async def create_user(
    user: dict = Depends(require_role("admin"))
):
    """Only admin role can manage users."""
    ...

Dashboard UI

The React dashboard conditionally renders UI elements based on the authenticated user's role:

{user.role === 'admin' && (
    <AdminPanel />
)}
{hasPermission('playbooks:execute') && (
    <PlaybookExecuteButton />
)}

Permission Check Flow

Configuration

Default Users

AuroraSOC creates default accounts on first run (change passwords immediately):

UsernameRoleDefault Password
admin@aurora.localadminSet via AURORA_ADMIN_PASSWORD
analyst@aurora.localanalystSet via AURORA_ANALYST_PASSWORD
viewer@aurora.localviewerSet via AURORA_VIEWER_PASSWORD
Change Defaults

Always change default passwords before production deployment. Use HashiCorp Vault integration for credential management.

Custom Role Assignments

Roles are assigned per-user and stored in the database. Admins can modify role assignments via the API:

# Promote user to analyst
curl -X PUT /api/v1/admin/users/user123/role \
  -H "Authorization: Bearer $ADMIN_TOKEN" \
  -d '{"role": "analyst"}'

Audit Trail

All permission checks are logged:

  • Successful access → INFO level log
  • Denied access → WARNING level log with user, endpoint, and missing permission
  • All entries include OpenTelemetry trace context for correlation