Security Architecture in ReactorCX¶

ReactorCX implements a sophisticated, enterprise-grade security model designed to provide granular access control across the platform. If you're coming from other enterprise systems, you'll find the dual-layer approach both familiar and flexible for managing complex organizational hierarchies and access requirements.

Dual Access Control Model¶

ReactorCX employs a hybrid security framework combining two complementary access control methodologies.

Role-Based Access Control (RBAC)¶

RBAC in ReactorCX follows the traditional permission-to-role assignment pattern you're likely familiar with from other enterprise platforms. Here's what you need to know:

Permission Grants: Roles are configured with specific CRUD (Create, Read, Update, Delete) operation permissions
Object Scope: Permissions apply to platform objects including rules, folders, programs, and other system resources
Administrative Flexibility: Enables you to define standard role templates (such as Admin, Editor, and Viewer) with pre-configured permission sets

This layer provides the foundational security structure, ensuring users can perform only the operations appropriate to their assigned roles.

Attribute-Based Access Control (ABAC)¶

The ABAC layer adds a second dimension of security through business divisions, enabling record-level data segregation.

Division Concept: Business divisions (such as marketing, merchandising, and operations) function as logical data boundaries
Dual Assignment: Both users and objects (rules, folders, programs) can be assigned to one or more divisions
Access Logic: Users can access and modify only objects that share at least one common division assignment

Example

A user assigned to the marketing division can view and edit only rules that are also tagged to the marketing division, even if their role would otherwise permit broader access.

This combination means effective permissions are determined by the intersection of RBAC privileges and ABAC division matching. Both conditions must be satisfied.

For entities without a division, only the user's role and division determines access.

Authentication Architecture¶

ReactorCX supports modern authentication workflows through OpenID Connect (OIDC) integration, enabling you to leverage your existing identity infrastructure.

Dual Authentication Modes¶

Every RCX environment uses only one method to authenticate users: native or OIDC.

Native Authentication: Traditional username and password managed within ReactorCX
OIDC Authentication: Delegates authentication to external identity providers like Okta (Auth0), Azure AD, or other OIDC-compliant systems

Identity Provider Integration¶

When using OIDC:

User Management: Your OIDC provider (such as Okta) remains the authoritative source for user accounts and authentication.
Permission Mapping: ReactorCX manages roles and permissions internally, which are then mapped to groups defined in your OIDC provider.
Centralized Control: This enables you to provision or deprovision users in your identity provider (IdP) while maintaining permission governance within ReactorCX.

Implementation Note

This architecture separates authentication (who you are) from authorization (what you can do), following security best practices and enabling integration with your existing SSO and identity governance workflows.

Key Takeaways for Implementation¶

As you plan your ReactorCX security configuration:

Design your role hierarchy to reflect job functions and responsibilities.
Map business divisions to your organizational structure for data isolation.
Configure OIDC integration if you're using enterprise identity management.
Plan group mappings between your IdP and ReactorCX roles for seamless provisioning.

This dual-layer model provides the flexibility to handle both broad permission schemes and fine-grained data access controls, making it suitable for complex, multi-tenant, or highly regulated environments.