
ReactorCX Security Administration Guide

This guide describes administration tasks such as setting up users and permissions, and integrating with Open ID Connect providers.

Security and Permissions Configuration

About the RCX Permission Model

RCX uses both Role-based and Attribute-based access control (RBAC and ABAC).

  • RBAC - assigns permissions to Roles; each permission gives the Role Create/Read/Write/Delete access to a type of object, e.g. Rules, Folders, Programs, etc.

  • ABAC - relies on the concept of Business Divisions. For example, we could have a Marketing, Merchandising and Operations division. Divisions can be assigned to Users and to various types of objects, e.g. Rules, Folders, Programs, etc. If a user is in a division that is also one of the divisions assigned to an object, then that user can modify that object. This allows for record-level access controls based on divisions.
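The two halves of the decision described above, combined with the per-user Division Check Enabled flag from the Users dialog, as an added illustration (not RCX's own code; the names Role, User, ObjectRecord and is_allowed are this example's own, and treating "read" as RBAC-only is an assumption):

```python
from dataclasses import dataclass

# Illustration of the combined RBAC + ABAC decision the guide describes. The
# names Role, User, ObjectRecord and is_allowed are this example's own, not RCX's API.

@dataclass
class Role:
    name: str
    grants: dict  # object type -> set of "create"/"read"/"write"/"delete"

@dataclass
class User:
    login: str
    roles: tuple
    divisions: frozenset
    division_check_enabled: bool = True  # the per-user flag in the Users dialog

@dataclass
class ObjectRecord:
    object_type: str      # e.g. "Rule", "Folder", "Program"
    divisions: frozenset  # divisions assigned to this record

def role_permits(user, action, object_type):
    """RBAC half: some assigned Role grants the action on this object type."""
    return any(action in r.grants.get(object_type, set()) for r in user.roles)

def division_permits(user, obj):
    """ABAC half: the user shares at least one division with the record.
    'Division Check Enabled' = No on the user bypasses this check entirely."""
    if not user.division_check_enabled:
        return True
    return bool(user.divisions & obj.divisions)

def is_allowed(user, action, obj):
    """RBAC must pass for every action; divisions additionally gate modifying
    actions. Treating 'read' as RBAC-only is an assumption of this example."""
    if not role_permits(user, action, obj.object_type):
        return False
    if action == "read":
        return True
    return division_permits(user, obj)

# Constructed sample data: a Rule Editor in Marketing working with Rules.
RULE_EDITOR = Role("Rule Editor", {"Rule": {"read", "write"}, "Folder": {"read"}})
ALICE = User("alice", (RULE_EDITOR,), frozenset({"Marketing"}))
BOB = User("bob", (RULE_EDITOR,), frozenset(), division_check_enabled=False)
OPS_RULE = ObjectRecord("Rule", frozenset({"Operations"}))
SHARED_RULE = ObjectRecord("Rule", frozenset({"Marketing", "Operations"}))
```

Note that BOB is allowed to write OPS_RULE with no divisions at all, which is exactly why disabling the division check on a user deserves the same scrutiny as granting a broad Role.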

User Accounts

RCX supports two modes of user authentication:

  • Native - users and integrated systems submit credentials and are issued a JWT by RCX. User accounts are managed directly in RCX. Roles and permissions are also added directly in RCX.
  • OIDC - RCX can integrate with an OIDC provider, such as Okta, to provide the authentication. User accounts are managed by Okta. Roles and permissions are administered in RCX. Once Roles are established in RCX, they are linked to Okta groups. Auto-provisioning is also available the first time a user logs in.

Administering Native Users

Editing User Details

To administer users in RCX:

  1. Navigate to Settings -> Users in the menu panel on the left.
  2. Use the Add User button to add users, or click on a user record to edit it.
  3. Fill out the details in the User dialog box.
  4. Press OK to confirm changes. If this is a new user account, an email is sent to allow them to set their password.

Figure 1. Adding a User

The following fields are available in the dialog box:

  • Login Name - the user name used to log in.
  • Email Address - email address to use for password resets, confirmations, etc.
  • Possible Divisions - which divisions this user is part of.
  • Default Division - the division to which the user will default when first logged in.
  • Token Expiration - the number of minutes after which the user's token expires.
  • Blocked - if a user tries to log in too many times and fails the captcha controls, this flag is set to Yes, and the user won't be able to log in until an Administrator unlocks the account.
  • Allow Multiple Sessions - allow user to be concurrently logged in to multiple sessions.
  • Enable Session Management - used for UI-only users, this allows the token expiration time to be measured from the last access timestamp instead of from the time of login.
  • Limits Enabled - whether to enable hard limits for CSRs.
  • Division Check Enabled - allows turning off division checks for the user.

Viewing User-based Roles and Permissions

RCX provides enhanced visibility into user permissions based on assigned roles. This feature allows users to filter and view permissions specific to each role they have been assigned.

To view permissions based on roles:

  1. Navigate to Settings -> Users in the menu panel on the left.
  2. Select a user to view their details.
  3. In the Users view, there is a Roles applet that displays all the roles assigned to the user.
  4. By default, the "Effective" option is selected, displaying all permissions available to the user across all assigned roles, along with default permissions, in the Permissions applet.
  5. If no roles are assigned, the user will see only the default permissions, with the role shown as "Effective".
  6. To view permissions for a specific role, select that role from the list. The permissions will be updated accordingly in the Permissions applet.

Figure 2. Viewing User Roles and Permissions

Setting up Roles and Permissions

To set up the permissions assigned to Roles:

  1. Navigate to Settings -> Security Setup from the menu panel on the left
  2. Use the Roles applet to add or edit Role names
  3. Use the Users applet to add or remove users from the selected Role in the Roles applet
  4. Use the Permissions applet to assign permissions to the selected Role in the Roles applet

Figure 3. Setting up Permissions

Tip

Use the Add All button on the Permissions applet to add all permissions to a Role.

Setting up Divisions

Divisions are used for Attribute Based Access Control (ABAC). If a user is assigned a division, and that division is also assigned to an object such as a Rule, Folder or Policy, then that user can edit that object.

To add divisions:

  1. Navigate to Settings -> Divisions from the menu panel
  2. Use the Add Division button to add a new Division

Figure 4. Setting up Divisions

Warning

Do not edit or delete division types if they have already been assigned to users and system objects.

Tip

Use the Clear Cache button to ensure new enums take effect immediately.

OIDC Integration

Integration with OIDC providers allows for managing users and roles/divisions from an OIDC provider such as Okta, Auth0 or another standards-compliant OIDC provider. Please engage your RCX support team to switch an environment to OIDC authentication based on your OIDC provider configuration.

Note

In any RCX environment there is only one way to authenticate users, native or OIDC; both cannot be used simultaneously.

Group to Role Mapping

RCX integrates with OIDC providers through a groups claim (or an equivalent claim) available in either the id_token or the access_token returned by the provider upon successful user authentication.

Using the groups claim, RCX maps groups in the OIDC provider to the Roles a user should have access to; the Role names in RCX must be the same as the OIDC group names passed in the groups claim.

Division Mapping

Assigning divisions via OIDC works similarly to assigning Roles. The only difference is that RCX and the OIDC provider need to agree on a group prefix (e.g. RCX_DIVISION_*) which governs which entries in the groups claim map to Divisions rather than Roles. For example:

OIDC Group           Division
RCX_DIVISION_Admin   Admin
RCX_DIVISION_Retail  Retail
RCX_DIVISION_Hotel   Hotel

Auto-provisioning of Users

The RCX OIDC integration auto-provisions a user the first time that user logs on successfully via the OIDC provider and presents a valid OIDC token (verified using the OIDC provider's public key). This means that no users need to be created within RCX beforehand, allowing for centralized user management via the OIDC provider.
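The group-to-role mapping, the prefix-based division mapping and the first-login provisioning described above, as an added illustration rather than RCX's own implementation. It assumes the token signature has already been verified against the provider's public key, and that the sub and email claims supply Login Name and Email Address (the guide does not say which claims RCX uses); the payload is constructed sample data.

```python
import time

DIVISION_PREFIX = "RCX_DIVISION_"  # prefix agreed with the OIDC provider (from the guide)

def map_groups(groups, prefix=DIVISION_PREFIX):
    """Split a groups claim into (divisions, roles). Prefixed entries become
    Divisions (prefix stripped); all others are Role names matched exactly."""
    divisions, roles = [], []
    for group in groups:
        if group.startswith(prefix):
            if group[len(prefix):]:  # bare "RCX_DIVISION_" names no division
                divisions.append(group[len(prefix):])
        else:
            roles.append(group)
    return divisions, roles

def check_token_claims(claims, issuer, audience, now=None):
    """Checks on a payload whose signature was ALREADY verified with the
    provider's public key. Raises ValueError instead of returning partial data."""
    now = time.time() if now is None else now
    if claims.get("iss") != issuer:
        raise ValueError("unexpected issuer")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token not issued for this client")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    return True

def provision_user(claims, issuer, audience, known_roles, now=None):
    """Account record an auto-provisioning step would create on first login.
    Using 'sub'/'email' for Login Name/Email is an assumption of this example."""
    check_token_claims(claims, issuer, audience, now)
    divisions, roles = map_groups(claims.get("groups", []))
    return {
        "login": claims["sub"],
        "email": claims.get("email"),
        "divisions": divisions,
        "roles": [r for r in roles if r in known_roles],
        "unmapped_groups": sorted(set(roles) - set(known_roles)),  # shown to admin, not dropped
    }

# Constructed sample ID-token payload (not a real token or tenant).
SAMPLE_CLAIMS = {
    "iss": "https://idp.example.com", "aud": "rcx-client", "sub": "jdoe",
    "email": "jdoe@example.com", "exp": 1_700_000_600,
    "groups": ["RCX_DIVISION_Retail", "RCX_DIVISION_Hotel", "Rule Editor",
               "Finance Viewers", "RCX_DIVISION_"],
}
```

Groups that match no RCX Role are reported rather than silently discarded, so a misspelled group name on the provider side shows up as a provisioning gap instead of a user quietly missing permissions.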