Role-Based Access Controls (RBAC)
      Back to home
      1. Arpio Documentation
      2. Reference Guides
      3. Role-Based Access Controls (RBAC)

      RBAC Management Guide

      An overview of role-based access control (RBAC) for managing user access in Arpio

      Jump to:

       

      Concepts

      Arpio's role-based access control (RBAC) system lets you manage user access  by creating roles that define what users can see and do within your Arpio account. You can control access at both the account level and individual application level, ensuring users have appropriate permissions for their responsibilities.

      RBAC works with three core components: users, roles, and groups. Users are assigned roles either directly or through group membership. Roles contain policies that specify permission levels for different applications. This flexible system supports various authentication and authorization scenarios, from simple native Arpio authentication to complex SSO integrations.

      Authentication and Authorization Scenarios

      Arpio supports three primary approaches for managing user access, each suited to different organizational needs:

      1. Authentication via SSO and Authorization via Arpio

      Your organization uses an external identity provider (like Azure Active Directory, Okta, or Google Workspace) to authenticate users, but manages all role  assignments within Arpio. This approach gives you centralized authentication with granular control over Arpio-specific permissions.

      Best for: Organizations that want to leverage existing SSO infrastructure, but plan to manage users and user role assignment directly in Arpio.  

      2. Authentication and Authorization via SSO

      Both user authentication and role assignment are handled by your external identity provider. Roles and groups are mapped between your SSO provider and Arpio, with permission assignments managed through your identity provider's group memberships.

      Best for: Organizations that want to centralize all access management in their existing identity provider and minimize administrative overhead in Arpio.

      3. Authentication and Authorization via Arpio (No SSO)

      Users authenticate directly to Arpio using email and password credentials, and all role assignments are managed within Arpio. This provides complete control within Arpio but requires separate credential management.

      Best for: Organizations without SSO infrastructure or those preferring to manage Arpio access independently from other systems.

      Core Components

      Users

      Every person who accesses your Arpio account is represented as a user. Users must be assigned at least one role to access any Arpio resources. The first user created in a new Arpio account automatically receives the Account Administrator role.

      Roles

      Roles define what users can see and do in Arpio by combining one or more policies. Arpio provides two predefined system roles:

      • Account Administrator: Full access to all applications in the Arpio tenant, as well as read and write access to all account settings
      • Account Read-Only: View-only access to all applications in the Arpio tenant, as well as read-only access to all account settings.

      You can also create custom roles with specific permission combinations for your organization's needs.

      Policies

      Policies are the building blocks of roles. Each policy combines:

      • An access level (permission type like Administrator, Recovery Operator, or Test Operator)
      • A set of applications that the access level  applies to

      A single role can contain multiple policies, allowing you to grant different permission levels across different applications.

      Understanding Access Levels

      • Administrator:  Can perform all of the actions of the Recovery Operator, Test Operator, and Manager for all assigned applications, in addition to the ability to delete any of the applications in the policy.
      • Recovery Operator: Can perform a recovery and all recovery-related actions, such as initiating a ransomware recovery, as well as failback operations on assigned applications  in the policy.
      • Test Operator: Can perform all test operations on assigned applications in the policy.
      • Manager: Can edit all application settings such as Name, RPO, and Notification Recipients and modify resource selection in the application. 
      • Read-Only: View-only access to assigned applications.

      Note that account-level access (Account Administrator and Account Read-Only) is limited to the two predefined system roles, while application-level access can be assigned through custom roles using the access levels above.

      Groups

      Groups simplify role assignment by allowing you to manage permissions for multiple users simultaneously. Instead of assigning roles to individual users, you can assign roles to groups and add users to those groups. When creating a group, you can assign multiple roles and add multiple users in a single operation, making bulk permission management much more efficient.

      Advanced Scenarios

      Multiple Applications with Different Access Levels

      You can create roles that grant different permission levels across your applications. For example, a role might provide Recovery Operator access to production applications while granting only Read-Only access to development applications.

      Temporary Access Management

      Use groups to manage temporary access needs. Create temporary groups for specific projects or time-limited access requirements, then remove users from these groups when access is no longer needed.

      Authentication via SSO and Authorization via Arpio

      Configure external SSO authentication while managing user access within Arpio

      Overview

      This approach combines the convenience of single sign-on authentication with the flexibility of managing detailed permissions within Arpio. Users authenticate through your organization's existing identity provider (such as Azure Active Directory, Okta, or Google Workspace), but all role assignments and permission management happen within the Arpio console.

      Prerequisites

      Before you begin, ensure you have:

      • An external identity provider configured and ready to integrate with Arpio
      • Account Administrator privileges in your Arpio account
      • The SAML 2.0 metadata from your identity provider

      Step 1: Configure Your Identity Provider

      First, you'll need to set up Arpio as a service provider in your identity provider. See our specific guides for:

      Step 2: Add the Identity Provider to Arpio

      1. Navigate to the Account section in your Arpio console
      2. Select Identity Providers
      3. Click Add Identity Provider
      4. Upload or paste your identity provider's SAML 2.0 metadata
      5. Configure the provider settings according to your requirements
      6. Important: Leave the "Automatically provision new users" checkbox unchecked

      By leaving automatic provisioning disabled, you maintain control over user creation and role assignment within Arpio.

      Step 3: Create and Configure Roles

      Before inviting users, set up the roles they'll need:


      Create Custom Roles

      1. Navigate to User ManagementRole Management
      2. Click Create New Role
      3. Enter a descriptive Role Name
      4. Leave External ID empty (this field is used only for SSO-managed authorization)
      5. Configure policies by:
        • Selecting an Access Level (Administrator, Recovery Operator, Test Operator, Manager, or Read-Only)
        • Choosing specific applications or selecting "Always Include All Applications"
        • Adding additional policies as needed using Add Another Policy
      6. Click Create Role

      Step 4: Create Groups (Optional but Recommended)

      Groups simplify role assignment, especially for larger organizations:

      1. Navigate to User ManagementGroups
      2. Click Create New Group
      3. Enter a Group Name that reflects the users' responsibilities
      4. Leave External ID empty (not needed for this approach)
      5. In the Create Group Assignments section:
        • Assign Roles: Select one or more roles by checking the boxes next to role names
        • Assign Users: Select users to add to this group by checking the boxes next to their names
        • You can filter both roles and users using the search boxes
      6. Click Create Group

      The interface shows you available roles with their access levels and applications, and displays existing users with their email addresses, making it easy to build groups with appropriate permissions.

      Step 5: Invite and Configure Users


      Invite New Users

      1. Navigate to User ManagementAll Users
      2. Click Invite New Users
      3. Enter the email addresses of users you want to invite
        • Important: Use the exact email addresses that your identity provider sends to Arpio
      4. For each user:
        • Assign roles directly, or
        • Add them to groups that have the appropriate roles
      5. Send the invitations


      Configure Existing Users

      If you already have users who were using native Arpio authentication:

      1. Locate the user in the All Users list
      2. Verify their email address matches what your identity provider will send
      3. Adjust their role assignments as needed for your new RBAC structure

      Managing Users and Permissions

      Adding New Users

      When new employees join your organization:

      1. Ensure they're added to your identity provider
      2. Invite them in Arpio using their corporate email address
      3. Assign appropriate roles or add them to existing groups

      Modifying User Access

      To change a user's permissions:

      1. Navigate to User ManagementAll Users
      2. Find the user and click on their name
      3. Modify their role assignments or group memberships
      4. Changes take effect immediately for new sessions

      Authentication and Authorization via SSO

      Configure both user authentication and permission management through your external identity provider

      Overview

      This approach centralizes all access management in your existing identity provider. Users authenticate through your SSO provider, and their roles and permissions in Arpio are automatically determined by their group memberships or attributes in the identity provider. This minimizes administrative overhead in Arpio while leveraging your organization's existing access management processes.

      Prerequisites

      Before you begin, ensure you have:

      • An external identity provider that supports SAML 2.0 group/role claims
      • Administrative access to configure applications and groups in your identity provider
      • Account Administrator privileges in your Arpio account
      • Understanding of your organization's group structure in the identity provider

      Step 1: Plan Your Role Mapping Strategy

      Before configuring the technical integration, plan how your identity provider's groups will map to Arpio roles:


      Map Identity Provider Groups

      Create or identify groups in your identity provider that correspond to Arpio access levels. For example:

      • Arpio-Administrators → Administrator role
      • Arpio-Recovery-Operators → Recovery Operator role
      • Arpio-Viewers → Read-Only role

      Step 2: Add the Identity Provider to Arpio

      1. Navigate to the Account section in your Arpio console
      2. Select Identity Providers
      3. Click Add Identity Provider
      4. Upload or paste your identity provider's SAML 2.0 metadata
      5. Configure the provider name (e.g., "Entra (corporatedomain.com)")
      6. Enable "Automatically provision new users"

      When automatic provisioning is enabled, users authenticated through your identity provider will be automatically created in Arpio and assigned roles based on their group memberships.

      Step 3: Create Roles with External IDs

      Create roles in Arpio that correspond to your identity provider groups:


      For Each Planned Role:

      1. Navigate to User ManagementRole Management
      2. Click Create New Role
      3. Enter a descriptive Role Name (e.g., "Recovery Operators")
      4. Important: Enter an External ID that exactly matches your identity provider group name or identifier
      5. Configure policies:
        • Select appropriate Access Level
        • Choose applications (or select "Always Include All Applications" for broader access)
        • Add additional policies as needed
      6. Click Create Role

      External ID Examples:

      • If your Azure AD group is named "Arpio-Recovery-Operators", use Arpio-Recovery-Operators as the External ID
      • If using group object IDs, use the actual GUID: a1b2c3d4-e5f6-7890-1234-567890abcdef
      • Match the exact format and case used by your identity provider

      Step 4: Create Groups with External IDs (Optional)

      Groups can simplify role management when you have complex permission structures:

      1. Navigate to User ManagementGroups
      2. Click Create New Group
      3. Enter a Group Name and corresponding External ID
      4. In the Create Group Assignments section:
        • Assign Roles: Select roles by checking boxes next to the role names you want to include
        • Assign Users: Select users to automatically add to this group (though for SSO scenarios, users will typically be added through identity provider group memberships)
      5. Click Create Group

      Authentication and Authorization via Arpio (No SSO)

      Manage both user authentication and permissions entirely within Arpio

      Overview

      This approach provides complete control over user access management within Arpio without requiring external identity providers. Users authenticate using email addresses and passwords managed directly in Arpio, and all role assignments and permission management happen within the Arpio console. This is ideal for organizations that prefer to manage Arpio access independently or don't have SSO infrastructure.

      Prerequisites

      • Account Administrator privileges in your Arpio account
      • Email addresses for users who need Arpio access
      • Understanding of your organization's access requirements and application structure

      Step 1: Plan Your Role Structure

      Before creating users, design a role structure that aligns with your organization's responsibilities:


      Identify Access Requirements

      Consider who needs what level of access:

      • Full Account Administrator access: IT administrators, account managers
      • Application-level Administrator access: Application owners and senior DevOps engineers
      • Recovery Operator: DevOps engineers, site reliability engineers
      • Testing Operator: QA engineers, test automation specialists
      • Manager oversight: Team leads, managers who need operational visibility
      • Read-only monitoring: Business stakeholders, auditors, junior team members


      Plan Application-Level Permissions

      Determine if different users need different access levels across your applications:

      • Production applications might require more restrictive access
      • Development or staging applications might allow broader access
      • Some users might need access to only specific applications

      Step 2: Create Custom Roles

      Set up roles that match your organization's needs:


      Create Roles for Different Access Levels

      1. Navigate to User ManagementRole Management
      2. Click Create New Role
      3. Enter a descriptive Role Name (e.g., "Production Recovery Operator")
      4. Leave External ID empty (not needed for native Arpio authentication)
      5. Configure the role's policies:

      For Each Policy:

      • Select Access Level:
        • Administrator: Full application access and management
        • Recovery Operator: Can perform recovery operations
        • Test Operator: Can perform testing operations
        • Manager: Management-level operational access
        • Read-Only: View-only access
      • Choose Application Scope:
        • Check "Always Include All Applications" for broad access, or
        • Select specific applications for granular control
      • Click Add Another Policy to create additional permission combinations within the same role
      1. Click Create Role

      Best Practices

      • Follow the principle of least privilege: Grant users only the minimum permissions needed for their responsibilities
      • Use groups for role assignment: Managing permissions through groups is more efficient than individual user assignment
      • Regularly review permissions: Periodically audit user access to ensure permissions remain appropriate
      • Plan your role structure: Design roles that align with your organization's responsibilities and workflows before creating multiple custom roles

      Managing Access

      Once your initial setup is complete, you can:

      • Create custom roles tailored to your organization's specific needs using the available access levels
      • Organize users into groups for easier permission management - the group creation interface allows you to assign multiple roles and users simultaneously
      • Assign roles directly to users or through group membership
      • Monitor user activity through the user management interface, which shows last active dates and current role assignments
      • Bulk manage permissions using the group interface to efficiently handle role assignments for multiple users

      All roles and group management can be performed by users with the Account Administrator role through the Arpio console's user management interface.