User roles are important for security, but they can also make a product simpler to use. We use them, for example, to tailor the user interface of our smart drive test benchmarking solution and simplify its handling. But first things first: what is the purpose of user role management?
User role management is predominantly used for role-based access control (RBAC), sometimes simply called role-based security. The majority of large organizations use role-based access control to facilitate the administration of security for hundreds of users and permissions.
Roles and their associated permissions authorize users to perform certain actions in a system. For example, only users with the role of Administrator (i.e. admins) are allowed to create new users or modify existing ones, while other roles might only have permission to view or list users in the user database.
In our web-based SmartMonitor data collection application, Managers have permission to generally administer the system. This includes setting up test campaigns, jobs, profiles, etc. but excludes user role management. Viewers have read-only access to the application; for example, they are allowed to view the dashboard, campaigns, and unit states or reports.
Roles are often structured hierarchically, which adds support for permission inheritance between roles. This means Administrators can do everything that Managers can do, and more (but not vice versa). We also use dedicated user roles for measurement units, interconnected systems, and portal applications, which must log in to access the system just as interactive users do.
Discretionary Access Control (DAC) versus RBAC user role management
While RBAC operates on group-level permissions, which are easy to manage, Discretionary Access Control (DAC) operates on personal permissions. This is generally more granular, because it is typically attached to the data or resource and set by the data or resource owner.
What is the use case here? For instance, with DAC you can give a user exclusive read access to specific measurement data or reports. This is useful if you are reselling your network monitoring services and want to give your customers exclusive access to specific parts of your network evaluation or analysis.
You no longer need to export static PDF reports. Instead, share a link and let your customers log in to your portal to view, filter, or drill down dynamic reports as they wish. This allows your customers to build and generate reports based on their own requirements.
Different roles for different applications
I recently talked about single sign-on (SSO) and how different back-end applications are integrated into the R&S mobile network testing WebPortal. Here, we have a single user database, but since users might perform different tasks in different applications, it makes sense to have application-specific roles.
In the SmartMonitor data collection application, for example, a test fleet driver would be assigned the Driver role but might not be assigned any role in the post-processing application. Consequently, the user will not be able to use the post-processing application at all.
When an application is registered on the WebPortal, it provides its own application-specific roles. The portal administrator may then set up users and assign multiple application roles according to the user’s needs.
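The hierarchy and the application-specific roles described above can be combined into one deny-by-default check. The following sketch is an added example, not code from the WebPortal or SmartMonitor; the role names come from the text, while the permission strings, the Manager-to-Viewer inheritance, and the application ids are assumptions.

```python
# Added example. Role names come from the article; the permission strings,
# the Manager -> Viewer inheritance, and the app ids are assumptions.

# Each application registers its own roles: role -> (parent, own permissions).
APP_ROLES = {
    "smartmonitor": {
        "Viewer": (None, {"dashboard:view", "campaign:view", "report:view"}),
        "Manager": ("Viewer", {"campaign:edit", "job:edit", "profile:edit"}),
        "Administrator": ("Manager", {"user:manage"}),
        "Driver": (None, {"dashboard:view", "campaign:control"}),
    },
    "postprocessing": {
        "Viewer": (None, {"report:view"}),
    },
}


def role_permissions(app, role):
    """Return a role's own permissions plus those inherited from its parents."""
    roles = APP_ROLES.get(app, {})
    perms, seen = set(), set()
    while role is not None:
        if role in seen:
            raise ValueError(f"cycle in role hierarchy at {role!r}")
        if role not in roles:
            return set()  # role not registered by this app: grant nothing
        seen.add(role)
        role, own = roles[role][0], roles[role][1]
        perms |= own
    return perms


def is_allowed(assignments, app, permission):
    """Deny by default: allow only if a role assigned for *this* app grants it.

    assignments maps app id -> set of role names for one portal user.
    """
    return any(
        permission in role_permissions(app, role)
        for role in assignments.get(app, ())
    )


# Constructed portal users sharing one user database.
DRIVER = {"smartmonitor": {"Driver"}}
MANAGER = {"smartmonitor": {"Manager"}, "postprocessing": {"Viewer"}}
ADMIN = {"smartmonitor": {"Administrator"}}
```

Because the lookup is scoped to the application being accessed, an Administrator role in one application confers nothing in another, and a user with no role for an application is denied everything there.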
User role management for customization and ease of use
While user roles are important for security, we also use them to tailor the user interface. The best example of this is the Driver role: your test fleet drivers might not be telecommunications experts and may be unskilled in setting up test campaigns. So what are the typical tasks a driver must perform?
- Power up the system
- Check that all measurement units are connected and ready
- Verify that the location provider has a valid GPS fix (this also provides time synchronization)
- Load a predefined route and display it on a map
- Verify that all measurement units are recording
- Keep track of the route and watch out for alerts (both audio and visual)
- Contact an expert in an office in case of problems for remote troubleshooting
- Optionally save or upload result files
For the driver to focus on the most important tasks during a drive test, our data collection application presents a dedicated, optimized dashboard view tailored to the Driver role. This dashboard view contains only information relevant to the task, such as:
- the overall system status summary (which ideally is always one big green tick icon);
- a panel to control test campaigns;
- a map panel that shows the GPS status;
- the current position and the active route;
- and, finally, a panel for alarms.
A quick glance at a dash-mounted tablet (or even a mobile phone) should be enough for the driver to know that the system is fully operational and functional.