RBAC on bots

The Control Room uses the deny-all and allow-by-exception security principle for RBAC where users are granted permissions only via assigned roles. By default, users are not provided with access to the Control Room.

The Control Room allows users to disable the System-created admin roles (if required) enabling users to customize role assignments that align with their organizational security and compliance needs.

The following security and configuration management guidelines as defined in NIST SP 800-53 are used for RBAC:

  • NIST AC-17 (remote access): RBAC restricts bot access and execution to authorized roles, ensuring controlled remote access.
  • NIST CM-2 (baseline configuration): System-created roles and default permission sets establish a secure baseline for access control.
  • NIST CM-5 (access restrictions for change): Only users with approved roles can modify bots, environments, or configurations.
  • NIST CM-6 (configuration settings): Administrators manage and enforce configuration settings through RBAC.
  • NIST CM-7 (least functionality): The deny-all and allow-by-exception security principle enforces least privilege access by granting only explicitly assigned permissions.
  • NIST CM-9 (configuration management plan): Bot activity is governed and monitored across development, test, and production environments, supporting comprehensive configuration management.

These controls collectively ensure secure baseline configurations, least privilege access, and effective governance of bot activity across all environments.