RBAC with SAML/Keycloak


Raymond Perigo

Jan 9, 2022, 6:17:31 AM
to cBioPortal for Cancer Genomics Discussion Group
Hey folks,

We've got a stakeholder piloting cBioPortal for their use case, and they have some need for role-based access control for individual studies. From my understanding, with the removal of built-in LDAP and a reliance on SAML/Keycloak for federated login, it appears there are two avenues for setting up access to individual studies:

1) manually set up roles and assign users in Keycloak, such that those users/groups are granted access to what they need.

2) insert group IDs into metadata when the studies are uploaded, coupled with creating such groups in Keycloak.

One thing they asked is whether it would be possible for individual users to easily select which groups/users have access to whatever studies. From my understanding, this is not possible beyond the above-mentioned study metadata?

Would it be possible to get some clarity on these points - e.g whether my understanding of the current state of the RBAC mechanism is indeed correct, and whether other avenues exist for users of the system to control access from the webapp itself?

Thanks!

Pim van Nierop

Jan 10, 2022, 3:53:04 AM
to Raymond Perigo, cBioPortal for Cancer Genomics Discussion Group
Hi Raymond,

The metadata approach (option 2) does not offer the flexibility that I think your stakeholders request. It can divide studies into broad study classes that can be accessed by different user groups (e.g., public and internal), but it is not very suitable when there are a large number of user groups with different permissions. Any change to this metadata has to be made via directly executed MySQL commands; there are no facilities in place that automate this task. So, when user groups and their permissions change often, you would have to develop your own functionality to manage this via the metadata.

We (The Hyve) always deploy with Keycloak (option 1). In its most basic form Keycloak allows us to manually set up user groups (study permission aggregates) and assign users. On top of that, Keycloak can integrate with external LDAP and/or IDP solutions in order to receive user permissions (study permission or group) from other sources.

You are correct, the RBAC system that is built into cBioPortal itself is quite limited. It is designed to use dedicated IDP solutions instead.

All the best,
Pim    



--
Pim van Nierop
Software Engineer / cBioPortal specialist
E p...@thehyve.nl
T +31(0)30 700 9713
M +31(0)6 29464525
W thehyve.nl
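To make the two avenues Pim describes concrete, here is an added example (not code from cBioPortal or The Hyve) that models how a deployment resolves study access from the roles Keycloak puts in the SAML assertion. The assumptions are labelled: roles arrive as a list of strings, an optional "cbioportal:" app-name prefix is stripped, a study is visible when the user holds a role equal to the study id (option 1), a role matching one of the entries in the study's `groups` metadata (option 2), or the catch-all role ALL, and a study tagged PUBLIC is visible to everyone. The sample studies and role sets are constructed for the example.

```python
"""Model of study-level RBAC driven by IdP roles (added example, not cBioPortal code).

Assumptions (not taken from the original thread):
- user roles are plain strings, optionally prefixed with "cbioportal:";
- `groups:` in a study's metadata is a ';'-separated list;
- role ALL grants every study, group PUBLIC makes a study open to all users.
"""
from dataclasses import dataclass, field

APP_NAME = "cbioportal"   # assumed app-name prefix on roles
ALL_ROLE = "ALL"          # assumed catch-all role
PUBLIC_GROUP = "PUBLIC"   # assumed "no restriction" group tag


@dataclass(frozen=True)
class Study:
    study_id: str
    groups: frozenset = field(default_factory=frozenset)  # normalized group tags


def normalize_role(role: str) -> str:
    """Strip the app-name prefix and compare case-insensitively."""
    role = role.strip()
    prefix = APP_NAME + ":"
    if role.lower().startswith(prefix):
        role = role[len(prefix):]
    return role.upper()


def parse_groups(meta_groups: str) -> frozenset:
    """Turn the `groups:` metadata value into a set of upper-cased tags."""
    return frozenset(g.strip().upper() for g in meta_groups.split(";") if g.strip())


def can_access(user_roles, study: Study) -> bool:
    """Option 1: role == study id. Option 2: role in study groups. Plus ALL/PUBLIC."""
    roles = {normalize_role(r) for r in user_roles}
    if ALL_ROLE in roles:
        return True
    if PUBLIC_GROUP in study.groups:
        return True
    if study.study_id.upper() in roles:
        return True
    # Group-based access: any shared tag between the user's roles and the study groups.
    return bool(roles & study.groups)


def visible_studies(user_roles, studies):
    """Sorted ids of the studies a user with these roles may open."""
    return sorted(s.study_id for s in studies if can_access(user_roles, s))


# Constructed sample data for the example.
SAMPLE_STUDIES = [
    Study("lung_pilot_2022", parse_groups("INTERNAL;LUNG_TEAM")),
    Study("brca_public", parse_groups("PUBLIC")),
    Study("colorectal_private"),  # no groups: reachable only via a per-study role or ALL
]


def demo():
    """Show what each role set sees; returns a dict so it can be inspected or tested."""
    role_sets = {
        "internal user": ["INTERNAL"],
        "per-study role": ["cbioportal:colorectal_private"],
        "no roles": [],
        "admin": ["ALL"],
    }
    return {name: visible_studies(roles, SAMPLE_STUDIES) for name, roles in role_sets.items()}


if __name__ == "__main__":
    for who, ids in demo().items():
        print(f"{who:15s} -> {ids}")
```

The practical point this makes visible: with option 2 a user who receives INTERNAL sees every study tagged INTERNAL, and narrowing that means editing study metadata in the database; with option 1 the same narrowing is a role assignment in Keycloak, which is why per-study roles scale better when permissions change often.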

Ray Perigo

Jan 12, 2022, 2:46:28 PM
to cBioPortal for Cancer Genomics Discussion Group
Thanks, Pim.

We've integrated our Keycloak instance with university Active Directory, but only so far as to allow authentication with university credentials and limit access at a broad level to members of an AD group (so only allowed users can even log into the service). Due to the nature of our AD tree and the finite needs of the stakeholders, we're currently just setting up access controls for individual studies within Keycloak itself.

I guess a question for the dev team would be whether it would be possible for future releases to bake in some more fine-grained RBAC controls within the app itself? It would be beneficial to assign study admin users, for example, who could select for themselves who can access the studies without admin intervention (either via a script or direct Keycloak / LDAP changes).

//Ray

Pim van Nierop

Jan 12, 2022, 3:39:11 PM
to Ray Perigo, cBioPortal for Cancer Genomics Discussion Group
Hi Ray,

The feature you request is not on the development road map. Perhaps the built-in fine-grained admin config of Keycloak might be useful?

All the best, 
Pim

On Wed, 12 Jan 2022 at 20:46, Ray Perigo <raymond...@gmail.com> wrote: