User Onboarding, Authentication, and Authorization
StrongDM provides a role-based access control (RBAC) system that brokers connections to resources. Access is granted through static access rules, through dynamic access rules evaluated against resource attributes and tags in the spirit of attribute-based access control (ABAC), or through temporary access grants that support a model of zero standing permissions.
Best Practices
- Use your existing SSO IDP solution for authentication into StrongDM
- Use SCIM provisioning to onboard and offboard users
- Use SCIM provisioning to authorize resource access for users by mapping StrongDM Roles with your IDP’s User Groups
- Configure break-glass local administrators for use in the event of an IDP outage
- Incorporate temporary access flows where possible as a step towards zero trust
SSO Authentication
StrongDM recommends using your existing single sign-on provider for authentication. This removes one set of static credentials, gives users a login experience they already know, and allows additional controls such as MFA, device posture enforcement, or any other pre-authentication IDP hooks the organization has already invested in.
StrongDM integrates with a variety of IDPs listed here for authentication.
SCIM Provisioning
SCIM Provisioning allows users to be onboarded and authorized for StrongDM Roles through automation with your existing IDP or entitlement provider. IAM administrators add and remove users from groups exactly as they do in their current workflows, which streamlines onboarding and offboarding and reduces the risk of errors in either direction.
SCIM Provisioning bridges StrongDM Roles and an organization’s entitlement groups.
Roles and Access Rules
StrongDM recommends managing user entitlements to SDM Roles via SCIM Provisioning, and using Dynamic Access Rules to automate Role definitions, especially for ephemeral environments.
Roles
Roles are defined by access rules, either static or dynamic, and are assigned to users to authorize them for resource access.
Static Access Rules
Static Access Rules explicitly assign one or more specific resources to a Role.
Dynamic Access Rules
Dynamic Access Rules assign resource access to members of the Role based on resource properties rather than explicit resource lists. Each Dynamic Access Rule is made up of two properties:
- Resource type. You can choose a specific type of resource, such as MySQL databases or EKS clusters, or you can choose All resource types.
- Resource tags. Tags are key-value pairs assigned to resources. An Access Rule may include up to 20 tags.
A Dynamic Access Rule grants access to every resource that meets all of the criteria specified in its properties. For example, specifying one database type and two tags grants access only to resources that are of that database type and carry both of those tags.
Temporary Access Flows
Time-based temporary access grants can be assigned within StrongDM via the Admin UI, SDKs, or CLI. It is recommended to use temporary access grants wherever possible, to reduce standing privileges.
For example, an organization in the early stages of moving towards a zero trust model may start by requiring all environments classified as sensitive or production to be accessed solely through temporary access grants, whereas development and sandbox environments are granted access via standing roles.
Mature organizations integrate their existing ITSM infrastructure and ticketing flows with the StrongDM SDKs to automate the request, approval, and assignment of temporary access grants. This grants access only when it is needed, reducing risk exposure, and captures a justification and approval for each grant, producing a more robust and granular audit trail.
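The following is an added worked example, not StrongDM code and not the StrongDM SDK API. It models the access resolution described in the Roles and Access Rules section and the Temporary Access Flows section together: a SCIM-style group-to-Role mapping gives standing access, a Dynamic Access Rule matches on resource type plus every tag (with the 20-tag limit), a Static Access Rule names resources explicitly, and a time-bounded grant adds a Role only while its window is open. All resource, role, group, user and ticket names are constructed placeholders.

```python
"""Illustrative model of role/rule/grant resolution (not the StrongDM SDK)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Set

MAX_TAGS_PER_RULE = 20  # limit stated in the Dynamic Access Rules section


@dataclass
class Resource:
    name: str
    type: str  # e.g. "mysql", "eks"
    tags: Dict[str, str]


@dataclass
class StaticAccessRule:
    """Explicitly named resources assigned to a Role."""
    resource_names: Set[str]

    def matches(self, r: Resource) -> bool:
        return r.name in self.resource_names


@dataclass
class DynamicAccessRule:
    """resource_type=None means 'All resource types'; every tag must match."""
    resource_type: Optional[str]
    tags: Dict[str, str]

    def __post_init__(self) -> None:
        if len(self.tags) > MAX_TAGS_PER_RULE:
            raise ValueError(f"a rule may include at most {MAX_TAGS_PER_RULE} tags")

    def matches(self, r: Resource) -> bool:
        if self.resource_type is not None and r.type != self.resource_type:
            return False
        # AND semantics: a resource must carry all of the rule's tags.
        return all(r.tags.get(k) == v for k, v in self.tags.items())


@dataclass
class Role:
    name: str
    rules: List[object] = field(default_factory=list)  # static and/or dynamic

    def resolve(self, inventory: List[Resource]) -> Set[str]:
        return {r.name for r in inventory if any(rule.matches(r) for rule in self.rules)}


@dataclass
class TemporaryGrant:
    """Time-bounded Role assignment; creates no standing membership."""
    user: str
    role: str
    valid_from: datetime
    valid_until: datetime
    justification: str  # ticket reference captured for the audit trail
    approved_by: str

    def active_at(self, t: datetime) -> bool:
        return self.valid_from <= t < self.valid_until


# --- constructed sample data (hypothetical names) ---
INVENTORY = [
    Resource("dev-orders-db", "mysql", {"env": "dev", "team": "payments"}),
    Resource("prod-orders-db", "mysql", {"env": "prod", "team": "payments"}),
    Resource("prod-payments-eks", "eks", {"env": "prod", "team": "payments"}),
    Resource("legacy-reporting-db", "postgres", {"env": "prod", "team": "finance"}),
]
ROLES = {
    "payments-dev": Role("payments-dev", [
        DynamicAccessRule("mysql", {"env": "dev", "team": "payments"})]),
    "payments-prod": Role("payments-prod", [
        DynamicAccessRule(None, {"env": "prod", "team": "payments"}),
        StaticAccessRule({"legacy-reporting-db"})]),
}
# SCIM-provisioned mapping: IDP group -> StrongDM Role (standing access).
# Production is deliberately absent here: it is reachable only via a grant.
GROUP_TO_ROLE = {"idp:payments-engineers": "payments-dev"}
USER_GROUPS = {"alice": {"idp:payments-engineers"}}
T0 = datetime(2024, 1, 15, 9, 0, tzinfo=timezone.utc)
GRANTS = [TemporaryGrant("alice", "payments-prod", T0, T0 + timedelta(hours=4),
                         justification="TICKET-PLACEHOLDER", approved_by="bob")]


def roles_for_user(user: str, at: datetime) -> Set[str]:
    standing = {GROUP_TO_ROLE[g] for g in USER_GROUPS.get(user, ()) if g in GROUP_TO_ROLE}
    temporary = {g.role for g in GRANTS if g.user == user and g.active_at(at)}
    return standing | temporary


def authorized_resources(user: str, at: datetime) -> Set[str]:
    names: Set[str] = set()
    for role_name in roles_for_user(user, at):
        names |= ROLES[role_name].resolve(INVENTORY)
    return names


if __name__ == "__main__":
    for t in (T0 + timedelta(hours=1), T0 + timedelta(hours=5)):
        print(t.isoformat(), sorted(authorized_resources("alice", t)))
```

Running the block prints the resources alice can reach one hour into the grant window (dev plus all production resources) and again an hour after it expires, when only the standing development access remains. Rule evaluation is separated from grant timing so that revoking the grant never requires editing Role definitions.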