RBAC for Infrastructure Engineer


I feel this is a rather basic question, but somehow I'm unable to find a good answer.

Recently, auditors have been complaining about the Role Based Access Control for our cloud setup. My team is responsible for the cloud infrastructure (aka cloud engineering, site reliability engineering or DevOps), so we basically have all the rights. Personally I think this makes sense, given that we are responsible for setting everything up and, where necessary, removing it again. We're Shiva.

But I also understand this is a problem, especially because we can see into all the databases, buckets, etc. So what I'm looking for is an access level (say "maintainer") that is able to create and delete databases but not look into them.

Does this exist, and what is it called? If it doesn't, how is this commonly solved?


RBAC should be approached this way:

  1. Define the ROLES in your system. For example, "database administrator", "database user", "database BI user".
  2. Assign the infrastructure permissions to each role.
  3. Assign each user the roles it needs to perform its duties.
  4. Enforce and monitor your RBAC policies. Prepare procedures to onboard and offboard users.
  5. Automate everything you can.
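The following is an added example, not code from the question or the answer above, showing the answer's steps 1 to 4 in a small RBAC model and the "maintainer" role the question asks for. The split it relies on is between lifecycle actions on a resource (create, delete, resize, describe) and data actions on its contents (read, write); a role that carries only the former can manage a database without reading it. All role, permission and user names are hypothetical.

```python
"""Minimal RBAC model: roles -> permissions, users -> roles, an enforcement
check with an audit trail, and a separation-of-duties pass that flags users
who can both manage and read the same kind of resource.
Added example; role, permission and user names are hypothetical."""
from collections import defaultdict

# A permission is (action, resource_type). Lifecycle actions manage the
# resource itself; data actions touch its contents. Keeping the two sets
# apart is what lets a maintainer create and delete a database without
# being able to look inside it.
LIFECYCLE_ACTIONS = {"create", "delete", "resize", "describe"}
DATA_ACTIONS = {"read", "write"}

# Steps 1 and 2: define the roles and the permissions each one carries.
ROLES = {
    "db_maintainer": {("create", "database"), ("delete", "database"),
                      ("resize", "database"), ("describe", "database")},
    "bucket_maintainer": {("create", "bucket"), ("delete", "bucket"),
                          ("describe", "bucket")},
    "db_user": {("read", "database"), ("write", "database")},
    "db_bi_user": {("read", "database")},
}


class Rbac:
    def __init__(self, roles):
        self.roles = roles
        self.user_roles = defaultdict(set)
        self.audit_log = []  # every access decision, for monitoring

    # Step 3: users receive roles, never raw permissions.
    def grant(self, user, role):
        if role not in self.roles:
            raise KeyError(f"unknown role: {role}")
        self.user_roles[user].add(role)

    def revoke_all(self, user):
        """Offboarding: drop every role the user holds in one step."""
        self.user_roles.pop(user, None)

    def permissions(self, user):
        """Effective permissions = union of the user's roles."""
        return set().union(*(self.roles[r]
                             for r in self.user_roles.get(user, ())))

    # Step 4: enforce, and record the decision either way.
    def check(self, user, action, resource_type):
        allowed = (action, resource_type) in self.permissions(user)
        self.audit_log.append((user, action, resource_type, allowed))
        return allowed

    def sod_violations(self):
        """Users holding both lifecycle and data permissions on the same
        resource type: the 'can delete it and can read it' combination
        that the question's auditors objected to."""
        found = []
        for user in self.user_roles:
            perms = self.permissions(user)
            for rtype in {r for _, r in perms}:
                acts = {a for a, r in perms if r == rtype}
                if acts & LIFECYCLE_ACTIONS and acts & DATA_ACTIONS:
                    found.append((user, rtype))
        return sorted(found)


def demo():
    """Constructed sample assignments: an infrastructure engineer, an
    analyst, and a user who accumulated conflicting roles over time."""
    rbac = Rbac(ROLES)
    rbac.grant("alice", "db_maintainer")
    rbac.grant("alice", "bucket_maintainer")
    rbac.grant("bob", "db_bi_user")
    rbac.grant("carol", "db_maintainer")
    rbac.grant("carol", "db_user")
    return rbac


if __name__ == "__main__":
    r = demo()
    print("alice delete database:", r.check("alice", "delete", "database"))
    print("alice read database:  ", r.check("alice", "read", "database"))
    print("SoD violations:", r.sod_violations())
```

Real cloud IAM systems make the same distinction in their own vocabulary (control-plane actions on an instance or bucket versus data-plane access to rows and objects), so the "maintainer" role is expressible, but it is only as good as the lifecycle set: an engineer who can snapshot a database and restore it somewhere they control, or reset its admin credentials, can still reach the data through a side door. The `sod_violations` pass is the kind of check to run on every assignment change, and `revoke_all` is the offboarding step from point 4.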