RBAC
Role Based Access Control as a Service using Okta

Abstract

This project implements Role-Based Access Control (RBAC) as a Service using Okta to manage user authentication and authorization. It enables secure access to applications by assigning permissions based on user roles, ensuring fine-grained control and compliance. The solution leverages Okta’s API for seamless integration, enhancing security and scalability.

About Our Client

Our client is a prominent provider of cloud-based communications to businesses and consumers who can communicate through any device using cloud-hosted chat, video, voice, and short message service.

We partnered with them to develop:

  • An automated solution to deliver on all aspects of RBAC, from employee onboarding through to employee offboarding.

  • A fine-grained access control approach that sets up clearly defined roles, permissions and protocols by implementing the principle of least privilege, thereby reducing the risk of granting unwarranted access.

  • An auditing and reporting functionality that provides objective insight, optimizes operational efficiency, and ensures compliance with standards and regulations.

Business Challenges

Business Needs

  • Seamless Integration with Okta and RBAC: Enable seamless communication between the user interface and Okta, ensuring accurate privilege cascading through RBAC.

  • Operational Efficiency: Reduce administrative overhead by automating user access management and minimizing manual interventions.

  • Controlled Access Management: Empower managers to monitor, modify, and control team access levels with ease.

Challenges

  • Role Clarity and Access Mapping: Maintain role clarity by defining business roles, managing privileges, and conducting periodic access reviews.

  • Streamlined User Lifecycle Management: Simplify onboarding, role changes, and offboarding for employees and third-party resources.

  • Access Synchronization: Keeping user roles and access levels consistent across multiple applications in real time is difficult; delays or errors cause mismatched access.

Solution Details

The RBAC solution automates user access management by integrating with Okta for identity management and ensuring compliance through various access validation mechanisms. The architecture leverages AWS services, REST APIs, and automated provisioning workflows to manage user roles, access approvals, and application assignments.

Key Components & Technologies:

  1. Identity & Access Management

  • Okta serves as the identity provider, handling user authentication and role assignments.
  • Okta Groups are used for business role mapping and application access management.

  2. Provisioning Workflow

  • An API Gateway facilitates REST API calls between Okta, the RBAC provisioning system, and external applications.
  • A Lambda function (RBAC Feeder) publishes provisioning configurations to an SQS queue, ensuring scalable and asynchronous processing.
  • A re-provisioning handler retrieves user role updates, while a retry handler ensures failed requests are retried efficiently.
  • A processing queue manages provisioning requests, with a Dead Letter Queue (DLQ) handling failed operations.

  3. Validation & Compliance

  • The VSA API Check validates access requests against predefined compliance rules.
  • Secrets Manager securely manages authentication credentials.
  • If access is denied, the system logs compliance failures and updates the Dashboard API Service.
  • Approved requests trigger the Handler Provisioning Workflow, updating business role configurations in the Web App Database.

  4. Business Role Management & Reporting

  • A dashboard service tracks RBAC request status and compliance failures.
  • A provisioning requests database logs user access requests for auditing.

This solution ensures a robust, scalable, and automated RBAC system, streamlining user access management while enforcing security and compliance.
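To make the provisioning workflow above concrete, here is an added example (not code from the project or the page) that models it in memory: a compliance check standing in for the VSA API Check, an application handler that fails transiently, a retry path that re-enqueues a request, and a dead-letter list that receives a request once its receive count reaches the redrive limit. The names (`ProvisioningRequest`, `FlakyAppHandler`, `process_queue`, `RESTRICTED`, `MAX_RECEIVE_COUNT`) and the sample requests are constructed for the demo; a real deployment would replace the deque with SQS calls and the constant with the queue's redrive policy.

```python
from collections import deque
from dataclasses import dataclass

MAX_RECEIVE_COUNT = 3  # assumption: stands in for the SQS redrive policy's maxReceiveCount


@dataclass
class ProvisioningRequest:
    request_id: str
    user: str
    business_role: str
    applications: tuple
    receive_count: int = 0


# Constructed rule set standing in for the VSA API Check: (role, app) pairs that may never be granted.
RESTRICTED = {("contractor", "payroll-app")}


def compliance_check(req):
    """Return the applications in the request that violate a compliance rule."""
    return [app for app in req.applications if (req.business_role, app) in RESTRICTED]


class FlakyAppHandler:
    """Constructed application handler whose first `fail_first_n` calls fail transiently."""

    def __init__(self, fail_first_n):
        self.fail_first_n = fail_first_n
        self.calls = 0
        self.granted = {}

    def provision(self, req):
        self.calls += 1
        if self.calls <= self.fail_first_n:
            raise ConnectionError("downstream application unavailable")
        self.granted.setdefault(req.user, set()).update(req.applications)


def process_queue(queue, handler, dlq, compliance_log, dashboard):
    """Drain the processing queue; returns the number of successful provisions."""
    provisioned = 0
    while queue:
        req = queue.popleft()
        req.receive_count += 1
        violations = compliance_check(req)
        if violations:
            # A denied request is a final outcome: log it and update the dashboard, never retry it.
            compliance_log.append((req.request_id, violations))
            dashboard[req.request_id] = "COMPLIANCE_FAILED"
            continue
        try:
            handler.provision(req)
            dashboard[req.request_id] = "PROVISIONED"
            provisioned += 1
        except ConnectionError:
            if req.receive_count >= MAX_RECEIVE_COUNT:
                dlq.append(req)  # retries exhausted: park it for an operator to inspect
                dashboard[req.request_id] = "DLQ"
            else:
                queue.append(req)  # retry handler: put it back for another attempt
    return provisioned


def run_demo(fail_first_n):
    """Feed three constructed requests through the pipeline and return the observable state."""
    queue = deque([
        ProvisioningRequest("r1", "alice", "engineer", ("jira", "github")),
        ProvisioningRequest("r2", "dan", "contractor", ("jira", "payroll-app")),
        ProvisioningRequest("r3", "bob", "engineer", ("jira",)),
    ])
    handler = FlakyAppHandler(fail_first_n)
    dlq, compliance_log, dashboard = [], [], {}
    ok = process_queue(queue, handler, dlq, compliance_log, dashboard)
    return ok, dashboard, compliance_log, [r.request_id for r in dlq]


if __name__ == "__main__":
    print(run_demo(2))   # two transient failures: everything compliant still lands
    print(run_demo(10))  # persistent failure: compliant requests end up in the DLQ
```

The point of the separation is that a compliance denial and a transport failure are different outcomes: the first is recorded and surfaced on the dashboard immediately, while the second is retried a bounded number of times before landing in the DLQ, so a broken downstream application never causes unbounded retries and never hides a policy violation behind a retry loop.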

Key Features of Solution

  • Role-Based Access Management: Assigns permissions based on predefined roles, ensuring users have appropriate access.
  • Granular Permission Control: Enables fine-grained access control to specific resources, APIs, and features within Vonage.
  • Approval Workflow for Access Requests: Requires manager or admin approval for assigning/revoking roles, ensuring security and compliance.
  • Audit Logging & Compliance: Tracks access activities, role changes, and approvals to meet compliance requirements and enable audit trails.
  • Periodic Access Reviews & Certification: Ensures ongoing compliance by requiring periodic reviews and re-certifications of user roles and access.
  • Integration with Vonage APIs & Services: Restricts or grants API access based on assigned roles, ensuring secure communication and resource usage.

Technical Details:

Our system consists of two main applications: RBAC Admin Management and RBAC Provisioning. Their inner workings are described below.

RBAC Admin Management

The main personas are Admin, Owner, Approver, Manager and Auditor, which are managed through RBAC Admin Management as follows:

  1. Admin:

This persona allows an admin to manage users and other admins, add and deactivate business roles (BRs), add and remove the applications list and related permission keys, and manage business role owners and approvers. A BR can only contain applications that are supported by the RBAC handlers. Thereafter, owners can add applications to a BR, update the configuration of the application, and send it for approval. Owners are validated through Okta APIs.

  2. Owner:

This persona covers users who are responsible for managing individual business roles. It provides functionality for managing the addition and removal of applications and their respective permissions in a particular BR. Once the owner makes changes, they are shared with an approver for approval, and the owner can also send reminders to the approver for follow-up.

  3. Approver:

This persona checks the configuration of a BR against the specific application configuration. An approver cannot make changes to a BR; s/he can only approve or reject changes.

  4. Manager:

This persona allows a manager to look at tickets created for a role change, which applications have been granted or revoked as part of the role change, and the corresponding user details. S/he can also assign a role to a new or existing user.

  5. Auditor:

This persona is implemented as part of the compliance requirements. An auditor can only track the state of any application in terms of user access to the application, roles assigned to users, and changes requested or approved for the business roles.

RBAC Provisioning

User login to the RBAC system is managed by Okta SSO. For permissions inside the web application, we use Okta groups: each persona has its own Okta group, and the level of access in the web application is defined per group. Any user with a valid assignment to one of the personas' Okta groups is able to log in to the web application.

The RBAC provisioning application is deployed in AWS. When the Business Role (BR) of a specific user changes, or is set or reset, the application is triggered through a REST endpoint by an Okta Workflow. It then starts an automation workflow in which application-specific handlers provision the appropriate access for the user, or change the user's access to applications, based on the BR mapping. The same automation workflow applies when de-provisioning roles.

In the case of re-provisioning, when a BR mapping changes, RBAC finds all the users in that BR and forces provisioning calls for each of them.

API Gateway allows only Okta server IP addresses to access the Gateway REST API.
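The re-provisioning rule above (when a BR mapping changes, every user in that BR gets a provisioning call) and the Admin rule that a BR may only contain applications supported by an RBAC handler can both be shown in one small planner. The following is an added example, not the project's code; `HANDLED_APPS`, the mapping and user tables, and the function names are constructed. It goes slightly beyond the text in one respect that matters for correctness: because a user can hold more than one BR, it diffs the user's effective access across all roles, so an application removed from one role is not revoked while another role still grants it.

```python
# Applications for which an RBAC handler exists; assumption: a BR may only reference these.
HANDLED_APPS = {"jira", "github", "slack", "okta-admin"}


def unknown_apps(mapping):
    """Applications referenced by a BR mapping that no RBAC handler can provision."""
    referenced = {app for apps in mapping.values() for app in apps}
    return referenced - HANDLED_APPS


def effective_apps(roles, mapping):
    """Union of the applications granted by every BR a user holds."""
    apps = set()
    for role in roles:
        apps |= set(mapping.get(role, ()))
    return apps


def plan_reprovisioning(old_mapping, new_mapping, user_roles, changed_role):
    """Grant/revoke actions per user in `changed_role` when its mapping moves from old to new.

    The diff is taken over each user's effective access rather than over the
    single role that changed, so an application still granted by one of the
    user's other roles is never revoked by mistake.
    """
    bad = unknown_apps(new_mapping)
    if bad:
        raise ValueError(f"no RBAC handler for: {sorted(bad)}")
    actions = {}
    for user, roles in user_roles.items():
        if changed_role not in roles:
            continue  # unaffected user: no provisioning call is forced
        before = effective_apps(roles, old_mapping)
        after = effective_apps(roles, new_mapping)
        grants, revokes = sorted(after - before), sorted(before - after)
        if grants or revokes:
            actions[user] = {"grant": grants, "revoke": revokes}
    return actions


# Constructed sample data: jira is dropped from "engineer" and slack is added.
OLD_MAPPING = {"engineer": {"jira", "github"}, "support": {"jira", "slack"}}
NEW_MAPPING = {"engineer": {"github", "slack"}, "support": {"jira", "slack"}}
USER_ROLES = {"alice": ["engineer"], "bob": ["engineer", "support"], "carol": ["support"]}


if __name__ == "__main__":
    # alice loses jira and gains slack; bob keeps both through "support"; carol is untouched.
    print(plan_reprovisioning(OLD_MAPPING, NEW_MAPPING, USER_ROLES, "engineer"))
```

Running the planner produces an action only for alice. bob holds the changed role too, so he receives a provisioning call, but it is a no-op because his "support" role still grants jira and slack; carol is not in the changed role and is skipped entirely.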

  • Identity Provider (IdP) Integration: Leverages Okta, OAuth, or SAML for secure authentication and role-based access control.
  • JWT-Based Access Control: Implements JSON Web Tokens (JWT) to securely pass user roles and permissions within API requests.
  • Database-Driven Role & Permission Mapping: Stores roles, permissions, and user-role assignments in a structured RBAC database model for scalability.
  • API Gateway Role Enforcement: Uses API Gateway policies to validate roles and permissions before allowing access to backend services.
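The JWT-based access control and API Gateway role enforcement points above come together in a gateway-side check: verify the token, read the group claims, and compare them with the permission the route requires before the request reaches a backend. The following is an added example, not code from the project or from Okta; the secret, the route table (`ROUTE_PERMISSIONS`), the group-to-permission table (`GROUP_PERMISSIONS`) and the `mint_token` issuer are constructed so the demo runs offline. It uses HS256 with a shared secret purely to stay dependency-free; Okta-issued access tokens are RS256-signed and must be verified against the issuer's JWKS instead.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo secret. Real Okta access tokens are RS256-signed and are verified against the
# issuer's JWKS, not a shared secret; HS256 is used here only to keep the example dependency-free.
SECRET = b"demo-shared-secret-not-for-production"

# Constructed route table standing in for the gateway's role-enforcement policy.
ROUTE_PERMISSIONS = {
    ("GET", "/users"): "users:read",
    ("POST", "/roles"): "roles:write",
}
# Constructed mapping from Okta group claim values to permissions.
GROUP_PERMISSIONS = {
    "rbac-admin": {"users:read", "roles:write"},
    "rbac-auditor": {"users:read"},
}


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(sub, groups, ttl=300, now=None):
    """Issue an HS256 JWT carrying the user's groups (demo issuer standing in for Okta)."""
    now = int(time.time()) if now is None else now
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"sub": sub, "groups": groups, "iat": now, "exp": now + ttl}).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_token(token, now=None):
    """Return the claims if the signature and expiry check out, otherwise None."""
    try:
        h64, p64, s64 = token.split(".")
        header = json.loads(_b64url_decode(h64))
        # Pin the expected algorithm; never let the token choose how it is verified.
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            return None
        expected = hmac.new(SECRET, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s64)):
            return None
        claims = json.loads(_b64url_decode(p64))
    except ValueError:  # wrong segment count, bad base64, or bad JSON
        return None
    now = int(time.time()) if now is None else now
    if not isinstance(claims, dict) or claims.get("exp", 0) <= now:
        return None
    return claims


def authorize(method, path, token, now=None):
    """Gateway decision as an HTTP status: 401 no valid token, 403 missing permission, 200 allowed."""
    claims = verify_token(token, now)
    if claims is None:
        return 401
    required = ROUTE_PERMISSIONS.get((method, path))
    if required is None:
        return 404
    granted = set()
    for group in claims.get("groups", []):
        granted |= GROUP_PERMISSIONS.get(group, set())
    return 200 if required in granted else 403


if __name__ == "__main__":
    auditor = mint_token("alice", ["rbac-auditor"])
    print(authorize("GET", "/users", auditor))   # 200: auditors may read users
    print(authorize("POST", "/roles", auditor))  # 403: auditors may not write roles
```

Two details carry the security weight: the algorithm is pinned rather than read from the token, and the signature is checked with a constant-time comparison before any claim is trusted. Authorization is then a pure lookup, which keeps the gateway policy auditable: the route table and the group-to-permission table are the whole decision.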
Results and Impact

  • Compliance: Ensures compliance with security regulations and reduces audit risks through periodic access certification.
  • Traceability: Enables tracking of role assignments, approvals, and their purposes for better access transparency.
  • Auto approval of JIRA access tickets: Saves time by eliminating the need to chase managers for JIRA access approvals through auto-approval.
  • Reduced administrative work: Reduces administrative work with automated rules and triggers.
Technology Used
React
Python
TypeScript
Serverless
Amazon API Gateway
Amazon SQS
Amazon S3
Okta
AWS Lambda


Tech Prescient
We unleash growth by helping our customers become data driven and secured with our Data and Identity solutions.
OUR PARTNERS
AWS Partner
Azure Partner
Okta Partner
Databricks Partner

© 2017 - 2025 | Tech Prescient | All rights reserved.