Adjust custom_role examples to be more realistic

2025-12-06 09:12:45 +01:00 · 2021-09-14 14:03:22 -04:00
parent ff989b1c73
commit 9970e54081
1 changed files with 10 additions and 7 deletions
--- a/salt/soc/files/soc/custom_roles
+++ b/salt/soc/files/soc/custom_roles
@@ -9,12 +9,15 @@
 # Syntax      => prebuiltRoleX: customRoleY: op
 # Explanation => roleY and roleZ are adjusted permissions of roleX, op is:
 #                + add the new permissions/role mappings (default)
-#                - remove existing prebuilt permissions
+#                - remove existing "explicit" prebuilt permissions. This 
+#                  does not work with implictly inherited permissions.
 #
-# In the example below, we will define a new role for junior analysts,
-# that is nearly identical to the analyst role that comes with SOC, with the
-# exception that it removes their ability to obtain details about other 
-# analysts in the system.
+# In the example below, we will define two new roles for segregating
+# analysts into two regions. Then we will remove the ability for all
+# analysts to see the roles of other analysts. (Seperately we will need to
+# define these two new roles in Elasticsearch so that each analyst region 
+# can only see data from their specific region's indices, but that is out 
+# of scope from this file.)
 #
-# analyst:        jr_analyst
-# user-monitor:   jr_analyst:-
+# analyst:        westcoast_analyst, eastcoast_analyst
+# roles/read:     user-monitor:-