Role-Based Access (RBAC) Guidelines
The gateway uses a role-based access (RBAC) system for assigning roles to individual users. Many roles are predefined on the Gateway, while other roles are created on an as-needed basis to manage new entities.
CA API Gatewayuses a role-based access (RBAC) system for assigning roles to individual users. Many roles are predefined on the Gateway, while other roles are created on an as-needed basis to manage new entities.
PCI DSS has specific rules around compartmentalizing access to cardholder data, or systems that have cardholder data going through them. This topic provides guidelines on roles to help you remain compliant.
The Administrator role allows a user to administer all aspects of the Gateway, using the Policy Manager. One exception: The Administrator role cannot invoke the Audit Viewer Policy. However, Administrators can assign someone to the Internal Use Policies.
Due to the power of the administrator role, it is recommended that administrators do not also give themselves the Invoke Audit Viewer role, but rather assign this role to someone else.
Keep the number of administrative users to a minimum, as dictated by your business needs.
Invoke Audit Viewer Role
The Invoke Audit Viewer Role lets a user view audit records protected by an Audit Message Filter (AMF) policy. This role is not granted to any user by default and only an Administrator can grant this role to other users.
In a PCI DSS compliant deployment, the Gateway should use the AMF policy to protect cardholder data in audit records. If users are using the AMF policy to protect cardholder data in audit records, the Invoke Audit Viewer roles allows users to view protected audit data. Grant this role only to individuals who have a business need to view this data.
View Audit Role
The View Audit role allows users to view audits, but does not allow the AV Policy to be applied to protected audit records. Audits containing no protected data are shown in clear text, while any protected audit records are displayed in their protected format.