Developers Documentation



301 error for file:

User Tools

Site Tools

Role-Based Access Controls in ClearOS

Role-based access controls (RBAC) is a best practice method for IT design where rights to resources is not granted to individuals but rather to groups. This allows a resource to have permissions to it based on a group instead of individuals. Within ClearOS, this method is almost universally applied.

The only case in which this is not applied is where access to a resource is wholly exclusive to the user. This is often permitted under role-based access design parameters. An example of exclusive access would be a home directory.

Compliance standards such as HIPAA, SOX, and PCI do not specify exact methods but rather principles of best practice. It is up to the individual organization to define exactly how their policies and procedures fulfill the intent of the law. ClearOS is not a replacement for a defined policy but has many tools that can be used to fulfill an organizations IT design goals and objectives.

HIPAA and other RBAC compliance in ClearOS

In the US, HIPAA is a regulation that governs the healthcare industry and requires, among other things, protection controls for Patient Health Information (PHI). As part of this protection, a minimalist attitude is required for access to data. Meaning that only information required by the healthcare worker necessary to perform their job should be within the access capabilities of the user. In all cases, logging of who accessed what data, when, and where is a requirement. ClearOS was designed with tools to make this part of how ClearOS works. Since RBAC is a best practice across many IT disciplines, ClearOS comes standard with many of the tools needed for HIPAA compliance as standard.


In the US, compliance to the Sarbanes-Oxley Act (SOX) is required of any company where the company ownership is publicly traded. Many IT implementations of SOX include RBAC by design.

Payment Card Industry Data Security Standard

In the US, companies that take payment via credit cards are required to comply with the Payment Card Industry Data Security Standard (PCI, or PCI-DSS). This standard also employs a requirement that only data required by a user should be accessible to the user. Often, RBAC is used as a best practice method to fulfill this requirement.

Directory Structure

Within ClearOS is a concept of a directory driver. This driver takes directory systems and makes it so that they can be applied within the POSIX standard in a uniform way. POSIX is a standard within Linux and BSD for specific layout of an operating system. Among the concepts is the user and group methods. ClearOS supports various directory drivers by default and could be made to use additional directories in a standard way. Currently, the following method exist in ClearOS:

  • OpenLDAP
  • Active Directory Synchronization (winbind)
  • Samba Directory (BETA)

While POSIX allows for methods other than RBAC, ClearOS controls limit the ability to defy this design by tightly integrating services so that they function out of the box in a RBAC manner. As state earlier, home directories is an exception to this rule. Within HIPAA and other standards, this is allowed for exclusive resources. This means that you cannot, within ClearOS' controls, make a home directory shareable to users other than the owner.

Under RBAC, users should not share passwords or have accounts that are globally used. ClearOS contains support even at the admin levels that allow for user-specific access such that even administrators do not share the common 'root' account. These controls are also group-based such that administrative tasks can be limited to the scope of authority for the IT worker. You will use the Administrators app and also the SSH Server app in order to setup admins for command line access. You may need to make changes to the sudoers file as well in order to lock down the command line in compliance with your RBAC goals.


File-sharing resources within ClearOS are designed around the RBAC model such that when a share is configured from within the Flexshares module, permissions are only assignable to groups. The standard practice is to create a group before creating the share. The group can have any number of users or no users at all assigned to it. Resources created in this manner allow an IT admin to add users or remove users from a group. The resource, after it is configured, does not require changes to its configuration in order to add users or remove their access. Instead, when properly configured, adding users to groups and removing them from groups is the mechanism by which access is granted.

For the Samba File shares within Flexshares, an additional tool may help fulfill your security policy: Under the 'File' method of Flexshares, you can set up the additional features:

  • Recycle Bin
  • Audit Log

For policies requiring a method of retention and data recovery (Sarbanes Oxley has such a requirement) adding the Recycle Bin option to a share can facilitate a greater capability of restoring deleted files. While this isn't an all inclusive method, it can be part of your greater backup and recovery strategy under your disaster recovery model.

For policies and requirements that need granular control and auditing of who changed what file, when, and where, setting up the audit log can provide a solid method for reporting on granular changes made to files by logging individual read, create, change, and delete methods applied to protected files.


In addition to files, services within ClearOS are also based within RBACs. ClearOS does this by creating special groups that are assigned to specific services. Within the user configuration page, specific services are available to be turned on and off. These are nothing more that groups that have access to services. Whether you are using Mail services, FTP, VPN, or other services, ClearOS implements RBAC access to the services needed by the user via groups.

Additional Information

CVE Database and Penetration Testing

ClearCenter maintains a database of known threats to ClearOS if you are working through your compliance with a audit service that tests features and services of ClearOS, you can use this database to answer vulnerability assessments.

In addition, if you have ClearCARE support through a ClearOS license (like ClearOS 7 Gold or Platinum), you can create a ticket and submit any pen test results. Any items missing from the ClearOS Vulnerabilities database will then be provided to you.

ClearGLASS Role Based Access Controls

As with ClearOS, ClearGLASS Business has RBACs necessary for compliance. You can read more about ClearGLASS RBACs here:

content/en_us/kb_role_based_access_in_clearos.txt · Last modified: 2018/05/25 09:44 by dloper