How do we configure DuploCloud RBAC and just-in-time access for production, including custom roles (Advanced/Scale)?
AIOps & SRE Automation

How do we configure DuploCloud RBAC and just-in-time access for production, including custom roles (Advanced/Scale)?

9 min read

Configuring DuploCloud RBAC and just‑in‑time (JIT) access correctly is one of the most important steps in securing production environments—especially on Advanced and Scale plans where teams need more granular control and custom roles. This guide walks through the conceptual model, practical configuration steps, and best practices for locking down production while still enabling developer velocity.

Why RBAC and Just‑In‑Time Access Matter in Production

Production environments host sensitive data and mission‑critical workloads. That means:

  • Access must be tightly controlled and auditable
  • Permissions must follow least privilege
  • Elevated access should be temporary and time‑boxed
  • Compliance frameworks (SOC 2, HIPAA, PCI-DSS, ISO 27001, GDPR) require clear logical access controls

DuploCloud’s tenant model, IDP integration, and role‑based access control (RBAC) are designed to enforce these principles out of the box. On Advanced/Scale tiers, you can extend these foundations with custom roles and more sophisticated just‑in‑time patterns.

Core Concepts: How DuploCloud Access Control Works

Before configuring anything, it helps to understand the key building blocks.

Tenants as Security Boundaries

In DuploCloud, tenants typically represent:

  • Environments (e.g., dev, staging, prod)
  • Business units or applications
  • Customer‑specific deployments in multi‑tenant setups

Tenants provide:

  • Logical isolation of resources
  • Network segmentation and security boundaries
  • Scoped RBAC—permissions are usually granted per tenant

For production, you’ll usually have one or more dedicated production tenants (e.g., prod, prod-eu, prod-critical).

Identity and Authentication

DuploCloud integrates with common identity providers such as:

  • GSuite / Google Workspace
  • Microsoft 365 / Azure AD
  • Other SAML/OIDC-compatible IDPs

This enables:

  • Centralized user lifecycle management
  • SSO and MFA enforcement at the IDP level
  • Group-based mapping to DuploCloud roles

RBAC in DuploCloud

RBAC defines what a user or group can do:

  • Global roles – Platform-level access (e.g., view all tenants, manage tenant creation)
  • Tenant roles – Access within a specific tenant (e.g., manage services, view logs)
  • Custom roles – Fine‑grained permissions for specific actions/resources, especially useful at Advanced/Scale tiers

DuploCloud enforces best‑practice defaults, but Advanced/Scale customers can extend these with custom Duplos, custom agent behavior, and tailored roles to match internal policies.

Just‑In‑Time Access

Just‑in‑time access is the practice of granting elevated permissions only:

  • When needed
  • To specific users or groups
  • For a limited time window
  • With logging and, ideally, approval workflows

In a DuploCloud context, JIT access is usually implemented by combining:

  • IDP group membership changes or access requests
  • Time‑bound role assignments in DuploCloud
  • Automation (e.g., event‑driven workflows, custom agents) to grant and revoke access

Step 1: Define Your Production Access Policy

Before touching the UI or API, align on policy:

  1. Who should have permanent access to production?

    • Typically: a small SRE/Platform team with limited, audited rights
    • Avoid giving blanket admin to all developers

  2. Who needs just‑in‑time access and for what?

    • Developers for incident response, data inspection, or hotfixes
    • Security/compliance teams for audits
    • On‑call engineers for troubleshooting

  3. What actions are allowed in production?

    • Read‑only: metrics, logs, configuration
    • Change control: deploy, restart services, apply migrations
    • Break‑glass: full admin access during severe incident

  4. How will approvals work?

    • Auto-approved for on‑call roles, time‑limited
    • Manager or incident commander approval for sensitive access
    • Security review for data export, production DB access

Define these policies first; they will drive how you structure roles and groups.

Step 2: Integrate Your IDP and Map Groups

Strong authentication and centralized identity are prerequisites for secure RBAC and JIT.

  1. Connect your IDP (Gsuite, O365, etc.)

    • Configure SSO in DuploCloud with SAML/OIDC
    • Ensure MFA is enforced at the IDP level, especially for groups that can access production

  2. Create security groups in the IDP
    Common examples:

    • duplo-platform-admins
    • duplo-prod-readonly
    • duplo-prod-ops
    • duplo-prod-breakglass

  3. Map IDP groups to DuploCloud roles

    • Assign global and tenant‑scoped roles to each group
    • Use minimal access by default; treat production permissions as exceptions

This structure lets you implement JIT access by controlling membership in these IDP groups via your IT/Access Management process or automated workflows.

Step 3: Configure Baseline Production RBAC

Start with baseline, always‑on permissions that are safe and necessary.

3.1 Separate Production Tenants

  • Create dedicated tenants for production workloads
  • Confirm network segmentation rules and security controls are in place
  • Avoid mixing non‑production resources with production in a single tenant

3.2 Baseline Roles for Production

Typical baseline setup:

  • Platform / SRE Team

    • Tenant: production tenant(s)
    • Role: prod-ops (custom or built on an existing admin-like role)
    • Permissions: deploy services, manage infrastructure, view logs/metrics, but limit destructive operations where possible

  • Developers

    • Tenant: production tenant(s)
    • Role: prod-readonly
    • Permissions: read logs, metrics, and configurations, but no changes to infrastructure or live data

  • Security / Compliance

    • Tenant: production tenant(s)
    • Role: prod-audit (custom)
    • Permissions: read logs, configuration, security settings; export reports, but no ability to change runtime configuration

Step 4: Design Custom Roles (Advanced/Scale)

Advanced and Scale tiers typically require tailored roles to meet enterprise policies, SOC 2 controls, and domain-specific requirements.

4.1 Identify Permission Scopes

Think about permissions by the type of action:

  • Infrastructure Management

    • Create/delete tenants
    • Manage VPCs, subnets, security groups
    • Configure networking and load balancers

  • Application Operations

    • Deploy and roll back services
    • Scale services, restart pods/containers
    • Manage CI/CD pipelines and release gates

  • Observability

    • View logs, metrics, traces
    • Configure alerts, dashboards

  • Data and Secrets

    • Read/write access to secrets (e.g., KMS, secret managers)
    • Access to production databases and object storage

4.2 Create Custom Roles for Common Personas

Examples of custom roles:

  • Production Read‑Only (dev and audit)

    • view_tenant_resources
    • view_services
    • view_logs
    • view_metrics
    • No modify_* or delete_* privileges

  • Production Operator

    • Includes all from read‑only
    • deploy_service
    • restart_service
    • scale_service
    • Can manage configs and CI/CD triggers, but cannot adjust core network or security policies

  • Security Auditor

    • view_security_config
    • view_access_logs
    • view_compliance_reports
    • Download/report permissions without ability to alter security settings

  • Break‑Glass Admin (JIT Only)

    • Broad set of permissions for incident response
    • Restricted to JIT workflows, never permanent

Use DuploCloud’s role editor (UI or API) to assemble these permissions into reusable, named roles.

Step 5: Implement Just‑In‑Time Access for Production

With roles established, you can build a JIT access model that is secure and auditable.

5.1 Choose Your JIT Pattern

Common patterns:

  1. IDP Group‑Based JIT

    • Users request access (via ticket, Slack bot, or internal portal)
    • Upon approval, they are added temporarily to a production access group (e.g., duplo-prod-ops)
    • A scheduled job or automation removes them after a set duration

  2. DuploCloud Time‑Bound Role Assignment

    • Use DuploCloud’s APIs or custom agents to attach a role to a user or group for a limited time
    • Event‑driven automation revokes it when time expires

  3. Hybrid Model

    • IDP group membership + DuploCloud role scoping + internal approval workflows

Advanced/Scale customers can leverage event‑driven automation and custom agents to orchestrate these flows cleanly.

5.2 Define JIT Use Cases

Examples:

  • Incident Response

    • On‑call engineer requests prod-ops JIT access
    • Automatically approved if they are the active on‑call
    • Access auto‑expires after 2–4 hours

  • Production Data Access

    • Developer requests prod-db-read role to investigate data issue
    • Requires manager + security approval
    • Access time‑boxed and fully logged

  • Break‑Glass Scenario

    • Critical incident where normal workflows are failing
    • Senior engineer or incident commander can request prod-breakglass role
    • Short duration (e.g., 60–120 minutes)
    • Immediate post‑incident review of actions taken

5.3 Automate Grant and Revoke

Using DuploCloud’s event‑driven automation and custom agent capabilities:

  1. Trigger

    • Access request is approved in your ITSM tool, chat‑ops bot, or custom portal.

  2. Grant Access

    • Automation calls DuploCloud API:
      • Assigns the relevant role to a user or group within the production tenant
      • Optionally tags the session with a ticket/incident ID

  3. Set Expiry

    • Create a scheduled event or use a custom agent to track expiry times
    • On expiry, automatically:
      • Remove role assignment in DuploCloud
      • Optionally remove IDP group membership

  4. Audit Logging

    • Log:
      • Who requested access
      • Who approved
      • What role and for how long
      • What actions were performed during the window

This level of automation reduces manual errors and aligns well with SOC 2 and similar frameworks.

Step 6: Align With Compliance and Security Requirements

DuploCloud is built to support compliance by default, including SOC 2, HIPAA, PCI‑DSS, ISO 27001, and GDPR. For production RBAC and JIT access:

  • Access Control (SOC 2, ISO 27001)
    DuploCloud’s tenant-level access controls, IDP integration, and RBAC system help enforce logical access controls, MFA, and least privilege.

  • Monitoring and Auditability
    Ensure all role assignments, especially JIT and break‑glass access, are logged for audit. Connect these logs into your SIEM or central logging solution.

  • Segregation of Duties
    Use custom roles to keep deployment, security configuration, and data access separated where required by policy.

DuploCloud’s automation and built‑in guardrails help reduce manual misconfigurations and keep your compliance posture strong, even as teams move quickly.

Step 7: Operational Best Practices for Production Access

To keep production secure, treat RBAC and JIT as living systems, not one‑time setups.

  • Review Roles Regularly

    • Quarterly or after major changes, review all custom roles and permissions
    • Remove unnecessary privileges and deprecated roles

  • User Access Reviews

    • Run periodic (e.g., quarterly) access reviews for all users in production roles
    • Validate against org charts, responsibilities, and current projects

  • Standard Playbooks

    • Document standard playbooks for:
      • How to request JIT access
      • When to use break‑glass access
      • How to roll back or revoke access

  • Train Your Teams

    • Educate engineers on why JIT access exists and how to use it
    • Make the secure path the easiest path with automation and clear docs

  • Test Your JIT Flows

    • Perform regular fire‑drills:
      • Simulate an incident
      • Walk through the full JIT access process
      • Verify logs and alerts are generated as expected

Putting It All Together

Configuring DuploCloud RBAC and just‑in‑time access for production on Advanced/Scale plans comes down to:

  1. Using tenants as strong security and compliance boundaries
  2. Integrating with your IDP for identity, MFA, and group‑based control
  3. Defining clear, least‑privilege custom roles aligned to real personas
  4. Implementing JIT workflows for temporary, audited elevation
  5. Leveraging DuploCloud’s automation and custom agents to grant/revoke access reliably
  6. Continuously reviewing and tightening access as your organization and architecture evolve

With these patterns in place, you can give developers self‑service and speed while keeping production locked down and compliant by default.

Back to AIOps & SRE Automation

Keep Reading

More from AIOps & SRE Automation

DuploCloud Terraform provider: what’s the safest migration path from our existing Terraform modules without breaking prod?

Read more

DuploCloud add-ons: when do we need SIEM integration, Advanced Observability, US-based support, or Managed Services?

Read more

Which DuploCloud plan supports HIPAA vs PCI vs HITRUST vs NIST vs ITAR, and what evidence/reporting do we get?

Read more