Skip to main content
All CollectionsTechnical Notes
Creating a Proper Permissions Hierarchy for Operational Technology
Creating a Proper Permissions Hierarchy for Operational Technology

Understand Dispel's permissions hierarchy

Ethan S avatar
Written by Ethan S
Updated over a year ago

When it comes to managing operational technology, creating a proper permissions hierarchy is essential to maintaining security and ensuring that employees have access to the tools and information they need to do their jobs. In this article, we will discuss the logical structure of Dispel's permissions schema and the permissions controls at each tier. We will also cover how users are created and managed, as well as how request access flows work within the Dispel platform. Finally, we will discuss how digital forensics are used to maintain accountability and auditing within the system.

Logical Structure

Dispel’s permissions schema resides within a stacking hierarchy framework where roles and permissions are scoped within their respective tier. Users can belong to or have permissions to multiple tiers simultaneously.

Organization

Organization is the parent level, and are typically tied to the contracting company or business division. For example, the Organization level in our example is the Acme Brewing Co.

Region

A Region is a SD-WAN communications backbone in a geographic region. Regions are therefore both a logical construct in the Dispel dashboard and a physical segmentation. Regions may be scoped to a wider area (e.g., North America), or a smaller zone (e.g., US East). All Regions are physically segmented from one another.

While you can name a Region whatever you want, the actual Region location is dictated by the availability of a public cloud provider in that area. In our example, Acme Brewing Co. might have a plant in Vermont and choose to have a Vermont-Maine Region, but if the nearest data center is in Virginia then that is physically where the Region will function out of.

Facility

A Facility is the physical installation connected into the Region. Here, the Acme Brewing Co. has a Boston Plant making beer in their North American Region.

Most facilities are easy to define: it’s a factory, a power plant, dam, or some other installation. You might also have smaller sub-facilities such as distributed sensors, floodgates, and wind turbines.

Device

Devices are the hardware and software devices inside of a Facility. Often these are HMIs, PLCs, DCS. Fundamentally, control and visibility of what devices people and machines have access to inside of a facility is what the Dispel platform is about.

Permissions

Permissions are scoped within each tier, and each tier enjoys its own permission controls.

Tier

Role

Function

Organization

Admin

Root level administrator role. Can set Organization-wide security settings; administer Regions, Facilities, and Devices; and manage users.

User

Belongs to the Organization and can be added lower tiers. Does not have access to anything automatically.

Regions

Admin

Can administer Region settings, and manage Facilities and Users within the Region.

User

Belongs to the Region. Does not have access to anything automatically.

Facility

Admin

Can administer Facility settings and manage Devices and Users within the Facility.

Access Request Approver

Can approve or deny Access Requests to the Facility.

User

Can have access to Devices in the Facility. Does not have access to anything automatically.

Device

User

Allows access to a device by IP address, port, and protocol.

User Creation

Users may be created in Dispel through the native Privileged Access Management system, or through an integration with a federated identity provider. Dispel supports Okta and Microsoft Active Directory. For more information on how Dispel handles federated authentication, see this article.

Role-Based Access Control: Users & Groups

Dispel allows permissions to be set and scoped down to individual users. It is also common for users to be assigned to a group based on their role in the organization, and their permissions therefore correspond to that role. This principal is commonly known as Role-Based Access Control.

Request Access Flows: Interwoven IT & OT Security Roles

Once a hierarchy and permissions have been established, standardized process flows within the Dispel platform should be used.

Dispel permissions are designed for IT and OT operational workflows. Typically, IT decides which vendors and employees are approved to request access to environments. IT and/or OT may decide which environments (Regions, Facilities, Devices) those users and groups have access to and at what level.

With the Request Access Flow module Administrators can select which users at a Facility-level are allowed to approve access requests. Typically, the approvers are OT plant managers running day-to-day operations.

Immutable Digital Forensics

User and Administrator—including Owner—activities are logged in the dashboard in an immutable state. Logs provide information on user activity, access requests, sessions, and account changes. These provide a clear record of changes made within the system by all users. Digital forensics are preserved for auditing and accountability and cannot be changed or deleted.

Dashboard event logs operate in addition to remote access system logging and session recordings.

Did this answer your question?