Itential Automation Gateway


Role Based Authorization

Overview

This guide explains how to configure and use Role Based Access Control (RBAC) for Itential Automation Gateway (IAG), which entails configuring roles and groups for IAG users. RBAC groups are composed of roles and users. A role grants a user access to one or more routes. Roles are auto-generated at server initialization from the information provided for each route in the IAG API documentation. A role name is derived from the tag name defined for a set of routes (e.g., modules, playbooks, nornir, terraform) combined with one of the action categories: read, write, exec, or history. Note that multiple routes can fall under a given action category.

Action Categories

These categories specify the actions that the role allows to be performed.

Action     Description
read       User has access to read API calls.
write      User has access to write API calls.
exec       User has access to execute API calls.
history    User has access to execution history API calls.

Sample Role Names

The following provides a sample list of role names.

  • modules:read
  • playbooks:write
  • terraform:exec
  • nornir:history

Along with roles, RBAC groups contain a set of users. Users that are members of a particular group will have access to the routes defined by the roles that have been configured for the group. Users and roles can be members of multiple groups.

Note: The RBAC group admin is automatically created by the IAG server upon the first boot up of a release with RBAC support. When doing an upgrade from a previous release that does not contain RBAC support, all existing users will automatically be added to the admin group upon first boot up of the server. The admin group contains all roles that are made available by the server. Users that are members of the admin group have access to all available routes.
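
The group and role model described above can be reviewed offline to see which users end up with which roles. The following is an added example, not Itential code: the GROUPS structure, the "*" stand-in for the admin group's full role set, and all group and user names are constructed for illustration and do not reflect any IAG export format.

```python
# Added example: models the group/role semantics described on this page.
# GROUPS is constructed sample data, not an IAG export format.
ACTIONS = {"read", "write", "exec", "history"}

GROUPS = {
    # "*" is an assumed stand-in for "all roles made available by the server".
    "admin": {"roles": {"*"}, "users": {"alice"}},
    "net-ops": {"roles": {"playbooks:exec", "playbooks:read", "nornir:history"},
                "users": {"bob", "carol"}},
    "auditors": {"roles": {"modules:read", "terraform:history", "playbooks:run"},
                 "users": {"carol"}},
}


def parse_role(name):
    """Split 'tag:action'; return None if the action is not a known category."""
    tag, sep, action = name.partition(":")
    if not sep or not tag or action not in ACTIONS:
        return None
    return tag, action


def effective_roles(groups):
    """Union of roles per user across every group the user belongs to."""
    result = {}
    for group in groups.values():
        for user in group["users"]:
            result.setdefault(user, set()).update(group["roles"])
    return result


def audit(groups):
    """Return findings: malformed role names, admin members, exec holders."""
    findings = []
    for name, group in sorted(groups.items()):
        for role in sorted(group["roles"] - {"*"}):
            if parse_role(role) is None:
                findings.append(("malformed-role", name, role))
    for user, roles in sorted(effective_roles(groups).items()):
        if "*" in roles:
            findings.append(("admin-member", user, "all routes"))
            continue
        for role in sorted(roles):
            parsed = parse_role(role)
            if parsed and parsed[1] == "exec":
                findings.append(("can-execute", user, role))
    return findings


if __name__ == "__main__":
    for finding in audit(GROUPS):
        print(*finding, sep="\t")
```

Because a user's access is the union of roles across all of their groups, the review has to be done per user rather than per group.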

Create a Group in IAG

To create groups within IAG:

  1. Log in to IAG as an administrator (a user with the admin role).
  2. Navigate to Authorization.
  3. Select Groups from the sidenav menu on the left. A list of all defined groups is displayed.
  4. Click on View All Groups and select the plus icon (+) on the top left corner of the page. The Create Group dialog displays.
  5. Enter the new group information, i.e., name and description.
  6. Assign appropriate roles to the group.
  7. Click Save to finalize your changes.

Figure 1: Create Group


Edit a Group

To edit groups within IAG:

  1. Log in to IAG as an administrator (a user with the admin role).
  2. Navigate to Authorization.
  3. Select Groups from the sidenav menu. A list of all defined groups is displayed.
  4. Locate the group in the list. You can filter the list by typing in the Search Groups field.
  5. Select the group in the list to view or edit.
  6. Edit the description, as desired.
  7. Edit roles and members, as desired.
  8. Click Save to finalize your changes.

Figure 2: Edit Group Roles


Figure 3: Edit Group Members


Delete a Group

Caution: This is a hard delete. Deleting a group will remove the role from all Users and Groups assigned to it.

Only IAG Groups created by end users can be deleted. The admin group cannot be deleted or modified.

  1. Select the group.
  2. Click the Delete button on the top right corner of the page.
  3. Confirm the deletion.

Managing Users

To manage users within IAG:

  1. Log in to IAG as an administrator (a user with the admin role).
  2. Navigate to Users.
  3. Locate the user in the list. Optionally, filter the list by typing in the Search Users field and pressing Enter, or click the search icon.
  4. Select the appropriate user from the list to view or edit.
  5. Edit attributes, as desired.
  6. Edit Groups, as desired.
  7. Click Save to finalize your changes.

Figure 4: Users


Figure 5: Edit Users
