Login
Contents x
RBAC Management
  • 12 Nov 2024
  • Dark
    Light
  • PDF
Contents

RBAC Management

  • Updated on 12 Nov 2024
  • Dark
    Light
  • PDF
Article summary

Role Based Authorization & Access

This articles provides information on Role Based Access Control (RBAC) for Itential Automation Gateway (IAG), which entails configuration of roles and groups for users of IAG. In the context of IAG, a role enables user access to a single route or multiple routes. They are auto-generated at the time of server initialization using information provided for each route found in the IAG API documentation. The name of a role is derived using the tag name (i.e., modules, playbooks, nornir, terraform, etc.) defined for a set of routes along with the action categories read, write, exec, and history. Note that multiple routes can fall under a given action category.

Action Categories

These categories specify the actions that the role allows to be performed.

Action Description
read User has access to read API calls.
write User has access to write API calls.
exec User has access to execute API calls.
history User has access to execution history API calls.

Sample Role Names

The following provides a sample list of role names.

  • modules:read
  • playbooks:write
  • terraform:exec
  • nornir:history

Along with roles, RBAC groups contain a set of users. Users that are members of a particular group will have access to the routes defined by the roles that have been configured for the group. Users and roles can be members of multiple groups.

The RBAC group admin is automatically created by the IAG server upon the first boot up of a release with RBAC support. When doing an upgrade from a previous release that does not contain RBAC support, all existing users will automatically be added to the admin group upon first boot up of the server. The admin group contains all roles that are made available by the server. Users that are members of the admin group have access to all available routes.

Managing Users & Groups in IAG

Groups are used to manage users who need the same permissions or restrictions. A summary of how to create, edit, and delete groups is presented below, along with how to manage user roles and permission sets that control access to areas and features within IAG.

Creating Groups

To create groups within IAG:

  1. Login to IAG as an administrator (a user with the admin role).
  2. Navigate to Authorization.
  3. Select Groups from the sidenav menu on the left. A list of all defined groups is displayed.
  4. Click on View All Groups and select the blue plus icon (+) in the top left corner of the page. The Create Group dialog displays.
  5. Enter the new group information, i.e name and description.
  6. Assign appropriate roles to the group.
  7. Click Save to finalize your changes.

Figure 1: Create Group

01_create_group

Editing Groups

To edit groups within IAG:

  1. Login to IAG as an administrator (a user with the admin role).
  2. Navigate to Authorization.
  3. Select Groups from the sidenav menu. A list of all defined groups is displayed.
  4. Locate the group in the list. You can filter the list by typing in the Search Groups field.
  5. Select the group in the list to view or edit.
  6. Edit the description, as desired.
  7. Edit roles and members, as desired.
  8. Click Save to finalize your changes.

Figure 2: Edit Group Roles

02_edit_group

Figure 3: Edit Group Members

03_group_members

Deleting Groups

Only IAG Groups created by end users can be deleted. The admin group cannot be deleted or modified.

This is a hard delete. Deleting a group will remove the role from all users and groups assigned to it.

  1. Select the group.
  2. Click the blue icon (stacked dots) in the upper-right corner of the page to reveal the Clone and Delete options.
  3. Select Delete. A prompt displays to confirm deletion of the group from the application.
  4. Click Delete.

Editing Users

To edit users within IAG:

  1. Login to IAG as Administrator (a user with the admin role).
  2. Navigate to Users.
  3. Locate the user in the list. Optionally, filter the list by typing in the Search Users field and pressing Enter, or click the search icon.
  4. Select the appropriate user from the list to view or edit.
  5. Edit attributes, as desired.
  6. Edit Groups, as desired.
  7. Click Save to finalize your changes.

Figure 4: Users

04_users

Figure 5: Edit Users

05_user_assign

Adding LDAP Users & Groups

For LDAP users to appear in the Automation Gateway Authorization Users list, you will need to:

  • Manually create each LDAP user; make sure the username matches the LDAP username.
  • Manually create the Groups in Automation Gateway to which the LDAP users will be added.

Groups are added as members to a role, and group members are listed as user members for the role. Therefore, once you have created the LDAP users and LDAP groups manually in Automation Gateway, and assigned all necessary permissions to each group, whenever an LDAP user of the same matching username logs in, that user is automatically added to the Group to which the user is a member and whatever role permissions are assigned to the group.

Was this article helpful?
What's Next
Privacy Policy
Cookie Policy
Terms of Use
EULA
Copyright © 2024 Itential for Developers
Change password!
Changing your password will log you out immediately. Use the new password to log back in.
Change profile
Success!
First name must have atleast 2 characters. Numbers and special characters are not allowed.
Last name must have atleast 1 characters. Numbers and special characters are not allowed.
Enter a valid email
Enter a valid password
Your profile has been successfully updated.
Logout