For AI agents: a documentation index is available at the root level at /llms.txt and /llms-full.txt. Append /llms.txt to any URL for a page-level index, or .md for the markdown version of any page.
Open sourceSupportFAQsDocs Home
DocumentationCommand referenceRelease notes
DocumentationCommand referenceRelease notes
  • Itential Automation Gateway
    • Overview
    • Execution engine
    • Concepts
    • Feature comparison
      • Overview
      • View gateway cluster details
      • Monitor cluster health and activity
      • Manage certificates
      • Configure proxy for Gateway Manager connections
      • Access control
    • IAG secret store
    • Inventory Manager
LogoLogo
Open sourceSupportFAQsDocs Home
On this page
  • RBAC Components
  • Built-in roles
  • Resource management roles
  • Service execution role
  • Access control model
  • Permission hierarchy
  • Service access methods
  • Implementation guide
  • Initial setup
  • Implementing least-privilege access
  • Organizational patterns
  • Troubleshoot
  • Gateway access issues
  • Service execution issues
  • Security best practices
Itential Automation GatewayGateway Manager

RBAC in Gateway Manager

Was this page helpful?
Previous

Service groups in Gateway Manager

Next
Built with

Gateway Manager implements a comprehensive Role-Based Access Control (RBAC) system that enables fine-grained permissions management for gateways, services, and administrative functions. This system allows administrators to control user access at multiple levels, from broad gateway access to specific service execution permissions.

RBAC Components

Gateway Manager’s RBAC system operates on a permission-based model with these key components:

  • Users: Individual accounts within the Itential Platform
  • Groups: Collections of users that share common access requirements
  • Roles: Specific permissions that define what actions can be performed
  • Resources: Gateways, services, service groups, and certificates that require access control

Learn more:

  • For detailed information on managing users, groups, and roles in:
    • On-premises Platform deployments, see Authorization.
    • Cloud deployments, see Manage roles and permissions.
  • For detailed information on creating and managing service groups, see Service Groups.

Built-in roles

Gateway Manager provides the following built-in roles:

Resource management roles

Certificates:

  • certificate:create - Upload and create new certificates
  • certificate:read - View certificate details and properties
  • certificate:delete - Remove certificates from Gateway Manager

Gateways:

  • gateway:create - Create new gateway clusters
  • gateway:read - View gateway cluster details and associated services
  • gateway:update - Modify gateway cluster configuration and settings
  • gateway:delete - Remove gateway clusters

Service Groups:

  • service-group:create - Create new service groups within gateways
  • service-group:read - View service group details and membership
  • service-group:update - Modify service group configuration and service assignments
  • service-group:delete - Remove service groups

Service execution role

  • service:run - Execute gateway services during workflow orchestration

Access control model

Permission hierarchy

Gateway access is controlled through group membership and role assignments:

  • Users can only access resources if they belong to a group with the appropriate role
  • The group must be explicitly assigned to the specific resource (gateway or service group)
  • Users with service:run can execute any services they have read access to

Service access methods

  1. Gateway-level access: gateway:read provides access to all services on that gateway
  2. Service group access: Provides granular control by limiting access to specific service subsets

For more information on configuring service groups, see Create a service group.

Implementation guide

Initial setup

Every gateway cluster includes a Default Service Group that:

  • Contains all services discovered on the gateway
  • Inherits all user groups assigned directly to the gateway cluster

Minimum permissions for service execution: Groups need both service:run and gateway:read roles, plus assignment to the gateway cluster.

Implementing least-privilege access

To restrict users to specific services:

  1. Create a user group with the service:run role and add relevant users
  2. Create a service group on the gateway containing only the required services
  3. Assign the user group to the service group (not directly to the gateway)

Result: Users see only the limited service subset and can execute only those services.

For step-by-step procedures, see Create a service group.

Organizational patterns

Team-Based: Create user groups per team, with corresponding service groups for team-specific services on each gateway.

Function-Based: Organize service groups by business function, allowing multiple user groups to access the same functional services.

Troubleshoot

Gateway access issues

Problem: User cannot view a gateway cluster

Solution:

  1. Verify user belongs to a group with gateway:read role
  2. Confirm the group is assigned to the gateway (check “Access” section in Gateway Manager)

Service execution issues

Problem: User cannot run a specific service

Solution:

  1. Verify user belongs to a group with service:run role
  2. Confirm a service group includes the desired service
  3. Ensure the user’s group is assigned to that service group

Security best practices

  • Start minimal: Begin with least privileges and add access as needed
  • Use service groups: Prefer service group assignments over gateway-level access for most users
  • Regular audits: Review user group memberships and role assignments periodically
  • Limit administrators: Restrict gateway creation/deletion permissions to essential personnel
  • Document access: Maintain clear records of role assignments and business justifications