RBAC in Gateway Manager
Gateway Manager implements a comprehensive Role-Based Access Control (RBAC) system that enables fine-grained permissions management for gateways, services, and administrative functions. This system allows administrators to control user access at multiple levels, from broad gateway access to specific service execution permissions.
RBAC Components
Gateway Manager’s RBAC system operates on a permission-based model with these key components:
- Users: Individual accounts within the Itential Platform
- Groups: Collections of users that share common access requirements
- Roles: Specific permissions that define what actions can be performed
- Resources: Gateways, services, service groups, and certificates that require access control
Learn more:
- For detailed information on managing users, groups, and roles in:
  - On-premises Platform deployments, see Authorization.
  - Cloud deployments, see Manage roles and permissions.
- For detailed information on creating and managing service groups, see Service Groups.
Built-in roles
Gateway Manager provides the following built-in roles:
Resource management roles
Certificates:
- certificate:create - Upload and create new certificates
- certificate:read - View certificate details and properties
- certificate:delete - Remove certificates from Gateway Manager
Gateways:
- gateway:create - Create new gateway clusters
- gateway:read - View gateway cluster details and associated services
- gateway:update - Modify gateway cluster configuration and settings
- gateway:delete - Remove gateway clusters
Service Groups:
- service-group:create - Create new service groups within gateways
- service-group:read - View service group details and membership
- service-group:update - Modify service group configuration and service assignments
- service-group:delete - Remove service groups
Service execution role
- service:run - Execute gateway services during workflow orchestration
Access control model
Permission hierarchy
Gateway access is controlled through group membership and role assignments:
- Users can only access resources if they belong to a group with the appropriate role
- The group must be explicitly assigned to the specific resource (gateway or service group)
- Users with service:run can execute any services they have read access to
Service access methods
- Gateway-level access: gateway:read provides access to all services on that gateway
- Service group access: Provides granular control by limiting access to specific service subsets
For more information on configuring service groups, see Create a service group.
Implementation guide
Initial setup
Every gateway cluster includes a Default Service Group that:
- Contains all services discovered on the gateway
- Inherits all user groups assigned directly to the gateway cluster
Minimum permissions for service execution: Groups need both service:run and gateway:read roles, plus assignment to the gateway cluster.
Implementing least-privilege access
To restrict users to specific services:
- Create a user group with the service:run role and add relevant users
- Create a service group on the gateway containing only the required services
- Assign the user group to the service group (not directly to the gateway)
Result: Users see only the limited service subset and can execute only those services.
For step-by-step procedures, see Create a service group.
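The following model, added here as an illustration and not Itential's own code or API, encodes the access rules described in the access control model section and the least-privilege procedure above: group membership, roles, direct cluster assignment (covering the Default Service Group) and service group assignment. The group, user and service names are constructed assumptions.

```python
# Constructed model of the access rules described on this page (added example,
# not Itential's code): users -> groups -> roles, and groups are assigned either
# directly to a gateway cluster or to one of its service groups.
from dataclasses import dataclass

@dataclass
class Gateway:
    services: set          # every service discovered on the cluster
    service_groups: dict   # service group name -> subset of services
    cluster_groups: set    # user groups assigned directly to the cluster
    sg_groups: dict        # service group name -> user groups assigned to it

def group_readable_services(group, roles, gw):
    """Services one user group can see on the gateway."""
    visible = set()
    # Direct cluster assignment plus gateway:read covers the Default Service
    # Group, i.e. every service discovered on the gateway.
    if group in gw.cluster_groups and "gateway:read" in roles.get(group, set()):
        visible |= gw.services
    # A service group assignment exposes only that subset.
    for sg, groups in gw.sg_groups.items():
        if group in groups:
            visible |= gw.service_groups[sg]
    return visible

def can_view_gateway(user, memberships, roles, gw):
    return any(g in gw.cluster_groups and "gateway:read" in roles.get(g, set())
               for g in memberships.get(user, set()))

def visible_services(user, memberships, roles, gw):
    return set().union(*(group_readable_services(g, roles, gw)
                         for g in memberships.get(user, set())))

def can_run_service(user, memberships, roles, gw, service):
    """service:run lets a user execute any service they have read access to."""
    groups = memberships.get(user, set())
    has_run = any("service:run" in roles.get(g, set()) for g in groups)
    return has_run and service in visible_services(user, memberships, roles, gw)

# Constructed sample tenant: names, services and groups are illustrative.
ROLES = {"net-admins": {"gateway:read", "gateway:update", "service:run"},
         "backup-ops": {"service:run"},        # least-privilege pattern
         "auditors": {"gateway:read"}}         # can see, cannot run
MEMBERSHIPS = {"alice": {"net-admins"}, "bob": {"backup-ops"}, "carol": {"auditors"}}
GW = Gateway(services={"backup-config", "reboot-device", "show-version"},
             service_groups={"backups": {"backup-config"}},
             cluster_groups={"net-admins", "auditors"},
             sg_groups={"backups": {"backup-ops"}})
```

Running the checks against this sample reproduces the troubleshooting cases above: bob cannot view the cluster but can run only the service in his service group, and carol can view everything but run nothing because her group lacks service:run.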
Organizational patterns
Team-Based: Create user groups per team, with corresponding service groups for team-specific services on each gateway.
Function-Based: Organize service groups by business function, allowing multiple user groups to access the same functional services.
Troubleshoot
Gateway access issues
Problem: User cannot view a gateway cluster
Solution:
- Verify user belongs to a group with gateway:read role
- Confirm the group is assigned to the gateway (check “Access” section in Gateway Manager)
Service execution issues
Problem: User cannot run a specific service
Solution:
- Verify user belongs to a group with service:run role
- Confirm a service group includes the desired service
- Ensure the user’s group is assigned to that service group
Security best practices
- Start minimal: Begin with least privileges and add access as needed
- Use service groups: Prefer service group assignments over gateway-level access for most users
- Regular audits: Review user group memberships and role assignments periodically
- Limit administrators: Restrict gateway creation/deletion permissions to essential personnel
- Document access: Maintain clear records of role assignments and business justifications