Authorization | Itential

Authorization is the main interface in Admin Essentials for administering and viewing users, groups, and roles. Available views, features, and interactions in the UI are limited based on user permissions.

There are two ways to access Authorization: from the Itential Platform home page, navigate to Admin Essentials → Quick Start → Authorization; or click Authorization in the left sidebar to open the accordion menu.

If you have Cisco NSO and want to use the NSO External Authentication script, network connectivity is required between the two (typically port 3000). For more information, see the NSO Network Adapter Integration guide.

Terminology

Term	Definition
User	An entity that can perform specific actions within multiple Itential Platform applications based on group associations.
Group	A collection of roles that can be assigned to a user.
Role	A collection of granular-level privileges that can be assigned to groups.
Permission	Authorization granted to an API and a specific page view.
Provenance	Refers to the source (origin) of a group. For external groups, this is set to the Itential Platform AAA `adapterId`. For Itential Platform groups, it is not set.

Users

A user is an entity that comes from an external AAA system such as LDAP. All operations within Itential Platform are associated with a user. Itential Platform provides the ability to assign roles directly to users, and administrators can manage user membership through groups. Users may be members of any number of groups and, through group membership, may be assigned any number of roles.

User roles — whether directly assigned or inherited from a group — determine what the user can see and do within Itential Platform. The final permission set of a user is a combination of permissions granted to all roles assigned to the user and to any groups of which the user is a member.

Viewing and filtering users

Because users are accounts from an external system, Itential Platform creates a user record when someone has successfully logged in using their AAA system credentials.

To view the Authorization → Users table, you must have permission for the authorization.getAccounts method. This allows you to access the page, view the list of users, and see their login status.

The indicator circles under the Active column header denote the login status of each user:

Blue: User is currently logged in.
Red: User who is deactivated.
Grey: User who is not logged in.

Active Login Session Management was made available in release versions 2023.2 and higher. The ability to view active login sessions is not available in earlier release versions of Itential Platform.

The Users table can be filtered by login status using the popover menu in the top-right. Click the vertical ellipsis (⋮) to display two filter toggles: Show Active Users Only and Show Deactivated Users.

Configuring role assignments for users

There are two ways to assign users to Roles: directly, or by group membership.

To assign Roles directly to a user:

Locate the user

Locate the user you wish to assign. You can filter the user list by typing in the username column header search box.

Update role assignments

Add or remove role assignments using the checkbox. You can filter the roles list by typing in the Search field.

Close

Click Close when done.

Roles assigned by groups are grayed out (disabled), indicating the assignment is inherited.

Configuring group membership for users

External group memberships for users are managed by the external AAA system and cannot be edited in Itential Platform. A user may only be added to or removed from Itential Platform groups within Authorization.

To change the Groups to which a user belongs:

Open the Groups tab

Click the Groups tab option.

Find the group

Find the group in the list. You can filter the list by typing in the column header textbox.

Update membership

Add or remove group membership using the checkbox.

Close

Click Close when done.

AAA-managed group memberships will be grayed out (disabled), indicating the membership is not editable in Itential Platform.

Forced Logout

Itential allows administrators to forcefully log out all or selected users from the Authorization interface. Admins must have permission for the Authorization.forceLogout method.

Click the checkboxes to select users and then click the Log Out button icon at the top to forcefully log out all selected users.

Groups

An Itential Platform Group is an account created within the Itential Platform system. Users are assigned to Itential Platform groups through Authorization. In contrast, users are assigned to external groups within the external AAA system. An external group is an account that comes from an external AAA system such as LDAP; it cannot be created within Itential Platform.

If User1 is a member of Group1 and starts a job, and User2 is not a member of Group1, then User2 will not be able to see the job.

Assigning groups to roles

External groups cannot be created within Itential Platform. Instead, Itential Platform creates the external group record once it has been learned from the AAA system.

Groups are assigned to roles in two ways: directly, or by membership in another group.

To assign roles directly to a group in Itential Platform:

Navigate to Groups

Select Authorization → Groups from the navbar on the left. A list of defined groups displays.

Locate the group

Locate the group you wish to assign to a role. You can filter the list by typing in the Name column header search box.

Open the View Group dialog

Click the eye icon at the end of the table row to open the View Group dialog. The Roles tab displays by default.

Locate the role

In the Edit Group modal, locate the role you wish to assign. Filter the list by typing in the Name or Source search bar.

Update assignment

Add or remove a role assignment by selecting the checkbox.

Close

Click Close when done.

Roles assigned by other groups are grayed out (disabled), indicating the assignment is inherited.

Assigning group membership

Itential Platform groups and external groups can be given membership to an Itential Platform group; however, neither can be given membership to an external group.

Navigate to Groups

Select Authorization → Groups from the navbar on the left.

Select a group

Locate the group in the list and click the eye icon to open it.

Open the Groups tab

From the Edit Group modal, select the Groups tab.

Update membership

Add or remove group membership by selecting the checkbox.

Close

Click Close when done.

Identifying group members

Open the Members tab

Select the Members tab on the Edit Group modal to display the members list of users that are direct members of a group. There is no indicator for inherited memberships.

Find a member

Locate the member username in the list. You can filter the list by typing in the Search bar.

Close

Click Close when done.

Roles

A role is a bundle of permissions assigned to users and groups, granting permission to access one or more endpoints. Roles are pre-defined in the pronghorn.json file for each application and assigned to methods and views with the roles property.

Built-in roles

The following built-in roles come with Itential Platform, offering a set of ready-to-use permissions and access levels that pre-define what actions users can perform within the Platform.

These built-in roles can serve as a guided framework for users who desire to create custom roles for more precise control. Itential Platform offers the flexibility of custom role access based on your organization’s security and business needs.

Role	Description
admin	Full permission to Itential Platform to configure and manage access control.
apiread	Provides view-only access to API information, but does not allow you to make changes.
apiwrite	Provides access to view API information and make changes.
authorization	Provides access to modify RBAC and control authorization of data.
designer	Grants access to build workflows and automations within Itential Platform’s Lifecycle Manager, Studio, and Operations Manager.
engineering	Grants access to perform engineering-related functions to develop, maintain, and troubleshoot custom applications and adapters.
operations / operator	Can create, manage, and execute Itential Platform automations and related workflow events.
support	Grants access to perform support-related tasks on the system environment.
taskread	Provides view-only access to task information, but does not allow you to make changes.
taskwrite	Provides access to view task information and make changes.

Endpoints

Endpoints are defined by each application in the Platform. There are two types:

Endpoint	Description
API Methods	Represent API endpoints that read or write data.
UI Views	Represent web pages in the browser. A view will typically rely on one or more methods to read/write data.

To view endpoints granted to a role:

Navigate to Roles

Select Roles from the left-side navigation menu. A table list displays with a role for each application installed in the system.

Search or filter

Optionally, type in the search bar to sort/filter by role, application, or description.

View role details

Click the view icon for your desired role to open the View Role modal, which shows all API Methods and UI Views for a role. You can sort and filter using the Method and Source fields.

Custom roles

In addition to built-in roles defined by applications, Itential Platform allows administrators to define custom roles for different authorization strategies. Built-in roles are hard-coded in the services and are not user-editable. Users can only utilize services from their active server profile and cannot add roles for services that are not currently running.

Creating custom roles

Open the Create dialog

Click the plus (+) sign from the top toolbar in Admin Essentials to open the Create dialog.

Select Role

Select Role from the dropdown menu.

Enter name and description

Give the new custom role a unique name (required) and a description (optional).

Assign endpoints

Select the appropriate API endpoints and UI Views in the Edit Role modal, then click Save to finalize your changes. The custom role appears in the Authorization: Roles table view and displays as Custom under the Type column.

Assign Custom Role API endpoints and UI views

Editing custom role permissions

Navigate to Roles

Select Roles from the menu in the left navbar.

Find the custom role

Type the name of the Custom role in the search bar under the Role column header and select it from the results.

Open Edit

Click the stacked dots menu icon and select Edit. The endpoints for the selected custom role display in the Edit Role modal, with tabs for API Methods and UI Views.

Update the role

Update the role name or description if needed. Locate the permissions you would like to grant or remove — filter the list by typing in the search box, then add or remove permitted endpoints by selecting the checkbox.

Save

Click Save to finalize your changes.

Deleting a custom role

This is a hard delete. Deleting a custom role will remove references to the role from all users and groups assigned to it.

Only custom roles may be deleted.

Locate the custom role

Locate the custom role you wish to delete. Filter the list using the filter fields in the column header.

Delete

Click the stacked dots menu icon and click Delete for the role.

Confirm

Confirm the custom role has been deleted from the Roles table view.

Exporting authorization data

You can export a list of Users, Groups, and Roles from the Authorization interface into a CSV-formatted file. The CSV data can be used as a reference list to help track what role a user belongs to and see the groups to which each user belongs.

To utilize this export feature, you must have assigned permissions to read/write roles on user and group entities, and must have assigned permissions to perform the export.

Navigate to Authorization

Navigate to Admin Essentials → Authorization.

Export

Click the export icon. A confirmation dialog displays.

Download

Click the Download button. A CSV-formatted file is downloaded to your system.

Open the file

Go to the location where the CSV file is saved and open it in your spreadsheet application of choice (e.g., Microsoft Excel, Google Sheets, Smartsheet).

Column Header	Description
User ID	Identifier of the user account.
Provenance	The name of the AAA the user comes from.
Username	The unique name of the user account.
First name	The user’s first name.
Email	The email address associated with the user account.
Last Login	The last date and time of login.
Active	A boolean indicating if the user account is active (true/false).
Groups Names	A list of group names to which the user belongs. Each group name includes its provenance.
Roles Names	A list of roles assigned to the user.

Authorization Clients

The Authorization Clients view displays a list of clients for Service Accounts. Click on the Clients name in the list to open the Client Details page, which displays the Client ID and a timestamp identifying the date and time a Client Secret was generated. Use the toggle switch at the top to enable or disable the Service Account. Authentication is not permitted against disabled Service Accounts.

For security reasons, the ability to edit a Service Account client is protected by the service-accounts:read and service-accounts:write Cloud application roles. To grant a user the right to edit client permissions for a Service Account, you must enable these roles in the groups whose users need to create or modify Service Accounts.

Service Accounts

Applications that need a point of entry to interact with Itential Platform APIs are created as Service Accounts in Itential Platform. Using OAuth2 protocols over HTTPS, authorization policies and controls are applied to limit what the requesting application is permitted to do and for how long. The client ID identifies the Service Account and the secret key provides proof of right-to-access. The client ID and secret key may be distributed to one or more Service Applications.

Benefits of encapsulating applications as Service Accounts include providing a more secure way to connect Itential Platform to external systems, using tokenization to give limited access to user data, protecting user data by providing access via client token ID without revealing user credentials, and allowing third-party services to make requests on behalf of a user without accessing passwords or other sensitive information.

Service Account properties

Parameter	Type	Description
name	string	The specific name associated with the Service Account.
description	string	A brief description of the service account for the external system.
client_id	string	Auto-generated by Itential Platform; can be copied by the administrator.
client_secret	string	Auto-generated by Itential Platform; can be copied by the administrator.
grant_type	string	A JSON Web Token (JWT) providing the service application authenticated access to Itential Platform for a set amount of time.

Example Service Account configuration:

1 "accountData" : {
2   "name": "Service Account Hello",
3   "description": "This is a service account",
4   "client_id": "638e17011ba61d5e222a16ab",
5   "client_secret": "94367284-b12a-4858-b6c1-0bb11f1f126b",
6   "grant_type": "xxxxx.yyyyy.zzzzz"
7 }

Service Account APIs

API	Description
`createServiceAccount`	Creates a service account in the Mongo database.
`getServiceAccounts`	Returns the service account based on query parameters, but does not include `clientSecret` in any returned data. This is a one-time value generated once a service account is created and never generated again.
`updateServiceAccount`	Updates the service account `description`.
`deleteServiceAccount`	Deletes the linked service account from the accounts collection.

Error responses

Error Code	Description
400	Unable to authenticate; grant-type unsupported or client secret incorrect.
409	Duplicate service account is not allowed.
415	Unsupported format type for the HTTP method used.
500	Missing parameters; failed to call adapter route for service_name.

Creating a new client for a Service Account

Open the Create dialog

Click the + sign on the toolbar to open the global Create dialog.

Select OAuth Client

Select “OAuth Client” from the dropdown menu list.

Enter details

Input a unique client name and a brief description, if desired.

Save

Click the Save button. The Authorization Client Details page displays with the Client Secret visible so you can copy it to clipboard. A timestamp identifying when the Client Secret was generated is also displayed.

Save the secret

A message to save the client secret displays in bold beneath the timestamp. If the secret is lost, use the Regenerate button to create a new one and invalidate the old one.

If you leave the Authorization Client Details page and later return via the Clients Collection view (Admin Essentials → Authorization → Clients), you will not be able to see the client secret — only the client secret timestamp.

Editing client permissions for Service Accounts

Open Edit Permissions

From the Clients Authorization Details page, click the Edit Permissions button. The Edit User dialog displays.

Assign roles

Select the appropriate user role permissions to assign.

Save

Click the Save button to retain your changes.

Enable/disable clients for Service Accounts

Use the toggle switch at the top of the Client Details page to enable or disable the Service Account. Click the Save button to retain your changes. A message banner informs users when the enable/disable state is activated for the Service Account. Authentication is not permitted against disabled Service Accounts.

Enable (toggle on) Service Account client

Disable (toggle off) Service Account client

Viewing, editing, and deleting Service Accounts

To view all Service Accounts on the system, select Users from the left navigation menu in Admin Essentials and then click the Service Accounts tab. From this table view, you can also click the pencil icon to edit the permissions associated with a Service Account.

To delete a client associated with a Service Account, click the Clients name in the list to open the Client Details page. Then click the menu button (⋮) in the upper-right corner to open the menu dialog and select Delete to remove the client.

Viewing and modifying client metadata for Service Accounts

From the menu button (⋮) in the upper-right corner of the Client Details view, select the Metadata option. In the metadata drawer that opens, you will see a Created field with a date timestamp and the user that created or updated the client. Click Close to dismiss the drawer.