Authorization is the main interface in Admin Essentials for administering and viewing users, groups, and roles. Your permissions determine which views, features, and interactions are available in the UI.
There are two ways to access Authorization: from the Itential Platform home page, navigate to Admin Essentials → Quick Start → Authorization; or click Authorization in the left sidebar to open the accordion menu.

If you have Cisco NSO and want to use the NSO External Authentication script, you need network connectivity between the two (typically port 3000). For more information, see the NSO Network Adapter Integration guide.
A user is an entity that comes from an external AAA system such as LDAP. All operations within Itential Platform are associated with a user. Itential Platform lets you assign roles directly to users, and administrators can manage user membership through groups. Users may be members of any number of groups and, through group membership, may be assigned any number of roles.
User roles, whether directly assigned or inherited from a group, determine what the user can see and do within Itential Platform. The final permission set of a user is a combination of permissions granted to all roles assigned to the user and to any groups of which the user is a member.
Because users are accounts from an external system, Itential Platform creates a user record when someone has successfully logged in using their AAA system credentials.
To view the Authorization → Users table, you must have permission for the authorization.getAccounts method. This allows you to access the page, view the list of users, and see their login status.
The indicator circles under the Active column header denote the login status of each user:
Active Login Session Management became available in release 2023.2 and later. Earlier releases don’t support viewing active login sessions.
Filter the Users table by login status using the popover menu in the top-right. Click the vertical ellipsis (⋮) to display two filter toggles: Show Active Users Only and Show Deactivated Users.

There are two ways to assign users to Roles: directly, or by group membership.
To assign Roles directly to a user:
Locate the user you want to assign. You can filter the user list by typing in the username column header search box.
Roles assigned by groups are grayed out (disabled), indicating the assignment is inherited.

The external AAA system manages external group memberships; they can’t be edited in Itential Platform. You can only add or remove users from Itential Platform groups within Authorization.
To change the Groups to which a user belongs:

AAA-managed group memberships will be grayed out (disabled), indicating the membership is not editable in Itential Platform.
Administrators can force users to log out from the Authorization interface; doing so requires permission for the Authorization.forceLogout method.
Select users using the checkboxes, then click Log Out at the top.

An Itential Platform Group is an account created within Itential Platform. Users are assigned to Itential Platform groups through Authorization, but are assigned to external groups through the external AAA system. An external group comes from an external AAA system such as LDAP and can’t be created within Itential Platform.
If User1 is a member of Group1 and starts a job, and User2 is not a member of Group1, then User2 will not be able to see the job.
External groups can’t be created within Itential Platform. Itential Platform creates the external group record after learning it from the AAA system.
Groups are assigned to roles in two ways: directly, or by membership in another group.
To assign roles directly to a group in Itential Platform:
Locate the group you want to assign to a role. You can filter the list by typing in the Name column header search box.
Click the eye icon at the end of the table row to open the View Group dialog. The Roles tab displays by default.
Roles assigned by other groups are grayed out (disabled), indicating the assignment is inherited.

Itential Platform groups and external groups can be given membership to an Itential Platform group; however, neither can be given membership to an external group.
Select the Members tab in the Edit Group modal to see the users who are direct members of the group. Inherited memberships aren’t indicated.
A role is a set of permissions assigned to users and groups that grants access to one or more endpoints. Roles are predefined in the pronghorn.json file for each application and assigned to methods and views with the roles property.
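The rules stated above (a user's effective permissions are the union of directly assigned roles and roles inherited through groups, groups may themselves be members of Itential Platform groups, and each method or view carries a roles property in the application's pronghorn.json) can be modelled in a few lines. The following is an added example, not Itential's code: the pronghorn.json excerpt is a constructed illustration of the manifest layout (methods entries keyed by name, views entries keyed by path, each with a roles array), and every user, group and role name in it is invented. It assumes nothing about the platform's behaviour for an endpoint that declares no roles; the example denies in that case.

```javascript
// Added example, not Itential's code. It models the authorization rules this page
// describes: a user's effective roles are the union of roles assigned directly and
// roles inherited through groups, groups may be members of other groups, and each
// endpoint in an application's pronghorn.json lists the roles that may reach it.
// ASSUMPTIONS: the pronghorn.json excerpt below is a constructed illustration of the
// manifest layout (methods[].name / views[].path with a roles array), and all users,
// groups and role names are invented.

const pronghorn = {
  id: 'example-app',
  methods: [
    { name: 'getAccounts', roles: ['admin', 'authorization-reader'] },
    { name: 'forceLogout', roles: ['admin'] },
  ],
  views: [
    { path: '/authorization', roles: ['admin', 'authorization-reader'] },
  ],
};

// Constructed directory: direct roles plus group memberships. Groups list the
// groups they belong to (an Itential Platform group may be a member of another).
const directory = {
  users: {
    alice: { roles: ['operator'], groups: ['netops'] },
    bob:   { roles: [], groups: ['contractors'] },
  },
  groups: {
    netops:      { roles: ['authorization-reader'], groups: ['audit'] },
    audit:       { roles: ['auditor'], groups: [] },
    contractors: { roles: ['operator'], groups: [] },
  },
};

// Collect every role a user holds, following group membership transitively.
// A visited set stops membership cycles; an unknown group is an error (fail closed).
function effectiveRoles(dir, username) {
  const user = dir.users[username];
  if (!user) throw new Error(`unknown user: ${username}`);
  const roles = new Set(user.roles || []);
  const visited = new Set();
  const walk = (groupName) => {
    if (visited.has(groupName)) return;
    visited.add(groupName);
    const group = dir.groups[groupName];
    if (!group) throw new Error(`unknown group: ${groupName}`);
    for (const role of group.roles || []) roles.add(role);
    for (const parent of group.groups || []) walk(parent);
  };
  for (const groupName of user.groups || []) walk(groupName);
  return roles;
}

// Find the manifest entry for an API method (by name) or a UI view (by path).
function findEndpoint(manifest, kind, name) {
  const list = kind === 'method' ? manifest.methods : manifest.views;
  const key = kind === 'method' ? 'name' : 'path';
  return (list || []).find((entry) => entry[key] === name);
}

// Decide whether `username` may reach an endpoint, and report which of the
// endpoint's roles matched so the decision can be audited. An endpoint that is
// missing or declares no roles is denied here; the page does not say what the
// platform itself does in that case.
function authorize(manifest, dir, username, kind, name) {
  const endpoint = findEndpoint(manifest, kind, name);
  if (!endpoint) return { allowed: false, matched: [], reason: `no such ${kind}: ${name}` };
  const required = endpoint.roles || [];
  if (required.length === 0) return { allowed: false, matched: [], reason: 'endpoint declares no roles' };
  const held = effectiveRoles(dir, username);
  const matched = required.filter((role) => held.has(role));
  return { allowed: matched.length > 0, matched, reason: matched.length ? 'role match' : 'no matching role' };
}
```

With this data, alice reaches getAccounts through the authorization-reader role inherited from netops, but not forceLogout, which only admin holds; bob, whose only role comes from the contractors group, reaches neither. Returning the matched roles alongside the decision is what makes a later "why could this user see that?" question answerable from the record.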
Itential Platform ships with the following built-in roles, each with ready-to-use permissions and access levels that define what actions users can perform.
These built-in roles can serve as a starting point for custom roles with more precise control. Itential Platform supports custom roles tailored to your organization’s security and business needs.
Endpoints are defined by each application in the Platform. There are two types: API methods and UI views.
To view endpoints granted to a role:


In addition to built-in roles, administrators can define custom roles for different authorization strategies. Built-in roles are hard-coded in the services and can’t be edited. Users can only use services from their active server profile and can’t add roles for services that aren’t currently running.
Click the plus (+) sign from the top toolbar in Admin Essentials to open the Create dialog.


Type the name of the custom role in the search bar under the Role column header and select it from the results.
Click the stacked dots menu icon and select Edit. The endpoints for the selected custom role display in the Edit Role modal, with tabs for API Methods and UI Views.

This is a hard delete. Deleting a custom role removes it from all users and groups that have it assigned.
Only custom roles can be deleted.
You can export a list of Users, Groups, and Roles from the Authorization interface to a CSV file. Use the CSV as a reference to track user roles and group memberships.
To use this export feature, you must have permissions to read and write roles on users and groups, and permission to perform the export.


The Clients view lists clients for service accounts. Click a client to open its details page, which shows the Client ID and a timestamp for when the client secret was generated. Use the toggle at the top to enable or disable the service account. Disabled service accounts can’t authenticate.
For security, editing a service account client requires the service-accounts:read and service-accounts:write roles. To grant users the ability to edit service account client permissions, enable these roles in the relevant groups.


Applications that need a point of entry to interact with Itential Platform APIs are created as Service Accounts in Itential Platform. Using OAuth2 over HTTPS, authorization policies and controls limit what the requesting application is permitted to do and for how long. The client ID identifies the service account, and the client secret provides proof of the right to access. The client ID and secret may be distributed to one or more service applications.
Using service accounts to encapsulate applications provides a more secure connection to external systems, uses tokenization to limit access to user data, protects credentials by sharing a client token ID instead of user credentials, and lets third-party services make requests on behalf of users without accessing passwords or other sensitive information.
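The exchange described in the two paragraphs above, and automated later on this page by the Postman pre-request script, is an OAuth2 client-credentials grant: the application presents its client ID and client secret, receives a bearer token with a limited lifetime, and sends that token instead of any user credential. The helper below is an added example, not Itential's code or the page's Postman script. The token endpoint path, the form-encoded request body, the response shape ({ access_token, expires_in }) and the environment variable names are placeholders to be replaced with the real values; the fetch function and clock are injectable so the helper can be exercised offline.

```javascript
// Added example, not Itential's code: an OAuth2 client-credentials helper for a
// service account. ASSUMPTIONS: the token endpoint path (`/oauth/token`), the
// form-encoded request body, the JSON response shape ({ access_token, expires_in })
// and the environment variable names are placeholders, not values from the page.

const TOKEN_PATH = '/oauth/token';            // assumed; substitute the real path
const REFRESH_MARGIN_MS = 30 * 1000;          // renew the token shortly before it expires

function createServiceAccountClient({
  baseUrl,
  clientId = process.env.ITENTIAL_CLIENT_ID,         // assumed variable names; never hardcode
  clientSecret = process.env.ITENTIAL_CLIENT_SECRET,
  fetchImpl = globalThis.fetch,                      // injectable for offline tests
  now = Date.now,
}) {
  if (!baseUrl || !baseUrl.startsWith('https://')) {
    throw new Error('baseUrl must use https://');    // the secret travels in the request body
  }
  if (!clientId || !clientSecret) {
    throw new Error('client id and client secret are required');
  }

  let cached = null; // { token, expiresAt }: kept in memory only, never logged

  // Obtain a bearer token, reusing the cached one until it is close to expiry.
  async function getToken() {
    if (cached && cached.expiresAt - now() > REFRESH_MARGIN_MS) return cached.token;
    const body = new URLSearchParams({
      grant_type: 'client_credentials',
      client_id: clientId,
      client_secret: clientSecret,
    });
    const res = await fetchImpl(baseUrl + TOKEN_PATH, {
      method: 'POST',
      headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
      body,
    });
    if (!res.ok) {
      // A disabled service account cannot authenticate; surface the failure, do not retry blindly.
      throw new Error(`token request rejected: HTTP ${res.status}`);
    }
    const data = await res.json();
    if (typeof data.access_token !== 'string') throw new Error('token response has no access_token');
    const ttlMs = (Number(data.expires_in) || 0) * 1000;
    cached = { token: data.access_token, expiresAt: now() + ttlMs };
    return cached.token;
  }

  // Call a platform API path with the bearer token attached; no username or password is involved.
  async function apiFetch(path, init = {}) {
    const token = await getToken();
    const headers = { ...(init.headers || {}), Authorization: `Bearer ${token}` };
    return fetchImpl(baseUrl + path, { ...init, headers });
  }

  return { getToken, apiFetch };
}
```

Two design points carry over from the text: the secret is read from the environment rather than pasted into a script that gets committed or shared, and the token's lifetime (the "for how long" the page mentions) is honoured by renewing before expiry instead of holding one token indefinitely.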
Example service account configuration:
If you leave the Authorization Client Details page and return later via the Clients Collection view (Admin Essentials → Authorization → Clients), the client secret is no longer visible, only the timestamp.

Use the toggle at the top of the Client Details page to enable or disable the service account, then click Save. A message banner confirms the state change. Disabled service accounts can’t authenticate.


To view all service accounts, select Users from the left navigation menu in Admin Essentials, then click the Service Accounts tab. Click the pencil icon to edit a service account’s permissions.

To delete a client, click its name in the Clients list to open the Client Details page. Click the menu button (⋮) in the upper-right corner and select Delete.


From the menu button (⋮) in the upper-right corner of the Client Details view, select Metadata. The metadata drawer shows a Created timestamp and the user who created or last updated the client. Click Close to dismiss.

After creating a service account client, you can use its client_id and client_secret to authenticate Itential Platform API calls in Postman without a username or password.
There are two ways to set this up: using a pre-request script or using a curl command.
In Postman, open the Pre-request Script tab and paste the following script. Replace <platform-host>, <client-id>, and <client-secret> with the values from your service account client.