Configure authorization

Authorization is the main interface in Admin Essentials for administering and viewing users, groups, and roles. Your permissions determine which views, features, and interactions are available in the UI.

There are two ways to access Authorization: from the Itential Platform home page, navigate to Admin Essentials → Quick Start → Authorization; or click Authorization in the left sidebar to open the accordion menu.

If you have Cisco NSO and want to use the NSO External Authentication script, you need network connectivity between the two (typically port 3000). For more information, see the NSO Network Adapter Integration guide.

Terminology

Term	Definition
User	An entity that can perform specific actions within multiple Itential Platform applications based on group associations.
Group	A collection of roles that can be assigned to a user.
Role	A collection of granular-level privileges that can be assigned to groups.
Permission	Authorization granted to an API and a specific page view.
Provenance	Refers to the source (origin) of a group. For external groups, this is set to the Itential Platform AAA `adapterId`. For Itential Platform groups, it is not set.

Users

A user is an entity that comes from an external AAA system such as LDAP. All operations within Itential Platform are associated with a user. Itential Platform lets you assign roles directly to users, and administrators can manage user membership through groups. Users may be members of any number of groups and, through group membership, may be assigned any number of roles.

User roles, whether directly assigned or inherited from a group, determine what the user can see and do within Itential Platform. The final permission set of a user is a combination of permissions granted to all roles assigned to the user and to any groups of which the user is a member.

View and filter users

Because users are accounts from an external system, Itential Platform creates a user record when someone has successfully logged in using their AAA system credentials.

To view the Authorization → Users table, you must have permission for the authorization.getAccounts method. This allows you to access the page, view the list of users, and see their login status.

The indicator circles under the Active column header denote the login status of each user:

Blue: User is currently logged in.
Red: User is deactivated.
Grey: User is not logged in.

Active Login Session Management became available in release 2023.2 and later. Earlier releases don’t support viewing active login sessions.

Filter the Users table by login status using the popover menu in the top-right. Click the vertical ellipsis (⋮) to display two filter toggles: Show Active Users Only and Show Deactivated Users.

Configure role assignments for users

There are two ways to assign users to Roles: directly, or by group membership.

To assign Roles directly to a user:

Locate the user

Locate the user you want to assign. You can filter the user list by typing in the username column header search box.

Update role assignments

Add or remove role assignments using the checkbox. You can filter the roles list by typing in the Search field.

Close

Click Close when done.

Roles assigned by groups are grayed out (disabled), indicating the assignment is inherited.

Configure group membership for users

The external AAA system manages external group memberships; they can’t be edited in Itential Platform. You can only add or remove users from Itential Platform groups within Authorization.

To change the Groups to which a user belongs:

Open the Groups tab

Click the Groups tab option.

Find the group

Find the group in the list. You can filter the list by typing in the column header textbox.

Update membership

Add or remove group membership using the checkbox.

Close

Click Close when done.

AAA-managed group memberships will be grayed out (disabled), indicating the membership is not editable in Itential Platform.

Forced Logout

Administrators can force users to log out from the Authorization interface. Administrators must have permission for the Authorization.forceLogout method.

Select users using the checkboxes, then click Log Out at the top.

Groups

An Itential Platform Group is an account created within Itential Platform. Users are assigned to Itential Platform groups through Authorization, but are assigned to external groups through the external AAA system. An external group comes from an external AAA system such as LDAP and can’t be created within Itential Platform.

If User1 is a member of Group1 and starts a job, and User2 is not a member of Group1, then User2 will not be able to see the job.

Assign groups to roles

External groups can’t be created within Itential Platform. Itential Platform creates the external group record after learning it from the AAA system.

Groups are assigned to roles in two ways: directly, or by membership in another group.

To assign roles directly to a group in Itential Platform:

Navigate to Groups

Select Authorization → Groups from the navbar on the left. A list of defined groups displays.

Locate the group

Locate the group you want to assign to a role. You can filter the list by typing in the Name column header search box.

Open the View Group dialog

Click the eye icon at the end of the table row to open the View Group dialog. The Roles tab displays by default.

Locate the role

In the Edit Group modal, locate the role you want to assign. Filter the list by typing in the Name or Source search bar.

Update assignment

Add or remove a role assignment by selecting the checkbox.

Close

Click Close when done.

Roles assigned by other groups are grayed out (disabled), indicating the assignment is inherited.

Assign group membership

Itential Platform groups and external groups can be given membership to an Itential Platform group; however, neither can be given membership to an external group.

Navigate to Groups

Select Authorization → Groups from the navbar on the left.

Select a group

Locate the group in the list and click the eye icon to open it.

Open the Groups tab

From the Edit Group modal, select the Groups tab.

Update membership

Add or remove group membership by selecting the checkbox.

Close

Click Close when done.

Identify group members

Open the Members tab

Select the Members tab in the Edit Group modal to see the users who are direct members of the group. Inherited memberships aren’t indicated.

Find a member

Locate the member username in the list. You can filter the list by typing in the Search bar.

Close

Click Close when done.

Roles

A role is a set of permissions assigned to users and groups that grants access to one or more endpoints. Roles are predefined in the pronghorn.json file for each application and assigned to methods and views with the roles property.

Built-in roles

The following built-in roles come with Itential Platform with ready-to-use permissions and access levels that define what actions users can perform.

These built-in roles can serve as a starting point for custom roles with more precise control. Itential Platform supports custom roles tailored to your organization’s security and business needs.

Role	Description
admin	Full permission to Itential Platform to configure and manage access control.
apiread	Provides view-only access to API information, but does not allow you to make changes.
apiwrite	Provides access to view API information and make changes.
authorization	Provides access to modify RBAC and control authorization of data.
designer	Grants access to build workflows and automations within Itential Platform’s Lifecycle Manager, Studio, and Operations Manager.
engineering	Grants access to perform engineering-related functions to develop, maintain, and troubleshoot custom applications and adapters.
operations / operator	Can create, manage, and execute Itential Platform automations and related workflow events.
support	Grants access to perform support-related tasks on the system environment.
taskread	Provides view-only access to task information, but does not allow you to make changes.
taskwrite	Provides access to view task information and make changes.

Endpoints

Endpoints are defined by each application in the Platform. There are two types:

Endpoint	Description
API Methods	Represent API endpoints that read or write data.
UI Views	Represent web pages in the browser. A view will typically rely on one or more methods to read/write data.

To view endpoints granted to a role:

Navigate to Roles

Select Roles from the left-side navigation menu. A table list displays with a role for each application installed in the system.

Search or filter

Optionally, use the search bar to filter by role, application, or description.

View role details

Click the view icon for your desired role to open the View Role modal, which shows all API Methods and UI Views for a role. You can sort and filter using the Method and Source fields.

Custom roles

In addition to built-in roles, administrators can define custom roles for different authorization strategies. Built-in roles are hard-coded in the services and can’t be edited. Users can only use services from their active server profile and can’t add roles for services that aren’t currently running.

Create a custom role

Open the Create dialog

Click the plus (+) sign from the top toolbar in Admin Essentials to open the Create dialog.

Select Role

Select Role from the dropdown menu.

Enter name and description

Give the new custom role a unique name (required) and a description (optional).

Assign endpoints

Select the appropriate API endpoints and UI views in the Edit Role modal, then click Save. The custom role appears in the Authorization: Roles table view and displays as Custom under the Type column.

Assign Custom Role API endpoints and UI views

Edit custom role permissions

Navigate to Roles

Select Roles from the menu in the left navbar.

Find the custom role

Type the name of the Custom role in the search bar under the Role column header and select it from the results.

Open Edit

Click the stacked dots menu icon and select Edit. The endpoints for the selected custom role display in the Edit Role modal, with tabs for API Methods and UI Views.

Update the role

Update the role name or description if needed. Locate the permissions you want to grant or remove. Filter the list by typing in the search box, then add or remove permitted endpoints by selecting the checkbox.

Save

Click Save to finalize your changes.

Delete a custom role

This is a hard delete. Deleting a custom role removes it from all users and groups that have it assigned.

Only custom roles can be deleted.

Locate the custom role

Locate the custom role you want to delete. Filter the list using the filter fields in the column header.

Delete

Click the stacked dots menu icon and click Delete for the role.

Confirm

Verify that the custom role no longer appears in the Roles table.

Export authorization data

You can export a list of Users, Groups, and Roles from the Authorization interface to a CSV file. Use the CSV as a reference to track user roles and group memberships.

To use this export feature, you must have permissions to read and write roles on users and groups, and permission to perform the export.

Navigate to Authorization

Navigate to Admin Essentials → Authorization.

Export

Click the export icon. A confirmation dialog displays.

Download

Click the Download button. A CSV file downloads to your system.

Open the file

Go to the location where the CSV file is saved and open it in your spreadsheet application of choice (e.g., Microsoft Excel, Google Sheets, Smartsheet).

Column Header	Description
User ID	Identifier of the user account.
Provenance	The name of the AAA the user comes from.
Username	The unique name of the user account.
First name	The user’s first name.
Email	The email address associated with the user account.
Last Login	The last date and time of login.
Active	A boolean indicating if the user account is active (true/false).
Groups Names	A list of group names to which the user belongs. Each group name includes its provenance.
Roles Names	A list of roles assigned to the user.

Service accounts

The Clients view lists clients for service accounts. Click a client to open its details page, which shows the Client ID and a timestamp for when the client secret was generated. Use the toggle at the top to enable or disable the service account. Disabled service accounts can’t authenticate.

For security, editing a service account client requires the service-accounts:read and service-accounts:write roles. To grant users the ability to edit service account client permissions, enable these roles in the relevant groups.

Applications that need a point of entry to interact with Itential Platform APIs are created as Service Accounts in Itential Platform. Using OAuth2 protocols over HTTPS, authorization policies and controls are applied to limit what the requesting application is permitted to do and for how long. The client ID identifies the service account and the secret key provides proof of right-to-access. The client ID and secret key may be distributed to one or more service applications.

Using service accounts to encapsulate applications provides a more secure connection to external systems, uses tokenization to limit access to user data, protects credentials by sharing a client token ID instead of user credentials, and lets third-party services make requests on behalf of users without accessing passwords or other sensitive information.

Service account properties

Parameter	Type	Description
name	string	The specific name associated with the service account.
description	string	A brief description of the service account for the external system.
client_id	string	Auto-generated by Itential Platform; can be copied by the administrator.
client_secret	string	Auto-generated by Itential Platform; can be copied by the administrator.
grant_type	string	A JSON Web Token (JWT) providing the service application authenticated access to Itential Platform for a set amount of time.

Example service account configuration:

1 "accountData" : {
2   "name": "Service Account Hello",
3   "description": "This is a service account",
4   "client_id": "638e17011ba61d5e222a16ab",
5   "client_secret": "94367284-b12a-4858-b6c1-0bb11f1f126b",
6   "grant_type": "xxxxx.yyyyy.zzzzz"
7 }

Service account APIs

API	Description
`createServiceAccount`	Creates a service account in the Mongo database.
`getServiceAccounts`	Returns the service account based on query parameters, but does not include `clientSecret` in any returned data. This is a one-time value generated once a service account is created and never generated again.
`updateServiceAccount`	Updates the service account `description`.
`deleteServiceAccount`	Deletes the linked service account from the accounts collection.

Error responses

Error Code	Description
400	Unable to authenticate; grant-type unsupported or client secret incorrect.
409	Duplicate service account is not allowed.
415	Unsupported format type for the HTTP method used.
500	Missing parameters; failed to call adapter route for service_name.

Create a new client for a service account

Open the Create dialog

Click the + sign on the toolbar to open the global Create dialog.

Select OAuth Client

Select “OAuth Client” from the dropdown menu list.

Enter details

Input a unique client name and a brief description, if desired.

Save

Click Save. The Authorization Client Details page opens with the Client Secret visible for copying. A timestamp shows when the secret was generated.

Save the secret

A bold message reminds you to save the client secret. If you lose the secret, click Regenerate to create a new one; this invalidates the previous secret.

If you leave the Authorization Client Details page and return later via the Clients Collection view (Admin Essentials → Authorization → Clients), the client secret is no longer visible, only the timestamp.

Edit client permissions for service accounts

Open Edit Permissions

From the Clients Authorization Details page, click the Edit Permissions button. The Edit User dialog displays.

Assign roles

Select the appropriate user role permissions to assign.

Save

Click the Save button to retain your changes.

Enable and disable clients for service accounts

Use the toggle at the top of the Client Details page to enable or disable the service account, then click Save. A message banner confirms the state change. Disabled service accounts can’t authenticate.

Enable (toggle on) service account client

Disable (toggle off) service account client

View, edit, and delete service accounts

To view all service accounts, select Users from the left navigation menu in Admin Essentials, then click the Service Accounts tab. Click the pencil icon to edit a service account’s permissions.

To delete a client, click its name in the Clients list to open the Client Details page. Click the menu button (⋮) in the upper-right corner and select Delete.

View and modify client metadata for service accounts

From the menu button (⋮) in the upper-right corner of the Client Details view, select Metadata. The metadata drawer shows a Created timestamp and the user who created or last updated the client. Click Close to dismiss.