Role Based Access Control

Role Based Access Control (RBAC) provides a more customized Orchestrator experience. On a per-user basis, you can assign roles that specify access levels for a user, control the menu options available in the Orchestrator UI, and grant or deny access to appliance groups.

Roles

Orchestrator provides a set of default roles. You can create new roles or modify an existing role.

| Field | Description |
|---|---|
| Role | Name of the role. |
| Permission | Overall access level assigned to the selected role (Read-Only or Read & Write). |
| Features | Orchestrator features available to the selected role. |

To add a role:

  1. Click Create Roles. The Roles dialog box opens.

  2. Click Add to create a new role, or click the Edit icon to the left of any existing role.

  3. Enter or modify the role name.

  4. Select a category you want to assign to your user from the following tabs: Monitoring, Configuration, Administration, Orchestrator, Support, or Miscellaneous.

  5. To assign the overall access level for the role, select Read Only or Read & Write.

  6. Select the check box corresponding to the Orchestrator menu options you want to make available to the role.

    NOTE: You can Select All or Unselect All.

  7. Click Save.

Appliance Access

With appliance access groups, you can restrict appliance access to one or more groups or regions. Complete the following steps to customize appliance access.

  1. On the Role Based Access Control tab, click Create Appliance Access Groups. The Appliance Access Group dialog box opens.

  2. Click Add to create a new group, or click the Edit icon to the left of any existing group.

  3. Add or modify the name of the appliance access group.

  4. Choose how you want to add appliances: Select By Groups or Select By Region. You can manually select groups or regions to include, or use the buttons to select or clear all options.

  5. Click Save.

WARNING: A non-RBAC user or an RBAC user with appliance access and no assigned role has access to the Appliance Manager, CLI Session, and Broadcast CLI. An RBAC user with any role assigned is denied access to the Appliance Manager, CLI Session, and Broadcast CLI.

| User | Appliance Access | Roles? | Menu Options |
|---|---|---|---|
| Non-RBAC User | N/A | N/A | Appliance Manager, CLI Session, Broadcast CLI |
| RBAC User | Yes | None assigned | Appliance Manager, CLI Session, Broadcast CLI |
| RBAC User | No | Any | Appliance Manager, CLI Session, and Broadcast CLI are denied |
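
The following is an added example, not Orchestrator code or an Orchestrator export format: it applies the rule in the warning above to a constructed user inventory and lists the accounts that still reach the Appliance Manager, CLI Session, and Broadcast CLI. The `User` record, its field names, and the sample users and group are assumptions made for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Optional

CLI_MENUS = "Appliance Manager, CLI Session, Broadcast CLI"

@dataclass
class User:  # hypothetical record; not an Orchestrator export format
    name: str
    rbac: bool                              # False: no RBAC assignment at all
    appliance_group: Optional[str] = None   # appliance access group, if any
    roles: list[str] = field(default_factory=list)

def cli_menu_access(user: User) -> str:
    """Return 'allowed', 'denied' or 'unspecified' for the three CLI menus."""
    if not user.rbac:
        return "allowed"        # non-RBAC user
    if user.roles:
        return "denied"         # RBAC user with any role assigned
    if user.appliance_group:
        return "allowed"        # appliance access but no role
    return "unspecified"        # combination the page does not describe

def audit(users: list[User]) -> list[tuple[str, str]]:
    """Return (user, reason) pairs for accounts that need review."""
    findings = []
    for u in users:
        access = cli_menu_access(u)
        if access == "allowed":
            why = "non-RBAC user" if not u.rbac else "appliance access, no role"
            findings.append((u.name, f"keeps {CLI_MENUS} ({why})"))
        elif access == "unspecified":
            findings.append((u.name, "RBAC user with no role and no appliance access"))
    return findings

# Constructed sample inventory (user and group names are made up)
SAMPLE = [
    User("alice", rbac=False),
    User("bob", rbac=True, appliance_group="EMEA-Branches"),
    User("carol", rbac=True, appliance_group="EMEA-Branches", roles=["SiteMonitor"]),
    User("dave", rbac=True, roles=["Monitor"]),
    User("erin", rbac=True),
]

if __name__ == "__main__":
    for name, reason in audit(SAMPLE):
        print(f"{name}: {reason}")
```

An account restricted to an appliance access group but given no role shows up in the findings, which is the case most likely to be missed when access is scoped by group alone.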

Assign Roles and Appliance Access

Complete the following steps to assign roles and appliance access.

  1. On the Role Based Access Control tab, click Assign Roles & Appliance Access Groups.

  2. In the User field, enter the name of an existing Orchestrator user.

  3. In the Appliance field, select the name of an existing Appliance Access Group.

  4. Select the check boxes for one or more roles you want to assign to the user.

  5. Click Save.

The following table defines the roles provided by default in Orchestrator (roles are listed alphabetically).

| Role | Description |
|---|---|
| ConfigAdmin | Backs up and restores appliance configuration and views the configuration history. |
| Monitor | Provides read-only access to all menu items. |
| OrchestratorAdmin | Enables the user to perform Orchestrator operations only, such as settings, tools, user management, and Orchestrator upgrades. Appliance operations are not allowed. |
| SiteAdmin | Enables appliance or site-specific operations, such as configuring appliance-specific policies, ACLs, TCAs, SSL certificates, and upgrades. This role cannot remove an appliance from the network or perform global SD-WAN functions such as overlay management or Zscaler orchestration. |
| SiteMonitor | Grants read-only permissions equivalent to SiteAdmin. |
| SiteOperator | Enables appliance or site-specific operations, such as configuring appliance-specific policies, ACLs, TCAs, and SSL certificates. This role cannot upgrade an appliance, remove it from the network, or perform global SD-WAN functions such as overlay management or Zscaler orchestration. |
| SiteUpgradeAdmin | Upgrades appliances and removes them from the network. |
| SuperAdmin | Enables full read-write access to all menu items. |
| Support | Enables access to all support operations. |

© Copyright 2022 Hewlett Packard Enterprise Development LP. The information contained herein is subject to change without notice. The only warranties for Hewlett Packard Enterprise products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. Hewlett Packard Enterprise shall not be liable for technical or editorial errors or omissions contained herein. Aruba Networks and the Aruba logo are registered trademarks of Aruba Networks, Inc. Third-party trademarks mentioned are the property of their respective owners. To view the end-user software agreement, go to Aruba EULA.