
Role Based Access Control


Role Based Access Control (RBAC) provides a more customized Orchestrator experience. On a per-user basis, you can assign roles that specify access levels for a user, control the menu options available in the Orchestrator UI, and grant or deny access to appliance groups. Starting with Orchestrator 9.3.0, RBAC affects both Orchestrator UI users and Orchestrator REST API users.

NOTE: In Orchestrator 9.3.0, the endpoint definitions for the SD-WAN Orchestrator REST APIs changed, so users had to update the endpoint definitions in their Orchestrator REST API scripts. To reduce the scope of that change, Orchestrator 9.3.1 lets you enable support for Interop API endpoints (the endpoint definitions used before the 9.3.0 release) so you can continue using your existing Orchestrator REST API scripts for a specific list of frequently used commands (see Pre 9.3 API Endpoints).

You should be aware of the following:

  • To enable Interop API support, navigate to Orchestrator > Software & Setup > Setup > Advanced Properties and set the enableLegacyApisSupport property to true.

    NOTE: It is recommended that you restart Orchestrator during a maintenance window.

  • RBAC settings affect users accessing the Orchestrator UI as well as the Orchestrator REST APIs, regardless of whether authentication is via login/password (role associated with the user) or via an API key (role associated with the API key).

  • For RBAC users, the RBAC filter will be applied to any Interop Orchestrator REST API calls (for releases before 9.3.0).

    NOTE: For non-RBAC users, the RBAC filter is not applied.

  • An API endpoint (rbac/legacyApi) has been introduced to add an Interop API pattern that is not already in the Interop list (see Pre 9.3 API Endpoints). You must test and verify that the pattern stored in the database does not create issues.

  • REST request performance will be impacted due to increased latency in request filtering and routing of Interop REST APIs. It is recommended that all scripts be modified to adapt to the Orchestrator 9.3 REST API endpoints.

For information about enabling Interop API support, see Orchestrator Advanced Properties. For information about using Interop APIs, see Pre 9.3 API Endpoints.
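The following is an added illustration of the filter semantics described above, not HPE Aruba Orchestrator code: a role carries an overall permission (Read Only or Read & Write) plus the feature areas it may reach, the same check is applied whether the role came from a login or from an API key, non-RBAC users bypass the filter, and Interop endpoints are reachable only when enableLegacyApisSupport is true. The endpoint prefixes, the Interop pattern and the "password"/"apikey" labels are assumptions made for the example.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed model of the RBAC filter this page describes; an added
# illustration, not HPE Aruba Orchestrator code. A role has an overall
# permission (Read Only / Read & Write) plus the feature areas it may reach.
@dataclass(frozen=True)
class Role:
    name: str
    permission: str      # "ro" or "rw"
    features: frozenset  # feature areas, e.g. {"monitoring", "configuration"}

@dataclass(frozen=True)
class Principal:
    name: str
    auth: str                # "password" (login) or "apikey"; same filter either way
    role: Optional[Role]     # None models a non-RBAC user: the filter is not applied

# Hypothetical endpoint-to-feature mapping and Interop (pre-9.3) patterns.
# On a real Orchestrator the Interop list is built in; rbac/legacyApi adds to it.
FEATURE_BY_PREFIX = {"/stats/": "monitoring", "/config/": "configuration"}
LEGACY_PATTERNS = {re.compile(r"^/legacyStats(/|$)"): "monitoring"}

def feature_for(path):
    """Resolve the feature area an endpoint belongs to (None if unknown)."""
    for pattern, feature in LEGACY_PATTERNS.items():
        if pattern.match(path):
            return feature
    for prefix, feature in FEATURE_BY_PREFIX.items():
        if path.startswith(prefix):
            return feature
    return None

def authorize(principal, method, path, enable_legacy_apis=False):
    """Return (allowed, reason) for one REST request under the RBAC filter."""
    legacy = any(p.match(path) for p in LEGACY_PATTERNS)
    if legacy and not enable_legacy_apis:
        return False, "interop endpoint: enableLegacyApisSupport is false"
    if principal.role is None:
        return True, "non-RBAC user: filter not applied"
    feature = feature_for(path)
    if feature is None:
        return False, "endpoint not mapped to a feature: deny by default"
    if feature not in principal.role.features:
        return False, f"role {principal.role.name} lacks feature {feature}"
    if method.upper() not in {"GET", "HEAD"} and principal.role.permission != "rw":
        return False, f"role {principal.role.name} is read-only; {method} denied"
    return True, f"allowed via {principal.auth} with role {principal.role.name}"
```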

Roles

Orchestrator provides a set of default roles. You can create new roles or modify an existing role.

Field      | Description
Role       | Name of the role.
Permission | Overall access level assigned to the selected role (Read-Only or Read & Write).
Features   | Orchestrator features available to the selected role.

To add a role:

  1. Click Manage RBAC Roles. The RBAC Roles dialog box opens.


  2. Click Add to create a new role, or click the Edit icon to the left of any existing role.

  3. Enter or modify the role name.

  4. Select the category of features to assign to the role from the following tabs: Monitoring, Configuration, Administration, Orchestrator, Support, or Miscellaneous.

  5. To assign the overall access level for the role, select Read Only or Read & Write.

  6. Select the check box corresponding to the Orchestrator menu options you want to make available to the role.

    NOTE: You can Select All or Clear All.

  7. Click Save.

Appliance Access

With appliance access groups, you can restrict appliance access to one or more groups or regions. Complete the following steps to customize appliance access.

  1. On the Role Based Access Control tab, click Manage Appliance Access Groups. The Appliance Access Groups dialog box opens.


  2. Click Add to create a new group, or click the Edit icon to the left of any existing group. The Appliance Access Group dialog box opens.

  3. Add or modify the name of the appliance access group.

  4. Choose how you want to add appliances: Select Groups or Select Regions. You can manually select groups or regions to include, or use the buttons to select or clear all options.

  5. Click Save.

WARNING: A non-RBAC user or an RBAC user with appliance access and no assigned role has access to the Appliance Manager, CLI Session, and Broadcast CLI. An RBAC user with any role assigned is denied access to the Appliance Manager, CLI Session, and Broadcast CLI.

User          | Appliance Access | Roles Assigned | Menu Options
Non-RBAC User | N/A              | N/A            | Appliance Manager, CLI Session, Broadcast CLI
RBAC User     | Yes              | None assigned  | Appliance Manager, CLI Session, Broadcast CLI
RBAC User     | No               | Any            | Appliance Manager, CLI Session, and Broadcast CLI are denied

Assign Roles and Appliance Access

Complete the following steps to assign roles and appliance access.

  1. On the Role Based Access Control tab, click Assign RBAC Roles & Appliance Access Groups.

  2. In the User field, enter the name of an existing Orchestrator user.

  3. In the Appliance Access Group field, select the name of an existing Appliance Access Group.

  4. Select the check boxes for one or more roles you want to assign to the user.

  5. Click Save.

The following table defines the roles provided by default in Orchestrator (roles are listed alphabetically).

Role              | Description
ConfigAdmin       | Backs up and restores appliance configuration and views the configuration history.
Monitor           | Provides read-only access to all menu items.
OrchestratorAdmin | Enables the user to perform Orchestrator operations only, such as settings, tools, user management, and Orchestrator upgrades. Appliance operations are not allowed.
OverlayAdmin      | Enables the user to manage SD-WAN overlays. Overlay management cannot be limited to a site or region; this is a global role.
SiteAdmin         | Enables appliance- or site-specific operations, such as configuring appliance-specific policies, ACLs, TCAs, SSL certificates, and upgrades. This role cannot remove an appliance from the network or perform global SD-WAN functions such as overlay management or Zscaler orchestration.
SiteMonitor       | Grants read-only permissions equivalent to SiteAdmin.
SiteOperator      | Enables appliance- or site-specific operations such as configuring appliance-specific policies, ACLs, TCAs, and SSL certificates. This role cannot upgrade an appliance, remove it from the network, or perform global SD-WAN functions such as overlay management or Zscaler orchestration.
SiteUpgradeAdmin  | Upgrades appliances and removes them from the network.
SuperAdmin        | Enables full read-write access to all menu items.
Support           | Enables access to all support operations.


© Copyright 2024 Hewlett Packard Enterprise Development LP.
