Role Based Access Control
Role Based Access Control (RBAC) provides a more customized Orchestrator experience. On a per-user basis, you can assign roles that specify access levels for a user, control the menu options available in the Orchestrator UI, and grant or deny access to appliance groups. Starting with Orchestrator 9.3.0, RBAC affects both Orchestrator UI users and Orchestrator REST API users.
NOTE: In Orchestrator 9.3.0, endpoint definitions changed for SD-WAN Orchestrator REST APIs. This required users to update endpoint definitions in their Orchestrator REST API scripts. To reduce the magnitude of change required, Orchestrator 9.3.1 provides the ability to enable support for Interop (before Orchestrator 9.3.0 release) API endpoints so you can continue using your existing Orchestrator REST API scripts for a specific list of frequently used commands (see Pre 9.3 API Endpoints).
You should be aware of the following:
- To enable Interop API support, navigate to Orchestrator > Software & Setup > Setup > Advanced Properties and set the enableLegacyApisSupport property to true.
  NOTE: It is recommended that you restart Orchestrator during a maintenance window.
- RBAC settings affect users accessing the Orchestrator UI as well as the Orchestrator REST APIs, regardless of whether authentication is via login/password (role associated with the user) or via an API key (role associated with the API key).
- For RBAC users, the RBAC filter is applied to any Interop Orchestrator REST API calls (API endpoints from releases before 9.3.0).
  NOTE: For non-RBAC users, the RBAC filter is not applied.
- An API endpoint (rbac/legacyApi) has been introduced to add an Interop API pattern that is not already in the Interop list (see Pre 9.3 API Endpoints). You must test and verify that the pattern in the database does not create issues.
- REST request performance will be impacted due to increased latency in request filtering and routing of Interop REST APIs. It is recommended that all scripts be modified to adapt to the Orchestrator 9.3 REST API endpoints.
For information about enabling Interop API support, see Orchestrator Advanced Properties. For information about using Interop APIs, see Pre 9.3 API Endpoints.
Roles
Orchestrator provides a set of default roles. You can create new roles or modify an existing role.
Field | Description |
---|---|
Role | Name of the role. |
Permission | Overall access level assigned to the selected role (Read-Only or Read & Write). |
Features | Orchestrator features available to the selected role. |
To add a role:
- Click Manage RBAC Roles. The RBAC Roles dialog box opens.
- Click Add to create a new role, or click the Edit icon to the left of any existing role.
- Enter or modify the role name.
- Select a category you want to assign to your user from the following tabs: Monitoring, Configuration, Administration, Orchestrator, Support, or Miscellaneous.
- To assign the overall access level for the role, select Read Only or Read & Write.
- Select the check box corresponding to the Orchestrator menu options you want to make available to the role.
  NOTE: You can Select All or Clear All.
- Click Save.
Appliance Access
With appliance access groups, you can restrict appliance access to one or more groups or regions. Complete the following steps to customize appliance access.
- On the Role Based Access Control tab, click Manage Appliance Access Groups. The Appliance Access Groups dialog box opens.
- Click Add to create a new group, or click the Edit icon to the left of any existing group. The Appliance Access Group dialog box opens.
- Add or modify the name of the appliance access group.
- Choose how you want to add appliances: Select Groups or Select Regions. You can manually select groups or regions to include, or use the buttons to select or clear all options.
- Click Save.
WARNING: A non-RBAC user or an RBAC user with appliance access and no assigned role has access to the Appliance Manager, CLI Session, and Broadcast CLI. An RBAC user with any role assigned is denied access to the Appliance Manager, CLI Session, and Broadcast CLI.
User | Appliance Access | Roles? | Menu Options |
---|---|---|---|
Non-RBAC User | N/A | N/A | Appliance Manager, CLI Session, Broadcast CLI |
RBAC User | Yes | None assigned | Appliance Manager, CLI Session, Broadcast CLI |
RBAC User | No | Any | Appliance Manager, CLI Session, and Broadcast CLI are denied |
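The following Python model, added here as an illustration and not Orchestrator's own code, combines the concepts above: roles carry a permission level (Read-Only or Read & Write) and a feature set, appliance access groups restrict which appliances a user may touch, and the Appliance Manager / CLI Session / Broadcast CLI rule from the warning and table is applied first. The mapping of Read-Only to GET/HEAD and the denial for an RBAC user with neither a role nor an appliance access group are assumptions for the example.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple

# Constructed, simplified model of the RBAC decision described on this page.
# It is an illustrative evaluator, not Orchestrator's implementation.
READ_METHODS = {"GET", "HEAD"}                                 # assumption: Read-Only == read methods
CLI_FEATURES = {"Appliance Manager", "CLI Session", "Broadcast CLI"}


@dataclass(frozen=True)
class Role:
    name: str
    permission: str              # "Read-Only" or "Read & Write"
    features: FrozenSet[str]     # Orchestrator menu options enabled for the role


@dataclass
class User:
    name: str
    rbac: bool = True                                   # non-RBAC users bypass the filter
    roles: Tuple[Role, ...] = ()                        # zero or more assigned roles
    appliance_groups: Optional[FrozenSet[str]] = None   # None = no appliance access group


def is_allowed(user: User, feature: str, method: str,
               appliance_group: Optional[str] = None) -> bool:
    """Decide whether `user` may use `feature` with HTTP `method`, optionally
    against an appliance that belongs to `appliance_group`."""
    if not user.rbac:
        return True                      # RBAC filter is not applied to non-RBAC users
    if feature in CLI_FEATURES:
        # Any assigned role denies these; appliance access with no role allows them.
        return not user.roles and user.appliance_groups is not None
    if not user.roles:
        return False                     # assumption: no role means no other menu options
    if appliance_group is not None and (
        user.appliance_groups is None or appliance_group not in user.appliance_groups
    ):
        return False                     # appliance outside the user's access group
    for role in user.roles:              # union of the user's roles
        if feature not in role.features:
            continue
        if method in READ_METHODS or role.permission == "Read & Write":
            return True
    return False
```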
Assign Roles and Appliance Access
Complete the following steps to assign roles and appliance access.
- On the Role Based Access Control tab, click Assign RBAC Roles & Appliance Access Groups.
- In the User field, enter the name of an existing Orchestrator user.
- In the Appliance Access Group field, select the name of an existing Appliance Access Group.
- Select the check boxes for one or more roles you want to assign to the user.
- Click Save.
The following table defines the roles provided by default in Orchestrator (roles are listed alphabetically).
Role | Description |
---|---|
ConfigAdmin | Backs up and restores appliance configuration and views the configuration history. |
Monitor | Provides read-only access to all menu items. |
OrchestratorAdmin | Enables user to perform Orchestrator operations only, such as settings, tools, user management, and Orchestrator upgrades. Appliance operations are not allowed. |
OverlayAdmin | Enables user to manage SD-WAN overlays. Overlay management cannot be specific to a site or region. This is a global role. |
SiteAdmin | Enables appliance or site-specific operations, such as configuring appliance-specific policies, ACLs, TCAs, SSL certificates, and upgrades. The user cannot remove an appliance from the network or perform global SD-WAN functions such as overlay management or Zscaler orchestration. |
SiteMonitor | Grants read-only permissions equivalent to SiteAdmin. |
SiteOperator | Enables appliance or site-specific operations such as configuring appliance-specific policies, ACLs, TCAs, and SSL certificates. The user cannot upgrade an appliance, remove it from the network, or perform global SD-WAN functions such as overlay management or Zscaler orchestration. |
SiteUpgradeAdmin | Upgrades appliances and removes them from the network. |
SuperAdmin | Enables full read-write access to all menu items. |
Support | Enables access to all support operations. |