Managing roles of users and groups

Assign roles to users and groups to control which sections of the local management interface (LMI) and web services they can access. By default, role-based authorization is disabled on the appliance. To use it, enable this function from the LMI. With Management Authorization, we can perform the following tasks:

The roles for a user session are determined when a user first logs in. If the authorization configuration is modified and deployed while a user is logged in, the changes take effect immediately. We can customize the default roles to better suit our environment. We can also remove all default roles and create new ones from scratch. If we plan to use the default roles, we must carefully review them to ensure they are appropriate for our environment.

The default roles are not updated after an appliance firmware upgrade. If the firmware upgrade introduces new features, existing roles are not updated to include permission for any of them, so those features are reachable only by the admin account until a role is granted permission for them. The default roles can be updated manually in the Management Authorization page. See "Editing permissions for a role" under step 2 of the procedure below.

The authorization settings do not affect the main system account admin, which always has read and write permission to all features. The admin account can be used for recovery if a role change locks the other accounts out, so its credentials should be protected accordingly.

Permissions can be set for all features in the appliance except for the Home: Appliance Dashboard. Any user who can authenticate can view Home: Appliance Dashboard, even if they are not assigned to any roles. To ensure complete flexibility with the role configuration, the permissions for each feature are controlled separately. Some pages in the LMI, such as the Management Authorization page, use multiple features. As a result, users might need permissions for more than one feature to use all of the features on a particular page of the LMI. For example, to access all of the functions on the Management Authorization page, the user needs permissions for the following features:

If a user clicks a link or attempts to complete an action for which they do not have the appropriate permission, an error message is returned. The error message includes the details about which permission is required for the selected action.

When we search for remote LDAP users or groups, consider the following points:


Authorization enforcement

Authorization enforcement applies to the LMI, web services, and client certificate authentication.

A user can be assigned multiple roles. In this case, the user receives the highest permission from these roles for each feature. For example, if they are assigned two roles and one role has read permission for a feature but the second role has write permission for the feature, the user is granted write permission. The appliance caches authentication details to reduce load on the user registry. The cached details might be used for up to 10 minutes after they are changed, so a role or group membership that is removed from a user can remain in effect for up to 10 minutes. To disable this caching, set the advanced tuning parameter...

A performance penalty is incurred when we use lmi.authCache.baenabled = false because the user registry is queried when:

There is some degradation of performance in environments that make heavy use of the web services API by using Basic Authentication.
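The two behaviours above, role merging by highest permission per feature and a time-limited authentication cache, are shown in the following model. It is an added illustration written for this page, not code from the appliance; the role, user and feature names are hypothetical, and the cache is a simplified stand-in for the appliance cache with the documented 10-minute window.

```python
"""Model of the Management Authorization semantics described on this page.

Added illustration, not appliance code. Feature and user names are
hypothetical; RoleCache is a simplified stand-in for the appliance's
authentication cache.
"""
import time
from dataclasses import dataclass, field

# Permission levels a role can hold for a feature; roles merge by taking the maximum.
PERMISSION_RANK = {"None": 0, "Read": 1, "Write": 2}

DASHBOARD = "Home: Appliance Dashboard"  # viewable by any authenticated user
ADMIN_ACCOUNT = "admin"                  # never subject to the role settings
CACHE_TTL_SECONDS = 600                  # the documented 10-minute window


@dataclass
class Role:
    name: str
    # feature -> "None" | "Read" | "Write"; a feature not listed counts as "None"
    permissions: dict = field(default_factory=dict)


class PermissionDenied(Exception):
    """Raised with the feature and the permission that would have been required."""


def effective_permission(roles, feature):
    """Highest permission across every role assigned to the user, per feature."""
    levels = [role.permissions.get(feature, "None") for role in roles]
    return max(levels, key=PERMISSION_RANK.__getitem__, default="None")


def authorize(user, roles, feature, needed):
    """Return the permission granted, or raise naming the one that is required."""
    if user == ADMIN_ACCOUNT:
        return "Write"                       # admin always has read and write
    if feature == DASHBOARD and needed == "Read":
        return "Read"                        # any authenticated user may view it
    have = effective_permission(roles, feature)
    if PERMISSION_RANK[have] < PERMISSION_RANK[needed]:
        raise PermissionDenied(
            f"{feature}: {needed} permission required, roles grant {have}")
    return have


class RoleCache:
    """Caches the roles resolved for a user for a fixed TTL.

    While an entry is cached, a change in the registry (a removed group
    membership, say) is not seen until the entry expires. With enabled=False
    the registry is queried on every request, which is the cost the page
    warns about for Basic Authentication web-service clients.
    """

    def __init__(self, registry_lookup, enabled=True,
                 ttl=CACHE_TTL_SECONDS, clock=time.monotonic):
        self._lookup = registry_lookup
        self._enabled = enabled
        self._ttl = ttl
        self._clock = clock
        self._entries = {}          # user -> (expires_at, roles)
        self.registry_queries = 0   # how often the registry was actually hit

    def roles_for(self, user):
        now = self._clock()
        if self._enabled:
            cached = self._entries.get(user)
            if cached and cached[0] > now:
                return cached[1]
        self.registry_queries += 1
        roles = list(self._lookup(user))
        if self._enabled:
            self._entries[user] = (now + self._ttl, roles)
        return roles


if __name__ == "__main__":
    # Constructed sample: one read-only role and one read/write role.
    auditor = Role("auditor", {"Reverse Proxy": "Read"})
    operator = Role("operator", {"Reverse Proxy": "Write"})
    print(effective_permission([auditor, operator], "Reverse Proxy"))
    try:
        authorize("alice", [auditor], "Reverse Proxy", "Write")
    except PermissionDenied as err:
        print(err)
```

The cache is the part worth checking in a real deployment: after removing a user from a role or LDAP group, the user's web-service calls with Basic Authentication can keep succeeding until the cached entry expires, so either wait out the window or disable the cache before treating the removal as effective.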

  1. Select...

      System > System Settings > Management Authorization > Roles > Enable Authorization Roles (check box)

  2. Follow the prompts to complete the action we want to take. Use the quick filter to retrieve group names, user names, and features.

    Add a role

    1. In the Roles panel on the left, click New.
    2. In the Create New Role window, enter a name for the new role.
    3. Click OK.

    Remove a role

    1. In the Roles panel on the left, select the role to delete.
    2. Click Delete.
    3. In the Removing Role window, verify the role name to delete is correct and then click Yes.

    Assign a role to local groups or users

    1. In the Roles panel on the left, select the role to edit membership for.
    2. In the Role Membership panel on the right, select the Local User Database tab if it is not already selected.
    3. Click Edit above the group name table or the user name table.
    4. In the Edit Local Members window, select or clear the check box on the Groups and Users tabs as needed.
    5. Click OK.

    Assign a role to LDAP groups or users

    1. In the Roles panel on the left, select the role to edit membership for.
    2. In the Role Membership panel on the right, select the Remote LDAP User Registry tab if it is not already selected.
    3. In the Edit Remote LDAP Members window, modify LDAP groups and users on the Groups and Users tabs as needed.
      • To add an LDAP group or user, enter the details in the text field and then click Add.
      • To remove an LDAP group or user, select the entry and then click Delete.
    4. Click OK.

    Editing permissions for a role

    1. In the Roles panel on the left, select the role to edit permissions for.

    2. In the Features panel on the right, select the permission that we want from the drop-down list in each row.

      If we upgrade from a previous version of the appliance, features that are new in that version are set to None in every role by default, so configure their permissions if necessary. The displayed features reflect the features that are available in the activated offerings. If we deactivate a product, the features that are specific to that product are removed from any existing roles. If we reactivate the product later, those features are added to the roles again with the permissions they had before deactivation. If it is the first time the product is activated, the product-specific features are added to each role with no assigned permissions.

    3. Click Save to save the permission settings.
