End of Sale Notice:
F5 NGINX is announcing the End of Sale (EoS) for NGINX Controller API Management Module, effective January 1, 2024.
F5 maintains generous lifecycle policies that allow customers to continue support and receive product updates. Existing NGINX Controller API- Management customers can continue to use the product past the EoS date. License renewals are not available after September 30, 2024.
See our End of Sale announcement for more details.
End of Sale Notice:
F5 NGINX is announcing the End of Sale (EoS) for NGINX Controller Application Delivery Module, effective January 1, 2024.
F5 maintains generous lifecycle policies that allow customers to continue support and receive product updates. Existing NGINX Controller Application Delivery customers can continue to use the product past the EoS date. License renewals are not available after September 30, 2024.
See our End of Sale announcement for more details.
Using RBAC with the App Security Add-On
How to use Role Based Access Control with App Security.
Role Based Access Control (RBAC) allows you to define permissions for Apps Security resources. With RBAC, you can specify which role has the permissions to create, read (and reference), update, and delete a Security Strategy or a Security Policy. You can then assign roles to specific users so that the users inherit the permissions.
For more information regarding roles, refer to Manage Roles and Role Groups
Permissions for App Security
To enable security, the app component needs to reference a security strategy. The security strategy in turn references a security policy. When using RBAC with App Security, you need to configure permissions for the app component, the security strategy, and the security policy.
Resources that are deeper in the path hierarchy inherit permissions from their parents unless explicitly overwritten. For more information, refer to Manage Roles and Role Groups.
Granting Permissions on App Components
The app component you want to enable WAF for must have WRITE permission. Additionally, all objects referenced by the app component need to have READ permission. In the following example, WRITE permission is given to the app component, and READ permission is given to the gateway and the location referenced by the app component:
{
"path": "/services/environments/env-name/apps/app-name/components/component-name",
"access": "WRITE"
},
{
"path": "/services/environments/env-name/gateways/gateway-name",
"access": "READ"
},
{
"path": "/infrastructure/locations/location-name/",
"access": "READ"
}
Granting Permissions on Security Strategies and Security Policies
A security strategy references a security policy. For more information regarding security strategies and security policies, refer to About App Security.
Deny by Default
Permissions for security strategies and security policies follow the principle of Deny by Default: all access is blocked that has not been expressly permitted. There are a few exceptions:
-
By default, all users have
READpermission for the default strategy (/security/strategy/balanced_default). -
Users do not need permissions to reference a security policy in a security strategy.
Security Strategies
For a role, you can grant FULL, WRITE, READ, or NONE permissions to a security strategy. Each of these options provides the following permissions to the role:
| Permission | What you can do with this permission |
|---|---|
READ |
You can view the settings of the security strategy. You can reference the security strategy for an app component. |
WRITE |
All that READ can do.In addition, you can create or edit the security strategy. |
FULL |
All that WRITE can do.In addition, you can delete the security strategy. |
NONE |
You can view the settings of a security policy. |
Note:
When permissions are set to
NONE:
- You cannot view the settings of the security strategy.
- You cannot reference the security strategy for an app component.
- You cannot create or edit the security strategy.
- You cannot delete the security strategy.
Security Policies
For a role, you can grant FULL, WRITE, READ or NONE permissions to a security policy. Each of these options provides the following permissions for the role:
| Permission | What can you do with this permission |
|---|---|
READ |
You can view the settings of the security policy. |
WRITE |
All that READ can do.In addition, you can create or edit the security policy. |
FULL |
All that WRITE can do.In addition, you can delete the security policy. |
NONE |
No permissions. |
Note:
You don’t need to add permissions to a security policy to reference it in a security strategy.
Restricting Access to the Default Strategy
The default strategy (/security/strategies/balanced_default) is read-only and accessible to all users and roles. To restrict access to the default strategy, create a role and assign NONE as the permission for the default strategy, as shown in the following example:
PUT https://{{host}}/api/v1/platform/roles/defaultStrategy-none
{
"metadata": {
"name": "defaultStrategy-none",
"displayName": "Default Security Strategy - No Access",
"description": "This role deny users access to the Default Security Strategy"
},
"desiredState": {
"permissions": [
{
"path": "/security/strategies/balanced_default",
"access": "NONE"
}
]
}
}
Permissions for Predefined Roles
The following table lists the permissions for NGINX Controller’s predefined roles:
| Predefined Role | Permission | Details |
|---|---|---|
admin |
FULL |
FULL permissions for all security strategies and security policies on all environments. |
user |
WRITE |
WRITE permissions for all security strategies and security policies on all environments. |
guest |
READ |
READ permissions for all security strategies and security policies on all environments. |
RBAC for AppSec Scenario Example
In the following example, we create a role called devops-role that we assign to the user David. This role gives David the permissions he needs to add WAF to the app component checkout-component by referencing the security strategy sensitive-app-strategy.
-
An
adminuser creates the roledevops-role:PUT @ /platform/roles/devops-role{ "metadata": { "name": "devops-role", "displayName": "devops-role", "description": "Role for DevOps" }, "desiredState": { "permissions": [ { "path": "/services/environments/env-name/apps/app-name/components/checkout-component", "access": "WRITE" }, { "path": "/services/environments/env-name/gateways/gateway-name", "access": "READ" }, { "path": "/infrastructure/locations/location-name/", "access": "READ" }, { "path": "/security/strategies/sensitive-app-strategy", "access": "READ" } ] } } -
An
adminuser assigns thedevops-rolerole to a user calledDavid:PATCH @ /platform/users/david@secured-org.com{ "desiredState": { "firstName": "david", "lastName": "david", "email": "david@secured-org.test", "roles": [ { "ref": "/platform/roles/devops-role" } ] }, "metadata": { "name": "david@secured-org.test", "tags": [ "david" ] } } -
The user
Davidenables WAF oncheckout-componentby referencingsensitive-app-strategy:PUT @ /services/environments/env-name/apps/app-name/components/checkout-component{ "metadata": { "name": "checkout-component", "displayName": "checkout-component", "tags": [] }, "desiredState": { "backend": { "ntlmAuthentication": "DISABLED", "preserveHostHeader": "DISABLED", "workloadGroups": { "wg": { "locationRefs": [ { "ref": "/infrastructure/locations/location-name" } ], "loadBalancingMethod": { "type": "ROUND_ROBIN" }, "uris": { "http://192.0.2.0:8080": { "isBackup": false, "isDown": false, "isDrain": false }, "http://192.0.2.1:8080": { "isBackup": false, "isDown": false, "isDrain": false } } } } }, "ingress": { "gatewayRefs": [ { "ref": "/services/environments/env-name/gateways/gateway-name" } ], "uris": { "/checkout": {} }, "clientMaxBodySize": "10m" }, "logging": { "accessLog": { "state": "DISABLED" }, "errorLog": "DISABLED" }, "security": { "strategyRef": { "ref": "/security/strategies/sensitive-app-strategy" }, "waf": { "isEnabled": true } } } }