Set Up RBAC for API Owners

Overview

This tutorial will show you how to use the Role-Based Access Control (RBAC) features of API Connectivity Manager to give API Owners tailored levels of access to features in F5 NGINX Management Suite. You will learn how to create roles to grant users access to workspaces and features, as well as how to add and assign users to those roles.

Intended Audience

This guide is meant for NGINX Management Suite Administrators who can add users and create and assign roles.

What is RBAC?

RBAC (Role-Based Access Control) is a security framework that provides access control based on roles assigned to users or user groups. This framework defines the roles and responsibilities of users within the system and restricts access to resources according to the user’s role. RBAC ensures only authorized users have access to specific resources and prevents unauthorized access.

Use Case

Jane Smith has joined Acme Co. as an API developer for the Human Resources department. Jane will be working in a Services workspace called “hr-api-services,” and she needs CRUD (Create, Read, Update, and Delete) access for the API Docs, Dev Portal Setup, and Proxy Config features in that workspace.

Workflow

In the steps that follow, we will:

  • Create a role that gives members access to a Services workspace,
  • Add a new user,
  • Assign the user to a Services workspace and the “ACM API Owner” role.

Before You Begin

To complete the instructions in this guide, you need the following:

  • API Connectivity Manager is installed, licensed, and running
  • One or more Service workspaces

Built-In Role

API Connectivity Manager comes pre-configured with an “ACM API Owner” role suitable for API Owners.

  • API Owner: The individuals or teams who are responsible for designing, creating, and maintaining APIs.

ACM API Owner

The built-in “ACM API Owner” role grants access to the following features at the workspace level. You can customize these settings if you wish.

Feature Access Scope Description
API Docs Create, Read, Update, Delete Workspace View and manage API documentation published to a Dev Portal.
Dev Portal Setup Create, Read, Update, Delete Workspace Set up and manage Dev Portals.
Hostnames Read Workspace View and manage hostnames for deploying proxies.
Proxy Config Create, Read, Update, Delete Workspace Create and manage proxies.

Create Custom Roles

In addition to the built-in API Connectivity Manager RBAC roles, you can create custom roles to give users tailored levels of access to workspaces and features.

Example: Create a workspace role

In the following example, we’ll create a role for the “hr-api-services” workspace that grants members READ access by default. Afterward, in the next section, we’ll add a user and assign her the built-in “ACM API Owner” role to grant additional permissions to the workspace.

To create a Services workspace role:

  1. In a web browser, go to the FQDN for your NGINX Management Suite host and log in.

  2. Select the Settings (gear) icon in the upper-right corner.

  3. From the left navigation menu, select Roles.

  4. Select Create.

  5. On the Create Role form, provide the following details:

    • Name: The name to use for the role. In this example, we’ll name the role “hr-api-services”.
    • Display name: An optional, user-friendly name to show for the role.
    • Description: An optional, brief summary of what the role is.

  6. To add permissions:

    1. Select Add Permission.

    2. From the Module list, select API Connectivity Manager.

    3. In the Feature list, select Service Workspace.

    4. Select Add Additional Access to add a CRUD (Create, Read, Update, Delete) access level.

      • In the Access list, select the access level(s) you want to grant. In this example, we’ll select READ.
      • In the Applies to list, select Service-Workspace.
      • In the Select values list, select the workspace you want to apply the access to. In this example, we’ll select, “hr-api-services”.

    5. Select Save.

  7. Select Save.

Add Users

When adding users, you can assign them to roles to grant tailored access levels. Role-based access is cumulative, meaning that if a user is given READ access to a feature in one role and CRUD access in another, they will have CRUD access for that feature.

In this example, we’ll create a user named Jane Smith. We’ll add her as an ACM API Owner in the “hr-api-services” workspace.

To add users, take the following steps:

  1. In a web browser, go to the FQDN for your NGINX Management Suite host and log in.

  2. Select the Settings (gear) icon in the upper-right corner.

  3. On the left menu, select Users.

  4. Select Create.

  5. On the Create User form, enter the details for the user:

    • Username: A unique name to identify the user. For example, “jane-smith”.
    • Email: The user’s email address. For example, “j.smith@acmecorp.com”.
    • First Name: The user’s first name. For example, “Jane”.
    • Last Name: The user’s last name. For example, “Smith”.
    • Description: An optional brief description of the user. For example, “Senior Software Engineer”.

  6. In the Roles list, select one or more roles to assign to the user.

    For example, for our imaginary new hire Jane Smith, select the built-in ACM API Owner role to give her those default permissions. Then select the “hr-api-services” role to assign her to that workspace. Because role-based access is cumulative, Jane, as an ACM API Owner, is granted CRUD access for the API Docs, Dev Portal Setup, and Proxy Config features in the “hr-api-services” workspace, rather than the READ access that’s assigned to members of “hr-api-services” by default.

  7. Select Save.