Set Up RBAC

Follow the steps in this tutorial to limit access to features using role-based access control (RBAC).


This documentation applies to NGINX Management Suite Instance Manager 2.1.0 and later.


Overview

Instance Manager RBAC, or Role-Based Access Control, helps you control who has access to Instance Manager resources, what they can do, and what areas they have access to.

Instance Manager RBAC is an authorization system built around three core objects:

  • Roles: A role definition, or role for short, is a collection of permissions for one or more features. A role definition lists the actions that can be performed for each feature: create, read, update, or delete. Instance Manager includes an admin built-in role with full access.
  • Users: A user account is a username with a set of credentials. You can create users directly in Instance Manager, or you can add an external identity provider.
  • Groups: A group is a collection of users. Groups in Instance Manager are used only with external identity providers. Users from an external identity provider can’t be assigned roles directly in Instance Manager, but they inherit roles through group memberships.

Users can, and often will, have multiple roles. When this happens, permissions are additive, that is, the sum of the role assignments. For example, consider a user with two roles: one role granting read access to all NGINX instances, and another role granting create, update, and delete access to a specific instance. That user will be able to read all instances but create, update, or delete only the single instance she has permission for.

A feature is a grouping of functionality in Instance Manager.

Note:
The features belonging to API Connectivity Manager are only accessible if that module is installed. Instance Manager should not be used to manage the same configurations as API Connectivity Manager. To avoid configuration issues, only READ permissions should be enabled for the following features: Staged Configs, Instance Groups, and Instance Management. This will ensure that configurations can be viewed only in Instance Manager.

The following list shows, by module, the features you can assign roles to:

Settings
  • Licensing: Allows access to view and manage licenses.
    Important: New roles require a minimum of READ access for the Licensing feature. Without READ access for Licensing, users will be unable to access pages for which they have been granted permission; instead, the system will return 403 Forbidden errors as licensing errors.
  • User Management: Allows access to view and manage roles, users, and user groups.

Instance Manager
  • Analytics: Allows access to the analytics endpoints, including metrics, catalogs, and events.
  • Certs: Allows access to view and manage certs for NGINX instances.
  • Instance Groups: Allows access to view and manage NGINX instance groups.
  • Instance Management: Allows access to view and manage NGINX instances.
  • Scan: Allows access to scan for NGINX instances.
  • Staged Configs: Allows access to view and manage staged NGINX configurations.

Security Monitoring
  • Security Monitoring: Allows access to the Security Monitoring dashboard and APIs.

API Connectivity Manager
  • API Docs: Allows access to view and manage API Docs to be published to Dev Portal.
  • Devportal Setup: Allows access to view and manage Dev Portals.
  • Environments: Allows access to view and manage Environments.
  • Infra Workspace: Allows access to view and manage Infrastructure Workspaces.
  • Proxy Config: Allows access to view and manage Proxies.
  • Service Workspace: Allows access to view and manage Service Workspaces.
  • Job History: Allows access to view and manage Job History.
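The additive evaluation described in the Overview (a read-everything role plus an edit-one-instance role) and the two constraints stated in the notes above (READ on Licensing as the minimum for every role, and READ-only access to Staged Configs, Instance Groups, and Instance Management when API Connectivity Manager is installed) can both be checked before a role is saved. The following Python is an added example, not Instance Manager code or its API: the Permission and Role classes, the per-object scope field, the sample role names, and the lint_role and is_allowed functions are assumptions made for illustration; only the feature and action names come from this page.

```python
"""Model of Instance Manager RBAC rules as described in the documentation.

Added example; not Instance Manager's own code. Feature and action names
follow the documentation; everything else (classes, scope field, role names)
is a constructed model for illustration.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Sequence, Tuple

# Actions a role definition can list for each feature (from the Overview).
ACTIONS = frozenset({"CREATE", "READ", "UPDATE", "DELETE"})

# Features that should stay READ-only in Instance Manager when API
# Connectivity Manager is installed (from the Note above the feature list).
ACM_SHARED_FEATURES = frozenset(
    {"Staged Configs", "Instance Groups", "Instance Management"}
)


@dataclass(frozen=True)
class Permission:
    feature: str
    actions: FrozenSet[str]
    # Object scope (assumed model): "*" covers every object of the feature,
    # otherwise a single object such as one NGINX instance.
    scope: str = "*"


@dataclass(frozen=True)
class Role:
    name: str
    permissions: Tuple[Permission, ...]


def _has_licensing_read(roles: Sequence[Role]) -> bool:
    return any(
        p.feature == "Licensing" and "READ" in p.actions
        for r in roles for p in r.permissions
    )


def lint_role(role: Role, acm_installed: bool = False) -> List[str]:
    """Flag a role definition that violates the rules stated in the docs."""
    problems = []
    if not _has_licensing_read((role,)):
        problems.append(
            f"{role.name}: no READ on Licensing; users holding only this role "
            "get 403 Forbidden on every page"
        )
    for p in role.permissions:
        unknown = p.actions - ACTIONS
        if unknown:
            problems.append(
                f"{role.name}: unknown action(s) {sorted(unknown)} on {p.feature}"
            )
        if acm_installed and p.feature in ACM_SHARED_FEATURES and p.actions - {"READ"}:
            problems.append(
                f"{role.name}: {p.feature} should be READ-only when "
                "API Connectivity Manager is installed"
            )
    return problems


def is_allowed(roles: Sequence[Role], feature: str, action: str, obj: str = "*") -> bool:
    """Additive evaluation: allowed if ANY assigned role grants the action."""
    # Licensing rule: without READ on Licensing nothing else is reachable.
    if not _has_licensing_read(roles):
        return False
    for r in roles:
        for p in r.permissions:
            if p.feature == feature and action in p.actions and p.scope in ("*", obj):
                return True
    return False


# Constructed sample roles reproducing the Overview's two-role example.
READ_ALL_INSTANCES = Role("instance-reader", (
    Permission("Licensing", frozenset({"READ"})),
    Permission("Instance Management", frozenset({"READ"})),
))
EDIT_ONE_INSTANCE = Role("web-01-editor", (
    Permission("Instance Management", frozenset({"CREATE", "UPDATE", "DELETE"}), scope="web-01"),
))


def demo() -> dict:
    """Evaluate the Overview's example user, who holds both sample roles."""
    both = (READ_ALL_INSTANCES, EDIT_ONE_INSTANCE)
    return {
        "read web-02": is_allowed(both, "Instance Management", "READ", "web-02"),
        "update web-01": is_allowed(both, "Instance Management", "UPDATE", "web-01"),
        "update web-02": is_allowed(both, "Instance Management", "UPDATE", "web-02"),
        # The editor role on its own has no Licensing READ, so it gets nothing.
        "editor alone updates web-01": is_allowed(
            (EDIT_ONE_INSTANCE,), "Instance Management", "UPDATE", "web-01"
        ),
    }


if __name__ == "__main__":
    for role in (READ_ALL_INSTANCES, EDIT_ONE_INSTANCE):
        for problem in lint_role(role, acm_installed=True):
            print("warning:", problem)
    for check, result in demo().items():
        print(f"{check}: {'allowed' if result else 'denied'}")
```

The editor role fails the lint on its own because it lacks Licensing READ; paired with the reader role it works, which is exactly the situation the Licensing note warns about. Running lint_role on each definition before saving it catches that case and the READ-only requirement for the three features shared with API Connectivity Manager.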

Add Users

To add users and assign roles, take the following steps:

  1. Open the NGINX Management Suite web interface and log in.

  2. Select the Settings (gear) icon in the upper-right corner.

  3. On the left navigation menu, select Users.

  4. Select Create.

  5. On the Create User form, enter information for the user:

    • Username: A unique username to identify the user.
    • Email: The user’s email address.
    • First Name: The user’s first name.
    • Last Name: The user’s last name.
    • Description: (Optional) A brief description of the user.
  6. In the Roles list, select one or more roles to assign to the user. See Create a Role to add roles to the list.

  7. (Required for Basic Auth) If you’re using basic auth, add each user’s username and password to the /etc/nms/nginx/.htpasswd file on the NGINX Management Suite server. See Restricting Access with HTTP Basic Auth for instructions on working with a password file.

Note:
Changes made to a user may take up to 10 minutes to take effect.

See Also:
To automate creating users and groups using the SCIM API, refer to the Provision Users and Groups with SCIM topic for instructions. Requires Instance Manager 2.3 or later.

Create a Role

The default admin user or any user with CREATE permission for the User Management feature can create a role.

To create a role, take the following steps:

  1. Open the NGINX Management Suite web interface and log in.

  2. Select the Settings (gear) icon in the upper-right corner.

  3. On the left navigation menu, select Roles.

  4. Select Create.

  5. On the Create Role form, provide the following details:

    • Name: the name to use for the role
    • Display name: an optional, user-friendly name to show for the role
    • Description: an optional, brief summary of what the role is
  6. To add permissions:

    1. Select Add Permission.
    2. In the Module list, select the module you’re creating a permission for.
    3. In the Feature list, select a feature you’re creating a permission for.
    4. In the Access list, select the access level you want to grant.
    5. Select Save.
  7. Repeat step 6 to add more permissions for other features.

  8. When you’ve added all the necessary permissions, select Save to create the role.

See Also:
If you use the Security Monitoring module, see the Create Role for Security Monitoring topic for instructions on creating a role for accessing the module’s dashboards and REST API.

Assign Roles

To assign roles, take the following steps:

  1. Open the NGINX Management Suite web interface and log in.
  2. Select the Settings (gear) icon in the upper-right corner.
  3. On the left navigation menu, select Users.
  4. Select a user in the list or select Create to add a new user.
  5. Select Edit User.
  6. In the Roles list, select one or more roles to assign to the user.
  7. Select Save to update the user.

Create a Group

Important:
Groups are used only with external identity providers configured to use OpenID Connect (OIDC) authentication, following the steps in the Set Up Authentication Guide.

Users from an external identity provider can’t be assigned roles directly in Instance Manager, but they inherit roles through group memberships.

The default admin user or any user with CREATE permission for the User Management feature can create a group.

To create a group, take the following steps:

  1. Open the NGINX Management Suite web interface and log in.

  2. Select the Settings (gear) icon in the upper-right corner.

  3. On the left navigation menu, select User Groups.

  4. Select Create.

  5. On the Create Group form, enter information for the group:

    • Group Name: Required. The name for the group must match the group name in the external identity provider. A group can reference only a single identity provider.
    • Display Name: A friendly display name for the group.
    • Description: A brief summary of the group.
  6. In the Roles list, select one or more roles to assign to the group.

  7. Select Save to create the group.

See Also:
To automate creating users and groups using the SCIM API, refer to the Provision Users and Groups with SCIM topic for instructions. Requires Instance Manager 2.3 or later.

What’s Next