Create and Manage Roles

Learn how to easily create and manage user roles with NGINX Management Suite to tailor access according to your needs.

Overview

The NGINX Management Suite emphasizes role-based user access control. The suite includes a predefined admin role for initial setup and administration, but it doesn’t stop there. Roles designed specifically for API Owners and Infrastructure Admins, for instance, let organizations finely delineate responsibilities and permissions. If these built-in roles don’t meet your needs, it’s easy to create your own.

Create Roles

Roles within NGINX Management Suite are a critical component of role-based access control (RBAC). By defining roles, you specify access levels and permissions for different user groups that map to groups in your Identity Provider (IdP).

NGINX Management Suite comes pre-configured with an administrator role called admin. Additional roles can be created as needed.

The admin user or any user with CREATE permission for the User Management feature can create a role.

Here’s how to create a role and set its permissions:

  1. In a web browser, go to the FQDN for your NGINX Management Suite host and log in.

  2. Select the Settings (gear) icon in the upper-right corner.

  3. Select Roles from the left navigation menu.

  4. Select Create.

  5. On the Create Role form, provide the following details:

    • Name: The name to use for the role.
    • Display name: An optional, user-friendly name to show for the role.
    • Description: An optional, brief description of what the role is.

  6. To add permissions:

    1. Select Add Permission.

    2. Choose the NGINX Management Suite module you’re creating a permission for from the Module list.

    3. Select the feature you’re granting permission for from the Feature list. To learn more about features, refer to Getting Started with RBAC.

    4. Select Add Additional Access to add a CRUD (Create, Read, Update, Delete) access level.

      • Choose the access level(s) you want to grant from the Access list.

    5. Select Save.

  7. Repeat step 6 if you need to add more permissions for other features.

  8. When you’ve added all the necessary permissions, select Save to create the role.

Example Scenario

Imagine you need to create an “app-developer” role. This role permits users to create and edit applications without allowing them to delete or perform administrative tasks. You would name the role “app-developer”, select one or more features, and grant permissions that align with the requirements of application development, avoiding features and permissions that enable deletion or other administrative functions.

Edit Roles

To modify an existing role in NGINX Management Suite, follow the steps below:

  1. In a web browser, go to the FQDN for your NGINX Management Suite host and log in.

  2. Select the Settings (gear) icon in the upper-right corner.

  3. From the left navigation menu, select Roles.

  4. From the list, select the role you want to update.

  5. Select Edit Role and make changes to any of the editable fields if needed:

    • Display name: an optional, user-friendly name to show for the role
    • Description: an optional, brief summary of what the role is

  6. To add new permissions to the role:

    1. Select Add Permission.

    2. In the Module list, select the module you’re creating a permission for.

    3. In the Feature list, select a feature you’re creating a permission for.

    4. Select Add Additional Access to add a CRUD (Create, Read, Update, Delete) access level.

      • In the Access list, select the access level(s) you want to grant.

    5. Select Save.

  7. To edit an existing permission for the role, select Edit found next to the permission name.

    1. On the Edit Permission form, you can modify the Module, Feature, current Access level or add more access options.

  8. Once you’ve made all your changes, select Save.

Built-In Roles

API Connectivity Manager

API Connectivity Manager comes pre-configured with roles suitable for API Owners and Infrastructure Admins.

  • API Owner: The individuals or teams who are responsible for designing, creating, and maintaining APIs.
  • Infrastructure Admin: Infrastructure Administrators ensure uniform governance across an organization’s infrastructure by setting policies at the infrastructure level, enabling teams to build APIs without interruption while adhering to the organization’s standards.

ACM API Owner

The built-in “ACM API Owner” role grants access to the following features at the workspace level. You can customize these settings if you wish.

| Feature | Access | Scope | Description |
|---|---|---|---|
| API Docs | Create, Read, Update, Delete | Workspace | View and manage API documentation published to a Dev Portal. |
| Dev Portal Setup | Create, Read, Update, Delete | Workspace | Set up and manage Dev Portals. |
| Hostnames | Read | Workspace | View and manage hostnames for deploying proxies. |
| Proxy Config | Create, Read, Update, Delete | Workspace | Create and manage proxies. |

See Also:
The tutorial Set Up RBAC for API Owners provides an example of how to configure RBAC for API owners.

ACM Infra Admin

The built-in “ACM Infra Admin” role grants access to the following features at the workspace level. You can customize these settings if you wish.

| Feature | Access | Scope | Description |
|---|---|---|---|
| Dev Portal Setup | Create, Read, Update, Delete | Workspace | Set up and manage Dev Portals. |
| Environments | Create, Read, Update, Delete | Workspace | Create, configure, and manage environments. |
| Proxy Clusters | Create, Read, Update, Delete | Workspace | Create, configure, and manage proxy clusters. |
| Proxy Config | Read | Workspace | Create and manage proxies. |
| Service Workspace | Read | Workspace | Customize and manage Service workspaces. |

See Also:
The tutorial Set Up RBAC for Infra Admins provides an example of how to configure RBAC for Infrastructure Administrators.
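
The following added example (not part of the NGINX Management Suite documentation or product) models the two built-in role tables above and a constructed draft of the “app-developer” scenario as Python dictionaries, then flags grants that contradict the intended scope before the role is entered in the Create Role form. The dictionary layout, the function names and the draft role are assumptions for illustration; this is not an NGINX Management Suite API or export format.

```python
# Added example: hypothetical in-memory model of roles (feature -> access set).
# It is not an NGINX Management Suite API payload or export format.
CRUD = {"CREATE", "READ", "UPDATE", "DELETE"}

# Built-in roles transcribed from the tables on this page.
ACM_API_OWNER = {
    "API Docs": CRUD, "Dev Portal Setup": CRUD,
    "Hostnames": {"READ"}, "Proxy Config": CRUD,
}
ACM_INFRA_ADMIN = {
    "Dev Portal Setup": CRUD, "Environments": CRUD, "Proxy Clusters": CRUD,
    "Proxy Config": {"READ"}, "Service Workspace": {"READ"},
}
# Constructed draft of the "app-developer" scenario with two deliberate mistakes.
APP_DEVELOPER_DRAFT = {
    "Proxy Config": {"CREATE", "READ", "UPDATE", "DELETE"},
    "API Docs": {"CREATE", "READ", "UPDATE"},
    "User Management": {"READ", "CREATE"},
}

def review_role(role, forbidden_access=frozenset({"DELETE"}),
                admin_features=frozenset({"User Management"})):
    """Return sorted findings for grants that break the scenario's intent."""
    findings = []
    for feature, access in role.items():
        unknown = set(access) - CRUD
        if unknown:
            findings.append(f"{feature}: unknown access {sorted(unknown)}")
        hit = set(access) & forbidden_access
        if hit:
            findings.append(f"{feature}: forbidden access {sorted(hit)}")
        # CREATE on User Management lets the holder create further roles.
        if feature in admin_features and set(access) - {"READ"}:
            findings.append(f"{feature}: administrative write access")
    return sorted(findings)

def shared_write_features(role_a, role_b):
    """Features both roles can modify: candidates for a separation-of-duties review."""
    write = CRUD - {"READ"}
    return sorted(f for f in role_a.keys() & role_b.keys()
                  if role_a[f] & write and role_b[f] & write)

if __name__ == "__main__":
    for line in review_role(APP_DEVELOPER_DRAFT):
        print("FINDING", line)
    print("Shared write:", shared_write_features(ACM_API_OWNER, ACM_INFRA_ADMIN))
```

Run against the two built-in roles, the overlap check reports Dev Portal Setup as the only feature both roles can modify.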

Next Steps

Assign Roles to Users or User Groups

After creating RBAC roles, your next task in configuring RBAC is to assign these roles to the right users or user groups. This step ensures that permissions line up with individual responsibilities within the organization, creating a clear and understandable structure for access control.