Getting Started with RBAC
Overview
Role-Based Access Control (RBAC) is a security system that governs access to resources within a software application. By assigning specific roles to users or groups, RBAC ensures that only authorized individuals have the ability to perform certain actions or access particular areas.
The value of RBAC lies in its ability to provide clear and structured control over what users can see and do. This makes it easier to maintain security, streamline user management, and ensure compliance with internal policies or regulations. By giving users only the permissions they need to fulfill their roles, RBAC reduces the risk of unauthorized access and fosters a more efficient and secure operating environment.
The following are essential concepts related to RBAC:
-
Users: Users are individual accounts identified by a username and credentials. You have the option to create users within F5 NGINX Management Suite using basic authentication or to integrate with an external identity provider using OpenID Connect (OIDC).
-
Roles: Roles are sets of permissions linked to one or more features. Each role specifies the actions that are allowed for each feature, such as creating, reading, updating, or deleting. The pre-defined
adminrole grants full access to all features.Users can have multiple roles simultaneously. In such cases, the permissions granted by each role are combined, providing an additive effect. For instance, a user with two roles, one granting read access to all NGINX instances and the other allowing create, update, and delete access to a specific instance, will be able to read all instances while having the ability to create, update, or delete only the designated instance for which they have permission.
-
Groups: Groups are collections of users. They are used only when integrating with external identity providers. Users from these providers can’t be assigned roles directly within NGINX Management Suite but inherit roles through membership in groups.
-
Features: In NGINX Management Suite, features refer to distinct functional components or capabilities that let users perform a variety of tasks and access related resources. The sections below outline the features available for the NGINX Management Suite platform and modules.
-
Resource Object: These are specific elements within a feature that can be targeted for precise access control. Essentially, a resource object is a finer-grained component within a feature that you can control access to. For example, if you are working with the Instance Management feature, you have the option to apply access control to specific entities like Resource Groups and/or Systems. This allows for more nuanced management of permissions within NGINX Management Suite.
Features
The NGINX Management Suite platform and modules have their own set of capabilities called features, listed below. System administrators can decide who can access these features, and how they do so, by defining role-based access control. In the “Next Steps” section at the bottom, you’ll find links to resources for adding users and creating roles.
Note:
The availability of certain features depends on whether a module is licensed. To see the differences between the features you can use with the licensed and unlicensed versions of NGINX Management Suite, please refer to the topic Add a License.
NGINX Management Suite Platform
The NGINX Management Suite platform includes the following features:
| Feature | Description |
|---|---|
| NGINX Plus Counting | View the number of registered NGINX Plus instances and track Kubernetes usage. |
| Licensing | View and manage licenses. |
| Resource Groups | Create, configure, and manage resource groups |
| User Management | Create, configure, and manage roles, users, and user groups. |
Endpoints
Explore the API endpoints for the NGINX Management Suite platform by going to https://<NMS_FQDN>/ui/docs. Replace <NMS_FQDN> with the fully qualified domain name (FQDN) of your NGINX Management Suite host, which is the complete domain name specific to your system.
Instance Manager
Instance Manager includes the following features:
| Feature | Applicable Resource Objects | Description |
|---|---|---|
| Analytics | Not Applicable | Grants access to analytics endpoints, including metrics, catalogs, and events. |
| Certificates | Certs, Instance Groups, Resource Groups, Systems | View and manage certificates for NGINX instances. |
| Instance Groups | Instance Groups | Create, configure, and manage NGINX instance groups. |
| Instance Management | Resource Groups, Systems | View and manage NGINX instances. |
| Scan | Not Applicable | Permits scanning for NGINX instances. |
| Security Policies | Not Applicable | View and manage security policies for NGINX instances. Dependent on Instance Management and Instance Groups for publishing. |
| Staged Configurations | Instance Groups, Resource Groups, Systems | View, create, update, and delete staged NGINX configurations. |
| Templates | Instance Groups, Resource Groups, Systems, Templates | View, create, update, and delete NGINX config templates. |
| Template Submissions | Instance Groups, Resource Groups, Systems, Templates, Template Submissions | View, create, update, and delete NGINX config template submissions. |
Endpoints
Explore the API endpoints for Instance Manager by going to https://<NMS_FQDN>/ui/docs. Replace <NMS_FQDN> with the fully qualified domain name (FQDN) of your NGINX Management Suite host, which is the complete domain name specific to your system.
Next Steps
In the following topics, you’ll learn how to add users and set up authentication methods such as basic authentication and OpenID Connect (OIDC). Once you’ve added users, you can create roles and assign them to individuals or user groups to provide access to specific features.