Getting Started with RBAC

This document describes role-based access control (RBAC) in NGINX Management Suite, outlining essential concepts and features. It serves as a starting point, linking to additional resources and how-to topics for those looking to set up and manage access controls effectively.

Overview

Role-Based Access Control (RBAC) is a security system that governs access to resources within a software application. By assigning specific roles to users or groups, RBAC ensures that only authorized individuals have the ability to perform certain actions or access particular areas.

The value of RBAC lies in its ability to provide clear and structured control over what users can see and do. This makes it easier to maintain security, streamline user management, and ensure compliance with internal policies or regulations. By giving users only the permissions they need to fulfill their roles, RBAC reduces the risk of unauthorized access and fosters a more efficient and secure operating environment.

The following are essential concepts related to RBAC:

  • Users: Users are individual accounts identified by a username and credentials. You have the option to create users within NGINX Management Suite using basic authentication or to integrate with an external identity provider using OpenID Connect (OIDC).

  • Roles: Roles are sets of permissions linked to one or more features. Each role specifies the actions that are allowed for each feature, such as creating, reading, updating, or deleting. The pre-defined admin role grants full access to all features.

    Users can have multiple roles simultaneously. In such cases, the permissions granted by each role are combined, providing an additive effect. For instance, a user with two roles, one granting read access to all NGINX instances and the other allowing create, update, and delete access to a specific instance, will be able to read all instances while having the ability to create, update, or delete only the designated instance for which they have permission.

  • Groups: Groups are collections of users. They are used only when integrating with external identity providers. Users from these providers can’t be assigned roles directly within NGINX Management Suite but inherit roles through membership in groups.

  • Features: In NGINX Management Suite, features refer to distinct functional components or capabilities that let users perform a variety of tasks and access related resources. The sections below outline the features available for the NGINX Management Suite platform and modules.

  • Resource Object: These are specific elements within a feature that can be targeted for precise access control. Essentially, a resource object is a finer-grained component within a feature that you can control access to. For example, if you are working with the Instance Management feature, you have the option to apply access control to specific entities like Resource Groups and/or Systems. This allows for more nuanced management of permissions within NGINX Management Suite.

Features

The NGINX Management Suite platform and modules have their own set of capabilities called features, listed below. System administrators can decide who can access these features, and how they do so, by defining role-based access control. In the “Next Steps” section at the bottom, you’ll find links to resources for adding users and creating roles.


Note:
The availability of certain features depends on whether a module is licensed. To see the differences between the features you can use with the licensed and unlicensed versions of NGINX Management Suite, please refer to the topic Add a License.

NGINX Management Suite Platform

The NGINX Management Suite platform includes the following features:

Feature Description
NGINX Plus Counting View the number of registered NGINX Plus instances and track Kubernetes usage.
Licensing View and manage licenses.
Resource Groups Create, configure, and manage resource groups
User Management Create, configure, and manage roles, users, and user groups.

Endpoints

Explore the API endpoints for the NGINX Management Suite platform by going to https://<NMS_FQDN>/ui/docs. Replace <NMS_FQDN> with the fully qualified domain name (FQDN) of your NGINX Management Suite host, which is the complete domain name specific to your system.


Instance Manager

Instance Manager includes the following features:

Feature Resource Objects Description
Analytics Not Applicable Grants access to analytics endpoints, including metrics, catalogs, and events.
Certificates Certs, Systems, Resource Groups, Instance Groups View and manage certificates for NGINX instances.
Instance Groups Instance Groups Create, configure, and manage NGINX instance groups.
Instance Management Systems, Resource Groups View and manage NGINX instances.
Scan Not Applicable Permits scanning for NGINX instances.
Security Policies Not Applicable View and manage security policies for NGINX instances. Dependent on Instance Management and Instance Groups for publishing.
Staged Configurations Systems, Resource Groups, Instance Groups Create, configure, and manage staged NGINX configurations.

Endpoints

Explore the API endpoints for Instance Manager by going to https://<NMS_FQDN>/ui/docs. Replace <NMS_FQDN> with the fully qualified domain name (FQDN) of your NGINX Management Suite host, which is the complete domain name specific to your system.


API Connectivity Manager

API Connectivity Manager includes the following features:

Feature Description
API Docs View and manage API documentation published to a Dev Portal.
Dev Portal Setup Set up and manage Dev Portals.
Environments Create, configure, and manage environments.
Hostname View and manage hostnames for deploying proxies.
Infra Workspace Customize and manage Infrastructure workspaces.
Job History View job history for workspaces and Dev Portals.
Proxy Clusters Create, configure, and manage proxy clusters.
Proxy Config Create and manage proxies.
Service Workspace Customize and manage Service workspaces.

Endpoints

Explore the API endpoints for API Connectivity Manager by going to https://<NMS_FQDN>/ui/docs/API-Connectivity-Manager. Replace <NMS_FQDN> with the fully qualified domain name (FQDN) of your NGINX Management Suite host, which is the complete domain name specific to your system.

Built-In Roles

API Connectivity Manager comes pre-configured with roles suitable for API Owners and Infrastructure Admins.

  • API Owner: The individuals or teams who are responsible for designing, creating, and maintaining APIs.
  • Infrastructure Admin: Infrastructure Administrators ensure uniform governance across an organization’s infrastructure by setting policies at the infrastructure level, enabling teams to build APIs without interruption while adhering to the organization’s standards.
ACM API Owner

The built-in “ACM API Owner” role grants access to the following features at the workspace level. You can customize these settings if you wish.

Feature Access Scope Description
API Docs Create, Read, Update, Delete Workspace View and manage API documentation published to a Dev Portal.
Dev Portal Setup Create, Read, Update, Delete Workspace Set up and manage Dev Portals.
Hostnames Read Workspace View and manage hostnames for deploying proxies.
Proxy Config Create, Read, Update, Delete Workspace Create and manage proxies.
See Also:
The tutorial Set Up RBAC for API Owners provides an example of how to configure RBAC for API owners.
ACM Infra Admin

The built-in “ACM Infra Admin” role grants access to the following features at the workspace level. You can customize these settings if you wish.

Feature Access Scope Description
Dev Portal Setup Create, Read, Update, Delete Workspace Set up and manage Dev Portals.
Environments Create, Read, Update, Delete Workspace Create, configure, and manage environments.
Proxy Clusters Create, Read, Update, Delete Workspace Create, configure, and manage proxy clusters.
Proxy Config Read Workspace Create and manage proxies.
Service Workspace Read Workspace Customize and manage Service workspaces.
See Also:
The tutorial Set Up RBAC for Infra Admins provides an example of how to configure RBAC for Infrastructure Administrators.

Next Steps

In the following topics, you’ll learn how to add users and set up authentication methods such as basic authentication and OpenID Connect (OIDC). Once you’ve added users, you can create roles and assign them to individuals or user groups to provide access to specific features.

Add Users and Configure Authentication

Create and Assign Roles