Getting Started with RBAC
This document describes role-based access control (RBAC) in NGINX Management Suite, outlining essential concepts and features. It serves as a starting point, linking to additional resources and how-to topics for those looking to set up and manage access controls effectively.
Overview
Role-Based Access Control (RBAC) is a security system that governs access to resources within a software application. By assigning specific roles to users or groups, RBAC ensures that only authorized individuals have the ability to perform certain actions or access particular areas.
The value of RBAC lies in its ability to provide clear and structured control over what users can see and do. This makes it easier to maintain security, streamline user management, and ensure compliance with internal policies or regulations. By giving users only the permissions they need to fulfill their roles, RBAC reduces the risk of unauthorized access and fosters a more efficient and secure operating environment.
The following are essential concepts related to RBAC:
- Users: Users are individual accounts identified by a username and credentials. You have the option to create users within NGINX Management Suite using basic authentication or to integrate with an external identity provider using OpenID Connect (OIDC).
- Roles: Roles are sets of permissions linked to one or more features. Each role specifies the actions that are allowed for each feature, such as creating, reading, updating, or deleting. The pre-defined admin role grants full access to all features. Users can have multiple roles simultaneously. In such cases, the permissions granted by each role are combined, providing an additive effect. For instance, a user with two roles, one granting read access to all NGINX instances and the other allowing create, update, and delete access to a specific instance, will be able to read all instances while having the ability to create, update, or delete only the designated instance for which they have permission.
- Groups: Groups are collections of users. They are used only when integrating with external identity providers. Users from these providers can’t be assigned roles directly within NGINX Management Suite but inherit roles through membership in groups.
- Features: In NGINX Management Suite, features refer to distinct functional components or capabilities that let users perform a variety of tasks and access related resources. The sections below outline the features available for the NGINX Management Suite platform and modules.
- Resource Object: These are specific elements within a feature that can be targeted for precise access control. Essentially, a resource object is a finer-grained component within a feature that you can control access to. For example, if you are working with the Instance Management feature, you have the option to apply access control to specific entities like Resource Groups and/or Systems. This allows for more nuanced management of permissions within NGINX Management Suite.
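The additive role semantics and group-based role inheritance described above, modelled as a small added example (this is not NGINX Management Suite code; the role, group, user and instance names are constructed for illustration):

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Permission:
    feature: str                       # e.g. "Instance Management"
    actions: frozenset                 # subset of {create, read, update, delete}
    objects: Optional[frozenset] = None  # None = every resource object in the feature

@dataclass
class Role:
    name: str
    permissions: tuple

@dataclass
class User:
    name: str
    roles: tuple = ()    # roles assigned directly (basic-auth users)
    groups: tuple = ()   # IdP groups; OIDC users only get roles through these

def effective_roles(user, group_roles):
    """Direct roles plus roles inherited through group membership."""
    roles = list(user.roles)
    for group in user.groups:
        roles.extend(group_roles.get(group, ()))
    return roles

def allowed_actions(user, group_roles, feature, obj):
    """Union of actions over every role covering (feature, obj): roles are additive,
    and a role scoped to specific objects contributes nothing for other objects."""
    actions = set()
    for role in effective_roles(user, group_roles):
        for perm in role.permissions:
            if perm.feature == feature and (perm.objects is None or obj in perm.objects):
                actions |= perm.actions
    return actions

# Constructed roles matching the two-role example in the text.
READ_ALL = Role("read-all-instances",
                (Permission("Instance Management", frozenset({"read"})),))
MANAGE_ONE = Role("manage-instance-a",
                  (Permission("Instance Management",
                              frozenset({"create", "update", "delete"}),
                              frozenset({"instance-a"})),))
GROUP_ROLES = {"platform-ops": (MANAGE_ONE,)}   # constructed group-to-roles mapping

alice = User("alice", roles=(READ_ALL, MANAGE_ONE))   # basic-auth user, direct roles
bob = User("bob", groups=("platform-ops",))           # OIDC user, roles via group only

if __name__ == "__main__":
    print(allowed_actions(alice, GROUP_ROLES, "Instance Management", "instance-a"))
    print(allowed_actions(alice, GROUP_ROLES, "Instance Management", "instance-b"))
```

Alice gets all four actions on instance-a but only read on any other instance; Bob, who holds no direct roles, can manage instance-a through his group and nothing else.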
Features
The NGINX Management Suite platform and modules have their own set of capabilities called features, listed below. System administrators can decide who can access these features, and how they do so, by defining role-based access control. In the “Next Steps” section at the bottom, you’ll find links to resources for adding users and creating roles.
Note:
The availability of certain features depends on whether a module is licensed. To see the differences between the features you can use with the licensed and unlicensed versions of NGINX Management Suite, please refer to the topic Add a License.
NGINX Management Suite Platform
The NGINX Management Suite platform includes the following features:
Feature | Description |
---|---|
NGINX Plus Counting | View the number of registered NGINX Plus instances and track Kubernetes usage. |
Licensing | View and manage licenses. |
Resource Groups | Create, configure, and manage resource groups. |
User Management | Create, configure, and manage roles, users, and user groups. |
Endpoints
Explore the API endpoints for the NGINX Management Suite platform by going to https://<NMS_FQDN>/ui/docs. Replace <NMS_FQDN> with the fully qualified domain name (FQDN) of your NGINX Management Suite host, which is the complete domain name specific to your system.
Instance Manager
Instance Manager includes the following features:
Feature | Resource Objects | Description |
---|---|---|
Analytics | Not Applicable | Grants access to analytics endpoints, including metrics, catalogs, and events. |
Certificates | Certs, Systems, Resource Groups, Instance Groups | View and manage certificates for NGINX instances. |
Instance Groups | Instance Groups | Create, configure, and manage NGINX instance groups. |
Instance Management | Systems, Resource Groups | View and manage NGINX instances. |
Scan | Not Applicable | Permits scanning for NGINX instances. |
Security Policies | Not Applicable | View and manage security policies for NGINX instances. Dependent on Instance Management and Instance Groups for publishing. |
Staged Configurations | Systems, Resource Groups, Instance Groups | Create, configure, and manage staged NGINX configurations. |
Endpoints
Explore the API endpoints for Instance Manager by going to https://<NMS_FQDN>/ui/docs. Replace <NMS_FQDN> with the fully qualified domain name (FQDN) of your NGINX Management Suite host, which is the complete domain name specific to your system.
API Connectivity Manager
API Connectivity Manager includes the following features:
Feature | Description |
---|---|
API Docs | View and manage API documentation published to a Dev Portal. |
Dev Portal Setup | Set up and manage Dev Portals. |
Environments | Create, configure, and manage environments. |
Hostname | View and manage hostnames for deploying proxies. |
Infra Workspace | Customize and manage Infrastructure workspaces. |
Job History | View job history for workspaces and Dev Portals. |
Proxy Clusters | Create, configure, and manage proxy clusters. |
Proxy Config | Create and manage proxies. |
Service Workspace | Customize and manage Service workspaces. |
Endpoints
Explore the API endpoints for API Connectivity Manager by going to https://<NMS_FQDN>/ui/docs/API-Connectivity-Manager. Replace <NMS_FQDN> with the fully qualified domain name (FQDN) of your NGINX Management Suite host, which is the complete domain name specific to your system.
Built-In Roles
API Connectivity Manager comes pre-configured with roles suitable for API Owners and Infrastructure Admins.
- API Owner: The individuals or teams who are responsible for designing, creating, and maintaining APIs.
- Infrastructure Admin: Infrastructure Administrators ensure uniform governance across an organization’s infrastructure by setting policies at the infrastructure level, enabling teams to build APIs without interruption while adhering to the organization’s standards.
ACM API Owner
The built-in “ACM API Owner” role grants access to the following features at the workspace level. You can customize these settings if you wish.
Feature | Access | Scope | Description |
---|---|---|---|
API Docs | Create, Read, Update, Delete | Workspace | View and manage API documentation published to a Dev Portal. |
Dev Portal Setup | Create, Read, Update, Delete | Workspace | Set up and manage Dev Portals. |
Hostnames | Read | Workspace | View and manage hostnames for deploying proxies. |
Proxy Config | Create, Read, Update, Delete | Workspace | Create and manage proxies. |
See Also:
The tutorial Set Up RBAC for API Owners provides an example of how to configure RBAC for API owners.
ACM Infra Admin
The built-in “ACM Infra Admin” role grants access to the following features at the workspace level. You can customize these settings if you wish.
Feature | Access | Scope | Description |
---|---|---|---|
Dev Portal Setup | Create, Read, Update, Delete | Workspace | Set up and manage Dev Portals. |
Environments | Create, Read, Update, Delete | Workspace | Create, configure, and manage environments. |
Proxy Clusters | Create, Read, Update, Delete | Workspace | Create, configure, and manage proxy clusters. |
Proxy Config | Read | Workspace | Create and manage proxies. |
Service Workspace | Read | Workspace | Customize and manage Service workspaces. |
See Also:
The tutorial Set Up RBAC for Infra Admins provides an example of how to configure RBAC for Infrastructure Administrators.
App Delivery Manager
App Delivery Manager includes the following features:
Feature | Description |
---|---|
Environments | Create, configure, and manage environments. |
Apps | Create, configure, and manage apps. |
Gateways | Create, configure, and manage gateways. |
Sites | Create, configure, and manage sites. |
TCP-UDP Components | Create, configure, and manage TCP/UDP components. |
Web Components | Create, configure, and manage web components. |
Endpoints
Explore the API endpoints for App Delivery Manager by going to https://<NMS_FQDN>/ui/docs/App-Delivery-Manager. Replace <NMS_FQDN> with the fully qualified domain name (FQDN) of your NGINX Management Suite host, which is the complete domain name specific to your system.
Security Monitoring
Security Monitoring includes the following features:
Feature | Description |
---|---|
Security Monitoring | Grants access to the Security Monitoring dashboard and APIs. |
Endpoints
Explore the API endpoints for Security Monitoring by going to https://<NMS_FQDN>/ui/docs. Replace <NMS_FQDN> with the fully qualified domain name (FQDN) of your NGINX Management Suite host, which is the complete domain name specific to your system.
Next Steps
In the following topics, you’ll learn how to add users and set up authentication methods such as basic authentication and OpenID Connect (OIDC). Once you’ve added users, you can create roles and assign them to individuals or user groups to provide access to specific features.