Give Users Access to Security Monitoring Dashboards

Learn how to grant users access to the NGINX Management Suite Security Monitoring dashboards.

Overview

You can use NGINX Management Suite Security Monitoring to monitor NGINX App Protect WAF instances. The Security Monitoring analytics dashboards and security logs provide protection insights and help you analyze possible threats or identify opportunities to tune your security policies.

By completing the steps in this topic, you will create a role that gives users access to the Security Monitoring module and logs, and assign it to user accounts or groups.

Note:
The recommendations in this guide follow the principle of least privilege and do not grant users access to the Instance Manager module. You can create additional roles with custom modules, features, and permissions to suit your use case.

Before You Begin

Complete the following prerequisites before proceeding with this guide:

  • NGINX Management Suite Security Monitoring is installed and running.

  • Your user account needs to be able to access the User Management settings in NGINX Management Suite. The minimum required role permissions are:

    • Module: Settings
    • Feature: User Management
    • Access: READ, CREATE, UPDATE

  • Review the table below to determine the minimum permissions needed for your use case.

    Module(s) Feature(s) Access Description
    Instance Manager
    Security Monitoring    		 Analytics
    Security Monitoring    		 READ
    READ    		 Read-only access that allows users to view the Security Monitoring dashboards. Users cannot access Instance Manager or Settings.
    Instance Manager
    Security Monitoring
    Settings    		 Analytics
    Security Monitoring
    User Management    		 READ
    READ
    CREATE, READ, UPDATE    		 Allows users to view the Security Monitoring dashboards and manage user accounts and roles.

    Recommended for a “super-user” who is responsible for managing other users’ access to the security dashboards. This permission set does not allow the user to delete user accounts.

Create a Role

Roles within NGINX Management Suite are a critical component of role-based access control (RBAC). By defining roles, you specify access levels and permissions for different user groups that map to groups in your Identity Provider (IdP).

NGINX Management Suite comes pre-configured with an administrator role called admin. Additional roles can be created as needed.

The admin user or any user with CREATE permission for the User Management feature can create a role.

Here’s how to create a role and set its permissions:

  1. In a web browser, go to the FQDN for your NGINX Management Suite host and log in.

  2. Select the Settings (gear) icon in the upper-right corner.

  3. Select Roles from the left navigation menu.

  4. Select Create.

  5. On the Create Role form, provide the following details:

    • Name: The name to use for the role.
    • Display name: An optional, user-friendly name to show for the role.
    • Description: An optional, brief description of what the role is.

  6. To add permissions:

    1. Select Add Permission.

    2. Choose the NGINX Management Suite module you’re creating a permission for from the Module list.

    3. Select the feature you’re granting permission for from the Feature list. To learn more about features, refer to Getting Started with RBAC.

    4. Select Add Additional Access to add a CRUD (Create, Read, Update, Delete) access level.

      • Choose the access level(s) you want to grant from the Access list.

    5. Select Save.

  7. Repeat step 6 if you need to add more permissions for other features.

  8. When you’ve added all the necessary permissions, select Save to create the role.

Example Scenario

Imagine you need to create an “app-developer” role. This role permits users to create and edit applications without allowing them to delete or perform administrative tasks. You would name the role ‘app-developer,’ select one or more features, and grant permissions that align with the requirements of application development, avoiding features and permissions that enable deletion or other administrative functions.

Assign the Role

After you’ve created a role for Security Monitoring, assign the role to one or more users or to a user group.

Assign the Role to Users

To assign roles to a user, take the following steps:

  1. In a web browser, go to the FQDN for your NGINX Management Suite host and log in.
  2. Select the Settings (gear) icon in the upper-right corner.
  3. On the left navigation menu, select Users.
  4. Select a user from the list, then select Edit User.
  5. In the Roles list, select the role(s) that you want to assign to the user.
  6. Select Save.

Assign the Role to User Groups

User Groups require an OIDC identity provider
User groups require an external identity provider configured for OpenID Connect (OIDC) authentication, as described in the Getting Started with OIDC. Users from an external identity provider cannot be assigned roles directly in NGINX Management Suite. Instead, they inherit roles by being members of user groups.

To assign roles to a user group, take the following steps:

  1. In a web browser, go to the FQDN for your NGINX Management Suite host and log in.
  2. Select the Settings (gear) icon in the upper-right corner.
  3. On the left navigation menu, select User Groups.
  4. Select a user group from the list, then select Edit.
  5. In the Roles list, select the role(s) that you want to assign to the user group.
  6. Select Save.