Configure role-based access control
Citrix Application Delivery Management (Citrix ADM) provides fine-grained, role based access control (RBAC) with which you can grant access permissions based on the roles of individual users within your enterprise.
In Citrix ADM, all users are added in Citrix Cloud. As the first user of your organization, you must first create an account in Citrix Cloud and then log on to the Citrix ADM GUI with the Citrix Cloud credentials. You are granted the super admin role, and by default, you have all access permissions in Citrix ADM. Later you can create other users in your organization in Citrix Cloud.
Users who are created later and who log on to Citrix ADM as regular users are known as delegated admins. These users, by default, have all the permissions except user administration permissions. However, you can grant specific user administration permissions to these delegated admin users. You can do that by creating appropriate policies and by assigning them to these delegated users. The user administration permissions are at Account > User Administration. For more information on how to assign specific permissions, see How to Assign extra Permissions to Delegated Admin Users.
More information on how to create policies, roles, groups, and how to bind the users to groups is provided in the following sections.
The following example illustrates how RBAC can be achieved in Citrix ADM.
Chris, the ADC group head, is the super administrator of Citrix ADM in his organization. He creates three administrator roles: security administrator, application administrator, and network administrator.
- David, the security admin, must have complete access for SSL Certificate management and monitoring but should have read-only access for system administration operations.
- Steve, an application admin, needs access to only specific applications and only specific configuration templates.
- Greg, a network admin, needs access to system and network administration.
- Chris also must provide RBAC for all users, irrespective of the fact that they are local or a multitenant.
The following image shows the permissions that the administrators and other users have and their roles in the organization.
To provide role based access control to his users, Chris must first add users in Citrix Cloud and only after that he can see the users in Citrix ADM. Chris must create access policies for each of the users depending on their role. Access policies are tightly bound to roles. So, Chris must also create roles, and then he must create groups as roles can be assigned to groups only and not to individual users.
Access is the ability to perform a specific task, such as view, create, modify, or delete a file. Roles are defined according to the authority and responsibility of the users within the enterprise. For example, one user might be allowed to perform all network operations, while another user can observe the traffic flow in applications and help in creating configuration templates.
Roles are determined by policies. After creating policies, you can create roles, bind each role to one or more policies, and assign roles to users. You can also assign roles to groups of users. A group is a collection of users who have permissions in common. For example, users who are managing a particular data center can be assigned to a group. A role is an identity granted to users by adding them to specific groups based on specific conditions. In Citrix ADM, creating roles and policies are specific to the RBAC feature in Citrix ADC. Roles and policies can be easily created, changed, or discontinued as the needs of the enterprise evolve, without having to individually update the privileges for every user.
Roles can be feature based or resource based. For example, consider an SSL/security administrator and an application administrator. An SSL/security administrator must have complete access to SSL Certificate management and monitoring features, but should have read-only access for system administration operations. Application administrators are able to access only the resources within their scope.
Therefore, in your role as Chris, the super admin, perform the following example tasks in Citrix ADM to configure access policies, roles, and user groups for David who is the security admin in your organization.
Configure Users on Citrix ADM
As a super admin, you can create more users by configuring accounts for them in Citrix Cloud and not in Citrix ADM. When the new users are added to Citrix ADM, you can only define their permissions by assigning the appropriate groups to the user.
To add new users in Citrix Cloud:
In Citrix ADM GUI, click the Hamburger icon at the top left, and select Identity and Access Management.
On the Identity and Access Management page, select Administrators tab.
This tab lists the users that are created in Citrix Cloud.
Type the email address of the user that you want to add in Citrix ADM and click Invite.
The user receives an email invite from Citrix Cloud. The user must click the link provided in the email to complete the registration process by providing their full name and password, and later log on to Citrix ADM using their credentials.
As an admin, you see the new user in Citrix ADM Users list only after the user logs on to Citrix ADM.
To Configure Users in Citrix ADM:
In Citrix ADM GUI, navigate to Account > User Administration > Users.
The user is displayed on the Users page.
You can edit the privileges provided to the user by selecting the user and clicking Edit. You can also edit group permissions on Groups page under Settings node.
Your users are added in Citrix ADM from the Citrix Cloud only. Therefore, even though you have admin permissions, you cannot add or delete users in Citrix ADM GUI. You can only edit the group permissions. Users can be added or deleted from Citrix Cloud.
The user details appear on the service GUI only after the user has logged on to the Citrix ADM at least once.
Configure Access Policies on Citrix ADM
Access policies define permissions. A policy can be applied to a user group or to multiple groups by creating roles. Roles are determined by policies. After creating policies, you must create roles, bind each role to one or more policies, and assign roles to user groups. Citrix ADM provides five predefined access policies:
- admin_policy. Grants access to all Citrix ADM nodes. The user has both view and edit permissions, can view all Citrix ADM content, and can perform all edit operations. That is, the user can add, modify, and delete operations on the resources.
- adminExceptSystem_policy. Grants access to users for all nodes in Citrix ADM GUI, except access to the Settings node.
- readonly_policy. Grants read-only permissions. The user can view all content on Citrix ADM but is not authorized to perform any operations.
- appadmin_policy. Grants administrative permissions for accessing the application features in Citrix ADM. A user bound to this policy can add, modify, and delete custom applications, and can enable or disable the services, service groups, and the various virtual servers, such as content switching, cache redirection, and HAProxy virtual servers.
- appreadonly_policy. Grants read-only permission for application features. A user bound to this policy can view the applications, but cannot perform any add, modify, or delete, enable, or disable operations.
Though you cannot edit these predefined policies, you can create your own (user-defined) policies.
Earlier, when you assigned policies to roles and bound the roles to user groups, you can provide permissions for the user groups at node level in Citrix ADM GUI. For example, you might only provide access permissions to the entire Load Balancing node. Your users had permission to access all entity-specific subnodes under Load Balancing node (for example, virtual server, services, and others) or they did not have permission to access any node under Load Balancing.
In Citrix ADM 507.x build and later versions, the access policy management is extended to provide permissions for subnodes as well. Access policy settings can be configured for all subnodes such as virtual servers, services, service groups, and servers.
Currently, you can provide such a granular level access permission only for subnodes under Load Balancing node and also for subnodes under GSLB node.
For example, as an administrator, you might want to give the user an access permission for only to view virtual servers, but not the back end services, service groups, and application servers in Load Balancing node. The users with such a policy assigned to them can access only the virtual servers.
To create user-defined access policies:
In Citrix ADM GUI, navigate to Account > User Administration > Access Policies.
On the Create Access Policies page, in the Policy Name field, enter the name of the policy, and enter the description in the Policy Description field.
The Permissions section lists of all Citrix ADM features, with options for specifying read-only, enable-disable, or edit access.
Click the (+) icon to expand each feature group into multiple features.
Select the permission check box next to the feature name to grant permissions to the users.
View: This option allows the user to view the feature in Citrix ADM.
Enable-Disable: This option is available only for the Network Functions features that allow enable or disable action on Citrix ADM. User can enable or disable the feature. And, user can also perform the Poll Now action.
When you grant the Enable-Disable permission to a user, the View permission is also granted. You cannot deselect this option.
Edit: This option grants the full access to the user. User can modify the feature and its functions.
If you grant the Edit permission, both View and Enable-Disable permissions are granted. You cannot deselect the auto-selected options.
If you select the feature check box, it selects all the permissions for the feature.
Expand Load Balancing and GSLB to view more configuration options.
In the following image, the configuration options of the Load Balancing feature have different permissions:
The View permission is granted to a user for the Virtual Servers feature. User can view the load balancing virtual servers in Citrix ADM. To view virtual servers, navigate to Networks > Network Functions > Load Balancing and select the Virtual Servers tab.
The Enable-Disable permission is granted to a user for the Services feature. This permission also grants the View permission. User can enable or disable the services bound to a load balancing virtual server. Also, user can perform Poll Now action on services. To enable or disable services, navigate to Networks > Network Functions > Load Balancing and select the Services tab.
If a user has the Enable-Disable permission, the enable or disable action on a service is restricted in the following page:
Navigate to Networks > Network Functions.
Select a virtual server and click Configure.
Select the Load Balancing Virtual Server Service Binding page. This page displays an error message if you select Enable or Disable.
The Edit permission is granted to a user for the Service Groups feature. This permission grants the full access where View and Enable-Disable permissions are granted. User can modify the service groups that are bound to a load balancing virtual server. To edit service groups, navigate to Networks > Network Functions > Load Balancing and select the Service Groups tab.
Selecting Edit might internally assign dependent permissions that are not shown as enabled in the Permissions section. For example, when you enable edit permissions for fault management, Citrix ADM internally provides permission for configuring a mail profile or for creating SMTP server setups, so that the user can send the report as a mail.
Configure Roles on Citrix ADM
In Citrix ADM, each role is bound to one or more access policies. You can define one-to-one, one-to-many, and many-to-many relationships between policies and roles. You can bind one role to multiple policies, and you can bind multiple roles to one policy.
For example, a role might be bound to two policies, with one policy defining access permissions for one feature and the other policy defining access permissions for another feature. One policy might grant permission to add Citrix ADC instances in Citrix ADM, and the other policy might grant permission to create and deploy StyleBooks and to configure Citrix ADC instances.
When multiple policies define the edit and read-only permissions for a single feature, the edit permissions have priority over read-only permissions.
Citrix ADM provides five predefined roles:
- admin_role. Has access to all Citrix ADM features. (This role is bound to adminpolicy.)
- adminExceptSystem_role. Has access to the Citrix ADM GUI except for the Settings permissions. (This role is bound to adminExceptSystem_policy)
- readonly_role. Has read-only access. (This role is bound to readonlypolicy.)
- appAdmin_role. Has administrative access to only the application features in Citrix ADM. (This role is bound to appAdminPolicy).
- appReadonly_role. Has read-only access to the application features. (This role is bound to appReadOnlyPolicy.)
Though you cannot edit the predefined roles, you can create your own (user-defined) roles.
To create roles and assign policies to them:
In Citrix ADM GUI, navigate to Account > User Administration > Roles.
On Create Roles page, in the Role Name field, enter the name of the role, and provide the description in the Role Description field (optional.)
In the Policies section, add move one or more policies to the Configured list.
The policies are pre-fixed with a tenant ID (for example, maasdocfour) that is unique to all tenants.
You can create an access policy by clicking New, or you can navigate to Account > User Administration > Access Policies, and create policies.
Configure Groups on Citrix ADM
In Citrix ADM, a group can have both feature-level and resource-level access. For example, one group of users might have access to only selected Citrix ADC instances; another group with only a selected few applications, and so on.
When you create a group, you can assign roles to the group, provide application-level access to the group, and assign users to the group. All users in that group are assigned the same access rights in Citrix ADM.
You can manage a user access in Citrix ADM at the individual level of network function entities. You can dynamically assign specific permissions to the user or group at the entity level.
Citrix ADM treats virtual server, services, service groups, and servers as network function entities.
Virtual server (Applications) - Load Balancing(lb), GSLB, Context Switching (CS), Cache Redirection (CR), Authentication (Auth), and Citrix Gateway (vpn)
- Services - Load balancing and GSLB services
- Service Group - Load balancing and GSLB Service groups
- Servers - Load balancing Servers
To create a group:
In Citrix ADM, navigate to Account > User Administration > Groups.
The Create System Group page is displayed.
In the Group Name field, enter the name of the group.
In the Group Description field, type in a description of your group. Providing a good description helps you to understand the role and function of the group.
In the Roles section, move one or more roles to the Configured list.
The roles are pre-fixed with a tenant ID (for example, maasdocfour) that is unique to all tenants.
In the Available list, you can click New or Edit and create or modify roles.
Alternatively, you can navigate to Accounts > User Administration > Users, and create or modify users.
In the Authorization Settings tab, you can choose resources from the following categories:
- Autoscale Groups
- Configuration Templates
- Domain Names
You might want to select specific resources from the categories to which users can have access.
If you want to select the specific autoscale groups that user can view or manage, perform the following steps:
Clear the All AutoScale Groups check box and click Add AutoScale Groups.
Select the required autoscale groups from the list and click OK.
If you want to select the specific instances that user can view or manage, perform the following steps:
Clear the All Instances check box and click Select Instances.
Select the required instances from the list and click OK.
The Choose Applications list allows you to grant access to a user for the required applications. This list provides you the following options:
All Applications: This option is selected by default. It adds all applications that are present in the Citrix ADM.
All Applications of selected instances: This option appears only if you select instances from the All Instances category. It adds all the applications present on the selected instance.
Specific Applications: This option allows you to add the required applications that you want users to access. Click Add Applications and select the required applications from the list.
Select Individual Entity Type: This option allows you to select specific type of network function entity and corresponding entities.
You can either add individual entities or select all entities under the required entity type to grant access to a user.
The Apply on bound entities also option authorizes the entities that are bound to the selected entity type. For example, if you select an application and select Apply on bound entities also , Citrix ADM authorizes all the entities that are bound to the selected application.
Ensure you have selected only one entity type if you want to authorize bound entities.
You can use regular expressions to search and add the network function entities that meet the regex criteria for the groups. The specified regex expression is persisted in Citrix ADM. To add regular expression, perform the following steps:
Click Add Regular Expression.
Specify the regular expression in the text box.
The following image explains how to use regular expression to add an application when you select the Specific Applications option:
The following image explains how to use regular expression to add network function entities when you choose the Select the Individual Entity Type option:
If you want to add more regular expressions, click the + icon.
The regular expression only matches the server name for the Servers entity type and not the server IP address.
If you select the Apply on bound entities also option for a discovered entity, user can automatically access the entities that are bound to the discovered entity.
The regular expression is stored in the system to update the authorization scope. When the new entities match the regular expression of their entity type, Citrix ADM updates the authorization scope to the new entities.
If you want to select the specific configuration template that user can view or manage, perform the following steps:
Clear the All Configuration templates check box and click Add Configuration Template.
Select the required template from the list and click OK.
If you want to select the specific StyleBook that user can view or manage, perform the following steps:
Clear the All StyleBooks check box and click Add StyleBook to Group.
Select the required StyleBooks from the list and click OK.
You can select the required StyleBooks when you create groups and add users to that group. When your user selects the permitted StyleBook, all dependent StyleBooks are also selected. The config packs of that StyleBook are also included in what the user has access to.
If you want to select the specific domain name that user can view or manage, perform the following steps:
Clear the All Domain Names check box and click Add Domain Name.
Select the required domain names from the list and click OK.
Click Create Group.
In the Assign Users section, select the user in the Available list, and add the user to the Configured list.
You can also add new users by clicking New.
How user access changes based on the authorization scope
When an administrator adds a user to a group that has different access policy settings, the user is mapped to more than one authorization scopes and access policies.
In this case, the ADM grants the user access to applications depending on the specific authorization scope.
Consider a user who is assigned to a group that has two policies Policy-1 and Policy-2.
Policy-1 – View only permission to applications.
Policy-2 – View and Edit permission to applications.
The user can view applications specified in Policy-1. Also, this user can view and edit the applications specified in Policy-2. The edit access to Group-1 applications are restricted as it is not under Group-1 authorization scope.
RBAC is not fully supported by the following Citrix ADM features:
- Analytics - RBAC is not supported fully by the analytics modules. RBAC support is limited to instance level, and it is not applicable at the application level in the Gateway Insight, HDX Insight, and Security Insight analytics modules.
- Example 1: Instance-based RBAC (Supported). An administrator who has been assigned a few instances can see only those instances under HDX Insight > Devices, and only the corresponding virtual servers under HDX Insight > Applications because RBAC is supported at the instance level.
- Example 2: Application based RBAC (Not Supported). An administrator who has been assigned a few applications can see all virtual servers under HDX Insight > Applications but cannot access them, because RBAC is not supported at the applications level.
- StyleBooks – RBAC is not fully supported for StyleBooks.
- Consider a situation where multiple users have access to a single StyleBook but have access permissions for different Citrix ADC instances. Users can create and update config packs on their own instances, but not on other instances as they do not have access to those instances other than their own. But they can still view the config packs and objects created on Citrix ADC instances other than their own.