Configuring role-based access control
Citrix Application Delivery Management (Citrix ADM) provides fine-grained, role-based access control (RBAC) with which you can grant access permissions based on the roles of individual users within your enterprise.
In Citrix ADM, all users are created in Citrix Cloud. As the first user of your organization, you create an account in Citrix Cloud and then log on to the Citrix ADM GUI with those Citrix Cloud credentials. That first account is granted the super admin role and, by default, has all access permissions in Citrix ADM. You can then create the other users of your organization in Citrix Cloud.
Users who are created later and who log on to Citrix ADM as regular users are known as delegated admins. By default, these users have read-only permissions. You can grant specific administration permissions to a delegated admin by creating the appropriate access policies and assigning them, through roles and groups, to that user. For more information on how to assign specific permissions, see How to Assign Additional Permissions to Delegated Admin Users.
More information on how to create policies, roles, groups, and how to bind the users to groups is provided in the following sections.
The following example illustrates how RBAC can be achieved in Citrix ADM.
Chris, the ADC group head, is the super administrator of Citrix ADM in his organization. He creates three administrator roles: security administrator, application administrator, and network administrator.
- David, the security admin, must have complete access for SSL Certificate management and monitoring but should have read-only access for system administration operations.
- Steve, an application admin, needs access to only specific applications and only specific configuration templates.
- Greg, a network admin, needs access to system and network administration.
- Chris must also provide RBAC for all users, irrespective of whether they are local or multi-tenant users.
The following image shows the permissions that the administrators and other users have and their roles in the organization.
To provide role-based access control to his users, Chris must first add the users in Citrix Cloud; only after that do they appear in Citrix ADM. He must then create access policies that match each user's role. Because access policies are bound to roles, he must also create roles, and because roles can be assigned only to groups and not to individual users, he must create groups and add the users to them.
Access is the ability to perform a specific task, such as view, create, modify, or delete a file. Roles are defined according to the authority and responsibility of the users within the enterprise. For example, one user might be allowed to perform all network operations, while another user can observe the traffic flow in applications and assist in creating configuration templates.
Roles are determined by policies. After creating policies, you can create roles, bind each role to one or more policies, and assign roles to users. You can also assign roles to groups of users. A group is a collection of users who have permissions in common. For example, users who are managing a particular data center can be assigned to a group. A role is an identity granted to users by adding them to specific groups on the basis of specific conditions. In Citrix ADM, creating roles and policies is specific to the RBAC feature in Citrix ADC. Roles and policies can be easily created, changed, or discontinued as the needs of the enterprise evolve, without having to individually update the privileges for every user.
Roles can be feature based or resource based. For example, consider an SSL/security administrator and an application administrator. An SSL/security administrator must have complete access to SSL Certificate management and monitoring features, but should have read-only access for system administration operations. Application administrators should be able to access only the resources within their scope.
Therefore, in your role as Chris, the super admin, perform the following example tasks in Citrix ADM to configure access policies, roles, and user groups for David who is the security admin in your organization.
Configuring Users on Citrix ADM
As a super admin, you create additional users by configuring accounts for them in Citrix Cloud, not in Citrix ADM. Once a new user appears in Citrix ADM, the only way to define that user's permissions is to assign the user to the appropriate groups.
To add new users in Citrix Cloud:
- In the Citrix ADM GUI, click the Hamburger icon at the top left, and select Identity and Access Management.
- On the Identity and Access Management page, select the Administrators tab. This tab lists the users that are created in Citrix Cloud.
- Type the email address of the user that you want to add to Citrix ADM and click Invite.
The user receives an email invitation from Citrix Cloud. The user must click the link provided in the email to complete registration by providing their full name and a password, and can then log on to Citrix ADM with those credentials.
As an admin, you see the new user in the Citrix ADM Users list only after the user has logged on to Citrix ADM.
To configure users in Citrix ADM:
- In the Citrix ADM GUI, navigate to Account > User Administration > Users. The user is displayed on the Users page.
- You can edit the privileges provided to the user by selecting the user and clicking Edit. You can also edit group permissions on the Groups page under Account > User Administration.
Your users are added to Citrix ADM from Citrix Cloud only. Therefore, even though you have admin permissions, you cannot add or delete users in the Citrix ADM GUI; you can only edit group permissions. Users are added or deleted in Citrix Cloud.
The user details appear on the service GUI only after the user has logged on to Citrix ADM at least once.
Configuring Access Policies on Citrix ADM
Access policies define permissions. A policy can be applied to a user group or to multiple groups by creating roles. Roles are determined by policies. After creating policies, you must create roles, bind each role to one or more policies, and assign roles to user groups. Citrix ADM provides five predefined access policies:
- admin_policy. Grants access to all Citrix ADM nodes. The user has both view and edit permissions, can view all Citrix ADM content, and can perform all edit operations. That is, the user can perform add, modify, and delete operations on the resources.
- adminExceptSystem_policy. Grants access to all nodes in the Citrix ADM GUI except the Settings node.
- readonly_policy. Grants read-only permissions. The user can view all content on Citrix ADM but is not authorized to perform any operations.
- appadmin_policy. Grants administrative permissions for accessing the application features in Citrix ADM. A user bound to this policy can add, modify, and delete custom applications, and can enable or disable the services, service groups, and the various virtual servers, such as content switching, cache redirection, and HAProxy virtual servers.
- appreadonly_policy. Grants read-only permission for application features. A user bound to this policy can view the applications, but cannot perform any add, modify, or delete, enable, or disable operations.
Though you cannot edit these predefined policies, you can create your own (user-defined) policies.
Earlier, when you assigned policies to roles and bound the roles to user groups, you could provide permissions for the user groups at node level in Citrix ADM GUI. For example, you could only provide access permissions to the entire Load Balancing node. Your users had permission to access all entity-specific sub-nodes under Load Balancing node (for example, virtual server, services, and others) or they did not have permission to access any node under Load Balancing.
In Citrix ADM 507.x build and later versions, the access policy management is extended to provide permissions for subnodes as well. Access policy settings can be configured for all sub-nodes such as virtual servers, services, service groups, and servers.
Currently, you can provide such a granular level access permission only for sub-nodes under Load Balancing node and also for sub-nodes under GSLB node.
For example, as an administrator, you might want to give a user permission to view only the virtual servers, but not the backend services, service groups, and application servers under the Load Balancing node. Users with such a policy assigned to them can access only the virtual servers.
To create user-defined access policies:
- In the Citrix ADM GUI, navigate to Account > User Administration > Access Policies.
- On the Create Access Policies page, in the Policy Name field, enter the name of the policy, and enter a description in the Policy Description field.
- The Permissions section lists all Citrix ADM features, with options for specifying read-only or edit access. Click the (+) icon to expand each feature group into its individual features. Select the check box next to a feature name to give users either View or Edit permission on it. Select View for read-only access or Edit for full access; Edit includes permission to view.
Note: Expand Load Balancing and GSLB to view more configuration options.
Selecting Edit might internally assign dependent permissions that are not shown as enabled in the Permissions section. For example, when you enable edit permissions for fault management, Citrix ADM internally provides permission for configuring a mail profile or for creating SMTP server setups, so that the user can send the report as a mail.
Configuring Roles on Citrix ADM
In Citrix ADM, each role is bound to one or more access policies. You can define one-to-one, one-to-many, and many-to-many relationships between policies and roles. You can bind one role to multiple policies, and you can bind multiple roles to one policy.
For example, a role might be bound to two policies, with one policy defining access permissions for one feature and the other policy defining access permissions for another feature. One policy might grant permission to add Citrix ADC instances in Citrix ADM, and the other policy might grant permission to create and deploy StyleBooks and to configure Citrix ADC instances.
When multiple policies define the edit and read-only permissions for a single feature, the edit permissions have priority over read-only permissions.
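The precedence rule above, as an added example that is not part of the original page and is not Citrix ADM's own code: a small Python model of policy resolution in which each policy maps features to View or Edit, roles bind policies, and a user's effective permission on a feature is the most permissive level found across all bound policies. Edit satisfies a View check. The IMPLIED_BY_EDIT table is an illustrative assumption built from the fault-management case described in the previous section, not Citrix ADM's actual dependency map, and the policy, role and feature names are constructed.

```python
from typing import Dict, Iterable, List

VIEW, EDIT = "view", "edit"
RANK = {VIEW: 1, EDIT: 2}  # the higher rank wins when policies disagree

# Illustrative assumption: permissions that granting Edit pulls in implicitly.
# Only the fault-management -> mail profile / SMTP case from the page is modelled;
# Citrix ADM's real dependency map is not documented here.
IMPLIED_BY_EDIT: Dict[str, List[str]] = {
    "Fault Management": ["Mail Profile", "SMTP Server"],
}

Policy = Dict[str, str]          # feature -> VIEW | EDIT
PolicySet = Dict[str, Policy]    # policy name -> Policy
RoleSet = Dict[str, List[str]]   # role name -> names of bound policies


def _raise_to(perms: Dict[str, str], feature: str, level: str) -> None:
    """Keep the most permissive level seen so far for a feature."""
    if RANK[level] > RANK.get(perms.get(feature, ""), 0):
        perms[feature] = level


def effective_permissions(role_names: Iterable[str], roles: RoleSet,
                          policies: PolicySet) -> Dict[str, str]:
    """Union of every policy bound to the given roles; Edit beats View."""
    perms: Dict[str, str] = {}
    for role in role_names:
        for policy_name in roles[role]:
            for feature, level in policies[policy_name].items():
                _raise_to(perms, feature, level)
                if level == EDIT:  # Edit drags in its dependent permissions
                    for dep in IMPLIED_BY_EDIT.get(feature, []):
                        _raise_to(perms, dep, EDIT)
    return perms


def can(perms: Dict[str, str], feature: str, action: str) -> bool:
    """Edit includes View, so an Edit grant satisfies a View check."""
    return RANK.get(perms.get(feature, ""), 0) >= RANK[action]


def find_escalations(perms: Dict[str, str],
                     sensitive: Iterable[str] = ("Settings",)) -> List[str]:
    """Features on which a supposedly limited user ended up with Edit."""
    return sorted(f for f in sensitive if perms.get(f) == EDIT)


# Constructed sample data modelled on David, the security admin in the text:
# full SSL certificate access, read-only system administration.
POLICIES: PolicySet = {
    "ssl_admin_policy": {"SSL Certificates": EDIT, "Settings": VIEW},
    "fault_policy": {"Fault Management": EDIT},
    "sysadmin_policy": {"Settings": EDIT},
}
ROLES: RoleSet = {
    "security_admin_role": ["ssl_admin_policy", "fault_policy"],
    "network_admin_role": ["sysadmin_policy"],
}

if __name__ == "__main__":
    david = effective_permissions(["security_admin_role"], ROLES, POLICIES)
    print(david)                    # Settings stays at view
    both = effective_permissions(["security_admin_role", "network_admin_role"],
                                 ROLES, POLICIES)
    print(find_escalations(both))   # Settings became edit: edit won over view
```

The point of `find_escalations` is the audit step the precedence rule implies: once a user belongs to two groups whose roles disagree on a feature, the Edit grant wins, so a "read-only on system administration" intent has to be verified against the union, not against any single policy.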
Citrix ADM provides five predefined roles:
- admin_role. Has access to all Citrix ADM features. (This role is bound to admin_policy.)
- adminExceptSystem_role. Has access to the Citrix ADM GUI except for the Settings permissions. (This role is bound to adminExceptSystem_policy.)
- readonly_role. Has read-only access. (This role is bound to readonly_policy.)
- appAdmin_role. Has administrative access to only the application features in Citrix ADM. (This role is bound to appadmin_policy.)
- appReadonly_role. Has read-only access to the application features. (This role is bound to appreadonly_policy.)
Though you cannot edit the predefined roles, you can create your own (user-defined) roles.
To create roles and assign policies to them:
- In the Citrix ADM GUI, navigate to Account > User Administration > Roles.
- On the Create Roles page, in the Role Name field, enter the name of the role, and optionally provide a description in the Role Description field.
- In the Policies section, move one or more policies to the Configured list. The policies are prefixed with a tenant ID (for example, maasdocfour) that is unique to each tenant.
- You can create a new access policy by clicking New, or you can navigate to Account > User Administration > Access Policies and create new policies there.
Configuring Groups on Citrix ADM
In Citrix ADM, a group can have both feature-level and resource-level access. For example, one group of users might have access to only selected Citrix ADC instances; another group with only a selected few applications, and so on. When you create a group, you can assign roles to the group, provide application-level access to the group, and assign users to the group. All users in that group are assigned the same access rights in Citrix ADM.
To Create User Groups and Assign Roles to User Groups:
- In Citrix ADM, navigate to Account > User Administration > Groups.
- Click Add. Create System Group page opens.
- In the Group Name field, enter the name of the group.
- In the Group Description field, type in a description of your group. Providing a good description of the group helps you to understand the role and function of the group in a better way at a later point.
- In the Roles section, move one or more roles to the Configured list. The roles are prefixed with a tenant ID (for example, maasdocfour) that is unique to each tenant.
- Under the Available list, you can click New or Edit to create or modify roles. Alternatively, navigate to Account > User Administration > Roles and create or modify roles there.
- Optionally, clear the All Instances check box and select specific instances. By default, this check box is selected, which allows the users to view and configure all Citrix ADC instances. Clear it and select only those Citrix ADC instances that the users need to access.
Click Next. On the screen that appears, you can provide authorization settings for the following four groups:
- Instances
- Applications
- Configuration Templates
- StyleBooks
By default, your user can access all the above groups. You can clear the checkboxes and provide selective access for each of these groups.
- You can clear Instances checkbox and select only the required instances that you want to provide access to your users.
- Clear the All Applications check box and select only the required applications and templates. When you add applications to a group, you can use a regular expression to search for and add all applications that match it. Users bound to the group can access only those applications. The expression entered in the Add Regular Expression text box is persisted in Citrix ADM, and the authorization scope is updated dynamically: whenever new applications are discovered, Citrix ADM applies the stored expression to them, and any application that matches is added to the group without you having to add it manually. The group's users then see those applications under the appropriate modules in Citrix ADM. Because the stored expression keeps granting access to future applications, write it as narrowly as possible; a broad pattern silently widens the group's scope every time a matching application appears.
- Clear All Configuration templates checkbox to allow access to only the required templates.
- Clear All StyleBooks checkbox and select the required StyleBooks that your user can access.
You can select the required StyleBooks when you create groups and add users to that group. When your user selects the permitted StyleBook, all dependent StyleBooks are also selected. The config packs of that StyleBook are also included in what the user has access to.
- Click Create Group.
- In the Assign Users section, select the user in the Available list, and add the user to the Configured list. You can also add new users by clicking New.
- Click Finish.
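The resource scope that the group procedure above configures, as an added example that is not code from the original page and not Citrix ADM's own implementation: a Python model of one group's authorization settings with the All Instances default, an explicit instance list, and a persisted application regular expression that is re-evaluated as new applications appear. The instance and application names are constructed, and the assumption that a stored pattern is applied as an unanchored search (so that `prod-` also matches `nonprod-...`) is mine, not something the page states.

```python
import re
from dataclasses import dataclass, field
from typing import Iterable, List, Set


@dataclass
class GroupScope:
    """Resource scope of one Citrix ADM group, as described in the text."""
    all_instances: bool = True                           # All Instances check box: selected by default
    instances: Set[str] = field(default_factory=set)     # explicitly selected instances
    applications: Set[str] = field(default_factory=set)  # applications added by name
    app_patterns: List[str] = field(default_factory=list)  # persisted regular expressions

    def allows_instance(self, instance: str) -> bool:
        return self.all_instances or instance in self.instances

    def allows_application(self, app: str) -> bool:
        # Assumption: a stored pattern is applied as an unanchored search, so
        # "prod-" also matches "nonprod-...". Anchor with ^ to prevent that.
        return app in self.applications or any(
            re.search(pattern, app) for pattern in self.app_patterns)

    def visible_applications(self, inventory: Iterable[str]) -> List[str]:
        """Evaluated against the current inventory on every call: newly discovered
        applications that match the stored pattern enter the scope without any
        edit to the group."""
        return sorted(app for app in inventory if self.allows_application(app))


# Constructed inventory and scopes; every name here is made up.
INVENTORY = ["prod-lb-vs-01", "prod-lb-vs-02", "nonprod-lb-vs-01", "dev-lb-vs-01"]

LOOSE_SCOPE = GroupScope(all_instances=False, instances={"ns-dc1-01"},
                         app_patterns=[r"prod-"])
ANCHORED_SCOPE = GroupScope(all_instances=False, instances={"ns-dc1-01"},
                            app_patterns=[r"^prod-"])


def scope_after_discovery(scope: GroupScope, new_apps: Iterable[str]) -> List[str]:
    """What the group's users see once Citrix ADM discovers more applications."""
    return scope.visible_applications(list(INVENTORY) + list(new_apps))


if __name__ == "__main__":
    print(LOOSE_SCOPE.visible_applications(INVENTORY))      # nonprod-lb-vs-01 leaks in
    print(ANCHORED_SCOPE.visible_applications(INVENTORY))   # prod-* only
    print(scope_after_discovery(ANCHORED_SCOPE, ["prod-lb-vs-03"]))  # new app auto-added
    print(ANCHORED_SCOPE.allows_instance("ns-dc2-01"))      # False: not a selected instance
```

Running it shows the two behaviours a practitioner should check when reviewing a group: the unanchored pattern grants the non-production virtual server along with the production ones, and the anchored pattern still picks up `prod-lb-vs-03` automatically the moment it is discovered, exactly as the persisted-regex behaviour described above implies.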
RBAC is not fully supported by the following Citrix ADM features:
- Analytics - RBAC is not supported fully by the analytics modules. RBAC support is limited to instance level, and it is not applicable at the application level in the Gateway Insight, HDX Insight, and Security Insight analytics modules.
- Example 1: Instance-based RBAC (Supported). An administrator who has been assigned a few instances can see only those instances under HDX Insight > Devices, and only the corresponding virtual servers under HDX Insight > Applications because RBAC is supported at the instance level.
- Example 2: Application based RBAC (Not Supported). An administrator who has been assigned a few applications can see all virtual servers under HDX Insight > Applications but cannot access them, because RBAC is not supported at the applications level.
- StyleBooks – RBAC is not fully supported for StyleBooks.
- Consider a situation where multiple users have access to a single StyleBook but have access permissions for different Citrix ADC instances. Users can create and update config packs on their own instances, but not on other instances as they do not have access to those instances other than their own. But they can still view the config packs and objects created on Citrix ADC instances other than their own.