NetScaler MAS provides fine-grained, role based access control (RBAC) with which you can grant access permissions based on the roles of individual users within your enterprise. In this context, access is the ability to perform a specific task, such as view, create, modify, or delete a file. Roles are defined according to the authority and responsibility of the users within the enterprise. For example, one user might be allowed to perform all network operations, while another user can observe the traffic flow in applications and assist in creating configuration templates.
Roles are defined by policies. After creating policies, you create roles, bind each role to one or more policies, and assign the roles to users. You can also assign roles to groups of users.
A group is a collection of users who have permissions in common. For example, users who are managing a particular data center can be assigned to a group. A role is an identity granted to users or groups on the basis of specific conditions. In NetScaler MAS, creating roles and policies is specific to the RBAC feature in NetScaler. Roles and policies can be easily created, changed, or discontinued as the needs of the enterprise evolve, without having to individually update the privileges for every user.
Roles can be feature based or resource based. For example, consider an SSL/security administrator and an application administrator. An SSL/security administrator must have complete access to SSL Certificate management and monitoring features, but should have read-only access for system administration operations. An application administrator should be able to access only the resources within his or her scope.
Chris, the ADC group head, is the super administrator of NetScaler MAS in his organization. He creates three administrator roles: security administrator, application administrator, and network administrator.
David, the security admin, must have complete access for SSL Certificate management and monitoring but should have read-only access for system administration operations.
Steve, an application admin, needs access to only specific applications and only specific configuration templates.
Greg, a network admin, needs access to system and network administration.
Chris must also provide RBAC for all users, irrespective of whether they are local, external, or multi-tenant users.
NetScaler MAS users may be locally authenticated or may be authenticated through an external server (RADIUS/LDAP/TACACS). RBAC settings must be applicable to all users irrespective of the authentication method adopted.
The following image shows the permissions that the administrators and other users have and their roles in the organization.
RBAC is not fully supported for the following NetScaler MAS features:
Example 1: Instance based RBAC (Supported)
An administrator who has been assigned a few instances can see only those instances under Web Insight > Devices, and only the corresponding virtual servers under Web Insight > Applications, because RBAC is supported at the instance level.
Example 2: Application based RBAC (Not Supported)
An administrator who has been assigned a few applications can see all virtual servers under Web Insight > Applications but cannot access them, because RBAC is not supported at the application level.
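The policy → role → user/group chain described above, together with the instance-level filtering of Example 1, can be modelled in a few dozen lines. The following Python is an added, hypothetical model written for this page; it is not NetScaler MAS code and does not use its API. The feature names (`ssl_certs`, `system_admin`, `web_insight`, `config_templates`), the resource identifiers (`ns-1`, `tpl-web`, `vs-a`) and the user/role names are constructed to match the Chris/David/Steve/Greg scenario. It shows the two points a practitioner cares about: the decision is default-deny and a scoped policy grants nothing outside its scope, and the authentication source of the user plays no part in the authorization decision.

```python
"""Toy RBAC model: policies grant actions on features, optionally limited to a
resource scope; roles bind policies; users get roles directly or via groups.
Hypothetical example for illustration, not NetScaler MAS code."""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional

VIEW, CREATE, MODIFY, DELETE = "view", "create", "modify", "delete"
READ_ONLY = frozenset({VIEW})
FULL = frozenset({VIEW, CREATE, MODIFY, DELETE})


@dataclass
class Policy:
    name: str
    # feature-based part: feature name -> allowed actions
    permissions: Dict[str, FrozenSet[str]]
    # resource-based part: ids (instances, templates) the policy is limited to;
    # None means the policy is not resource-scoped
    scope: Optional[FrozenSet[str]] = None


@dataclass
class Role:
    name: str
    policies: List[Policy] = field(default_factory=list)


@dataclass
class Group:
    name: str
    roles: List[Role] = field(default_factory=list)


@dataclass
class User:
    name: str
    auth_source: str  # "local", "ldap", "radius", "tacacs": recorded, never consulted
    roles: List[Role] = field(default_factory=list)
    groups: List[Group] = field(default_factory=list)

    def effective_roles(self) -> List[Role]:
        return self.roles + [r for g in self.groups for r in g.roles]


def is_allowed(user: User, action: str, feature: str, resource: Optional[str] = None) -> bool:
    """Default deny. Allow only if some bound policy grants `action` on `feature`
    and, when that policy is resource-scoped, `resource` lies inside its scope.
    A scoped policy never authorizes an unscoped (resource=None) operation."""
    for role in user.effective_roles():
        for pol in role.policies:
            if action not in pol.permissions.get(feature, ()):
                continue
            if pol.scope is not None and resource not in pol.scope:
                continue
            return True
    return False


def visible_instances(user: User, all_instances: List[str]) -> List[str]:
    """Example 1: instance-based RBAC. Only instances the user may view appear."""
    return sorted(i for i in all_instances if is_allowed(user, VIEW, "web_insight", i))


def visible_vservers(user: User, vserver_to_instance: Dict[str, str]) -> List[str]:
    """Example 1 continued: virtual servers are filtered through the instance that
    hosts them, because the scope is granted per instance, not per application."""
    return sorted(v for v, inst in vserver_to_instance.items()
                  if is_allowed(user, VIEW, "web_insight", inst))


# --- constructed scenario (names and feature labels are assumptions) ---------
ssl_full = Policy("ssl_full", {"ssl_certs": FULL, "monitoring": FULL})
sysadmin_ro = Policy("sysadmin_readonly", {"system_admin": READ_ONLY})
sysnet_full = Policy("sysnet_full", {"system_admin": FULL, "network_admin": FULL})
app_scoped = Policy("app_scoped",
                    {"web_insight": READ_ONLY, "config_templates": FULL},
                    scope=frozenset({"ns-1", "tpl-web"}))

security_admin = Role("security_admin", [ssl_full, sysadmin_ro])
application_admin = Role("application_admin", [app_scoped])
network_admin = Role("network_admin", [sysnet_full])

david = User("david", "ldap", roles=[security_admin])        # external auth
steve = User("steve", "local", roles=[application_admin])     # local auth
dc_team = Group("dc1-network", roles=[network_admin])
greg = User("greg", "radius", groups=[dc_team])               # role via group

if __name__ == "__main__":
    print("david delete cert:", is_allowed(david, DELETE, "ssl_certs"))
    print("david modify system:", is_allowed(david, MODIFY, "system_admin"))
    print("steve sees:", visible_instances(steve, ["ns-1", "ns-2", "ns-3"]))
```

Greg's permissions come only through the group binding, and David's read-only system access comes from a separate policy bound to the same role, which is the pattern the text describes for combining full and read-only access in one role. Application-level scoping (Example 2) is deliberately absent from the model: the only resource filter is the hosting instance.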