
Role Based Access Control in NetScaler MAS

NetScaler MAS provides fine-grained, role based access control (RBAC) with which you can grant access permissions based on the roles of individual users within your enterprise. In this context, access is the ability to perform a specific task, such as view, create, modify, or delete a file.  Roles are defined according to the authority and responsibility of the users within the enterprise. For example, one user might be allowed to perform all network operations, while another user can observe the traffic flow in applications and assist in creating configuration templates.

Roles are determined by policies. After creating policies, you create roles, bind each role to one or more policies, and assign roles to users. You can also assign roles to groups of users.

A group is a collection of users who have permissions in common. For example, users who are managing a particular data center can be assigned to a group. A role is an identity granted to users or groups on the basis of specific conditions. In NetScaler MAS, creating roles and policies is specific to the RBAC feature in NetScaler. Roles and policies can be easily created, changed, or discontinued as the needs of the enterprise evolve, without having to individually update the privileges for every user.

Roles can be feature based or resource based. For example, consider an SSL/security administrator and an application administrator. An SSL/security administrator must have complete access to SSL Certificate management and monitoring features, but should have read-only access for system administration operations. An application administrator should be able to access only the resources within his or her scope.

Example:

Chris, the ADC group head, is the super administrator of NetScaler MAS in his organization. He creates three administrator roles: security administrator, application administrator, and network administrator.

David, the security admin, must have complete access for SSL Certificate management and monitoring but should have read-only access for system administration operations.

Steve, an application admin, needs access to only specific applications and only specific configuration templates.

Greg, a network admin, needs access to system and network administration.

Chris also must enforce RBAC for all users, irrespective of whether they are local, external, or multi-tenant users.

NetScaler MAS users may be locally authenticated or may be authenticated through an external server (RADIUS/LDAP/TACACS). RBAC settings must be applicable to all users irrespective of the authentication method adopted.
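The following is an added illustration of the policy, role, user and group scheme described above, written as a small Python model of the rules rather than as NetScaler MAS code (it does not use the MAS NITRO API, and every feature, resource, policy and user name in it is a hypothetical stand-in for Chris's three roles). It shows the two things the narrative asks for: a feature-based role that is full on one feature and read-only on another, a resource-based role scoped to named applications and templates, and a decision function that treats the authentication source as irrelevant and denies by default.

```python
"""Toy model of the policy -> role -> user/group RBAC scheme described above.
Added illustration only: this is not NetScaler MAS code or its NITRO API, and
every feature, resource, policy and user name below is a hypothetical example."""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Optional, Set

VIEW, EDIT = "view", "edit"          # "edit" stands in for create/modify/delete
FULL = frozenset({VIEW, EDIT})
READ_ONLY = frozenset({VIEW})


@dataclass(frozen=True)
class Policy:
    """Grants `actions` on one feature. A feature-based policy leaves
    `resources` as None (every instance/app/template of that feature);
    a resource-based policy names the only resources it covers."""
    name: str
    feature: str
    actions: FrozenSet[str]
    resources: Optional[FrozenSet[str]] = None


@dataclass
class User:
    name: str
    auth: str = "local"              # "local", "ldap", "radius", "tacacs": never consulted by authorization
    roles: Set[str] = field(default_factory=set)
    groups: Set[str] = field(default_factory=set)


class Rbac:
    def __init__(self) -> None:
        self.roles: Dict[str, Set[Policy]] = {}     # role name -> bound policies
        self.groups: Dict[str, Set[str]] = {}       # group name -> role names
        self.users: Dict[str, User] = {}

    def effective_roles(self, username: str) -> Set[str]:
        """Roles assigned to the user directly plus those of every group."""
        user = self.users[username]
        roles = set(user.roles)
        for group in user.groups:
            roles |= self.groups.get(group, set())
        return roles

    def is_allowed(self, username: str, action: str, feature: str,
                   resource: Optional[str] = None) -> bool:
        """Default deny: allowed only if a policy bound to one of the user's
        effective roles grants `action` on `feature`, and either the policy is
        unscoped or `resource` is in its scope. Asking about resource=None
        against a scoped policy is denied: scoped access never means "all"."""
        for role in self.effective_roles(username):
            for policy in self.roles.get(role, set()):
                if policy.feature != feature or action not in policy.actions:
                    continue
                if policy.resources is None or resource in policy.resources:
                    return True
        return False


def build_example() -> Rbac:
    """Chris's three roles from the narrative, with hypothetical policy names."""
    rbac = Rbac()
    rbac.roles["security_admin"] = {
        Policy("ssl_full", "ssl", FULL),
        Policy("system_read", "system", READ_ONLY),
    }
    rbac.roles["application_admin"] = {
        Policy("apps_scoped", "applications", FULL,
               frozenset({"app-payments", "app-catalog"})),
        Policy("templates_scoped", "config_templates", FULL,
               frozenset({"tmpl-lb-http"})),
    }
    rbac.roles["network_admin"] = {
        Policy("system_full", "system", FULL),
        Policy("network_full", "network", FULL),
    }
    # David is a local user; Steve and Greg come from an LDAP directory.
    # Greg gets his role through a group rather than directly.
    rbac.users["david"] = User("david", roles={"security_admin"})
    rbac.users["steve"] = User("steve", auth="ldap", roles={"application_admin"})
    rbac.groups["netops"] = {"network_admin"}
    rbac.users["greg"] = User("greg", auth="ldap", groups={"netops"})
    rbac.users["intern"] = User("intern", auth="ldap")     # no role: denied everything
    return rbac


if __name__ == "__main__":
    r = build_example()
    for who, act, feat, res in [("david", EDIT, "ssl", None),
                                ("david", EDIT, "system", None),
                                ("steve", EDIT, "applications", "app-payments"),
                                ("steve", VIEW, "applications", "app-hr"),
                                ("greg", EDIT, "network", None),
                                ("intern", VIEW, "ssl", None)]:
        print(f"{who:7} {act:4} {feat:16} {res or '*':14} -> "
              f"{r.is_allowed(who, act, feat, res)}")
```

Two design points worth carrying over to a real deployment: the decision is default deny, so a user with no role (the "intern" above) gets nothing even though authentication succeeded; and the `auth` field is stored but never read by `is_allowed`, which is what "RBAC settings must be applicable to all users irrespective of the authentication method" means in code.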

The following image (not reproduced here) shows the permissions that the administrators and other users have and their roles in the organization.

Limitations

RBAC is not fully supported for the following NetScaler MAS features:

  • Analytics - RBAC is not fully supported in the analytics modules. RBAC support is limited to the instance level; it is not applied at the application level in the Web Insight, SSL Insight, Gateway Insight, HDX Insight, and Security Insight analytics modules. For example:

    Example 1: Instance based RBAC (Supported)

    An administrator who has been assigned a few instances can see only those instances under Web Insight > Devices, and only the corresponding virtual servers under Web Insight > Applications, because RBAC is supported at instance level.

    Example 2: Application based RBAC (Not Supported)

    An administrator who has been assigned a few applications can see all virtual servers under Web Insight > Applications but cannot access them, because RBAC is not supported at applications level.

  • StyleBooks – RBAC is not fully supported for StyleBooks.

    • In NetScaler MAS, StyleBooks and configuration packs are considered separate resources. Access permissions, either view, edit, or both, can be granted for StyleBooks and configuration packs separately or together. A view or edit permission on configuration packs implicitly allows the user to view the StyleBooks, which is required for reading configpack details and creating new configuration packs.

    • Access permission for a specific StyleBook or configuration pack is not supported.
      Example: if a configpack already exists on a target NetScaler instance, a user with edit permission on configuration packs can modify the configuration of that instance even if the user has not been granted access to the instance itself. Treat configuration-pack edit permission as effectively granting write access to every instance that carries a configpack, and grant it accordingly.

  • Orchestration - RBAC is not supported for Orchestration.
