Configuring Groups on NetScaler MAS

In NetScaler MAS, a group can have both feature-level and resource-level access. For example, one group of users might have access to only selected NetScaler instances, another group to only a few selected applications, and so on. When you create a group, you can assign roles to the group, provide application-level access to the group, and assign users to the group. All users in that group are assigned the same access rights in NetScaler MAS.

To Create User Groups and Assign Roles to User Groups:

  1. In NetScaler MAS, navigate to System > User Administration > Groups.

  2. Click Add.

  3. In the Group Name field, enter the name of the group.

  4. In the Group Description field, type a description of your group. A good description makes it easier to understand the role and function of the group later.

  5. In the Roles section, move one or more roles to the Configured list.

    Note: Under the Available list, you can click New or Edit and create or modify roles. Alternatively, you can navigate to System > User Administration > Users and create or modify users.

    Note: You can create a new role by clicking New, or you can navigate to System > User Administration > Users and create new users from this screen.

  6. Click Next. On the screen that appears, you can provide authorization settings for the following four groups:

    • Instances

    • Applications

    • Configuration Templates

    • StyleBooks

    By default, your user can access all the above groups. You can clear the checkboxes and provide selective access for each of these groups.

    For example:

    • You can clear the Instances checkbox and select only the instances that you want your users to access.

    • Clear the All Applications checkbox and select only the required applications and templates. When you add applications to a group in NetScaler MA Service, you can use a regular expression (regex) to search for and add the applications that match it. Users who are bound to the group can access only those applications. The regular expression entered in the Add Regular Expression text box is persisted in NetScaler MA Service and is used to update the authorization scope dynamically: when new applications are added to the system, NetScaler MA Service applies the expression to them, and any application that matches is added to the group automatically. You do not have to add new applications to the group manually, and the group's users see the applications under the appropriate modules in NetScaler MA Service.

    • Clear the All Configuration Templates checkbox to allow access to only the required templates.

    • Clear the All StyleBooks checkbox and select the StyleBooks that your user can access.
      You can select the required StyleBooks when you create groups and add users to that group. When your user selects a permitted StyleBook, all dependent StyleBooks are also selected. The config packs of that StyleBook are also included in what the user has access to.

  7. Click Create Group.

  8. For this example, in the Users section, select “dadmin” in the Available list and add the user to the Configured list.

    Note: You can also add new users by clicking New.

  9. Click Finish.
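
The persisted application regex from step 6, modelled as an added example (not NetScaler code and not part of the original page): it re-applies a stored expression as new applications appear and reports which applications enter a group's scope only because the pattern is evaluated as a substring search. The `Group` class, the application names and the choice between full-match and search semantics are assumptions; confirm how your NetScaler MA Service release evaluates the expression before relying on either behaviour.

```python
import re
from dataclasses import dataclass, field

# Constructed inventory; names are illustrative, not from a real deployment.
INITIAL_APPS = ["hr-portal-prod", "hr-portal-test", "payments-prod"]
LATER_APPS = ["hr-payroll-prod", "legacy-hr-portal-prod-admin", "chr-portal-prod"]


@dataclass
class Group:
    """Hypothetical model of a group whose application scope is a stored regex."""
    name: str
    app_regex: str
    anchored: bool = True            # assumption: full match vs. substring search
    scope: set = field(default_factory=set)

    def matches(self, app: str) -> bool:
        pattern = re.compile(self.app_regex)
        hit = pattern.fullmatch(app) if self.anchored else pattern.search(app)
        return hit is not None

    def on_application_added(self, app: str) -> bool:
        """Re-apply the persisted regex to a newly discovered application."""
        if self.matches(app):
            self.scope.add(app)
            return True
        return False


def build_scope(regex: str, anchored: bool) -> set:
    """Replay the whole inventory, in discovery order, against one group."""
    group = Group("hr-operators", regex, anchored)
    for app in INITIAL_APPS + LATER_APPS:
        group.on_application_added(app)
    return group.scope


def scope_drift(regex: str) -> set:
    """Applications granted only when the pattern is treated as a substring search."""
    return build_scope(regex, anchored=False) - build_scope(regex, anchored=True)


if __name__ == "__main__":
    regex = r"hr-portal-.*"
    print("anchored  :", sorted(build_scope(regex, True)))
    print("unanchored:", sorted(build_scope(regex, False)))
    print("review    :", sorted(scope_drift(regex)))
```

Anchoring the expression explicitly (for example `^hr-portal-.*$`) gives the same scope under both interpretations, which makes the group's access easier to review as new applications are added.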

Mapping of RBAC when Upgrading NetScaler MAS from 11.1 to 12.0

When you upgrade NetScaler MAS from 11.1 to 12.0, you do not see the options to provide “read-write” or “read” permissions while creating groups. These permissions have been replaced by “roles and access policies,” which give you more flexibility to provide role-based permissions to the users. The following table shows how the permissions in release 11.1 are mapped to release 12.0:

11.1                Allow Applications Only    12.0
admin read-write    False                      admin
admin read-write    True                       appAdmin
admin read-only     False                      readonly
admin read-only     True                       appReadonly