Each Avi Vantage user account is associated with a role. The role defines the type of access the user has to each area of the Avi Vantage system.
Roles provide granular Role-Based Access Control (RBAC) within Avi Vantage.
The role, in combination with the (optional) tenant, comprises the authorization settings for an Avi Vantage user.
For each Avi Vantage resource (object type) and within each group of resources (system area), the user can have the following privileges:
- Write: The user has full access to create, read, modify, and delete resources.
- Read: The user can only read the existing configuration of resources. For example, the user can see how a virtual service is configured and view the health and analytics data of the virtual service but is unable to modify the configuration or delete the virtual service.
- No Access: The user has no access to the resources and cannot even read or enumerate these resources.
- Assorted: The user has a mixture of the above privileges for different resources within the system area.
Pre-defined Avi Vantage User Roles
Avi Vantage comes with the following pre-defined roles:
- Application-Admin: User has write access to the Application and Profiles sections of Avi Vantage, read access to the Infrastructure settings, and no access to the Account or System sections.
- Application-Operator: User has read access to the Application and Profiles sections of Avi Vantage and no access to the Infrastructure, Account, and System sections.
- Security-Admin: User has read/write access only to the Templates > Security section.
- System-Admin: User has write access to all sections of Avi Vantage.
- Tenant-Admin: User has write access to all sections of Avi Vantage except the System section, to which the user has no access.
- WAF-Admin: User has write access to WAF Profiles and Policies, read access to application VSs, pools and pool groups, read access to clouds, and no access to the rest.
To display a detailed list of the access settings for a role, click on the table row for that role. Here is an example of the detailed information for the Application-Admin role. (The screenshot is truncated on the right side, but the information displays in full in the web interface.)
Each user must be associated with at least one role. The role can be either predefined or a custom role.
If multitenancy is configured, a user can be assigned to more than one tenant, and can have a separate role for each tenant.
Create a Role
If none of the pre-defined roles exactly fit the access requirements for some user accounts, custom roles can be defined.
By default, access to each system area in a custom role is set to no access. Access can be changed to read or write for an entire system area or for individual resources within that system area.
For example, to allow write access to all profiles, click the icon in the title row for the Profiles system area as shown in the image.
To give access to only some of the resources within a system area, select the access for each area. In this example, the role will have write access to some types of profiles but only read access to the other types:
Note: Starting with NSX Advanced Load Balancer version 21.1.2, roles can only be created in the admin tenants.
To create a custom role:
- Navigate to Administration > Accounts > Roles, and click Create.
- Enter a Name for the role.
- Click the access icon (no access, read, or write) for a system area, or for an individual resource within it, to change its access.
- Click Save.
The new role appears in the table displayed when the Roles tab has been selected.
To edit a custom role, click the edit icon (not shown in example) to the right of the table entry.
Assigning a Role to a User
Roles can be assigned to both local and remote (LDAP, TACACS+) user accounts. The procedure differs depending on where the account is maintained.
Local User Account
Roles can be assigned to a user account when the account is created or at any time later. In either case, select the role from the Role pull-down list in the configuration popup for the user account.
- Navigate to Administration > Accounts > Users.
- If configuring a new account, click Create. Otherwise, if changing an existing account, click the Edit icon in the row for the account.
- Select the role from the Role pull-down list. If a custom role is needed but has not yet been created, click Create.
- User accounts are case-sensitive.
- When creating the user, if the Email field is configured, Avi will attempt to send an email leveraging the mail server defined in the Email/SMTP settings. User creation can take 40 seconds if the email server is down or unreachable.
LDAP or TACACS+ User Accounts
If LDAP or TACACS+ remote authentication is used, roles can be assigned to users based on the following:
- LDAP group: A role can be assigned to users in any group or specifically to users who either are or are not members of specific groups.
- LDAP attributes: For users who match the LDAP group filter, the role is assigned to those users with any attributes and values or who either do or do not have specific attributes and values.
The mappings are configured within Avi Vantage rather than the LDAP or TACACS+ server.
To map LDAP or TACACS+ users to Avi Vantage roles, use the following steps. Multiple mappings can be configured if needed for any combination of user group name and attribute:value pair.
- These steps assume that Avi Vantage authentication/authorization is set to remote and an LDAP or TACACS+ Auth profile has been applied.
- Group names are case-sensitive for LDAP mapping.
- Navigate to Administration > Settings > Authentication/Authorization.
- Click New Mapping.
- Select the filter for the LDAP group:
- Any: Users in any LDAP group match the filter.
- Member: Users must be members of the specified groups. If entering multiple group names, use commas between the names.
- Not a Member: Users must not be members of the specified groups.
- Select the filter for the LDAP attribute:
- Any: Users match regardless of attributes or their values.
- Contains: User must have the specified attribute, and the attribute must have one of the specified values.
- Does Not Contain: User must not have the specified attribute and value(s).
- Select the role from the User Role pull-down list:
- From Select List: Displays a Roles pull-down list. Select the role from the list.
- All: Assigns all roles.
- Matching Attribute Value: Assigns the role whose name matches an attribute value from the LDAP server.
- Matching Group Name: Assigns the role whose name matches a group name on the LDAP server.
- If using multitenancy, users also can be mapped to tenants. Read more about tenants and tenancy.
- Click Save. The new mapping appears in the Tenant and Role Mapping table.
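To make the group filter, attribute filter and role-source options above concrete, the following added Python example (not Avi Vantage code) models a mapping table as plain data and evaluates it against a constructed user's LDAP groups and attributes. It assumes that "Member" means membership in at least one of the listed groups and that Matching Attribute Value uses the attribute named in the filter; both assumptions are marked in comments.

```python
# Added illustration (not Avi Vantage code): evaluates the LDAP group and attribute role mappings described above.
from dataclasses import dataclass
from typing import Dict, List, Set

# Pre-defined roles named on the page; custom roles would be added here.
KNOWN_ROLES = {"Application-Admin", "Application-Operator", "Security-Admin",
               "System-Admin", "Tenant-Admin", "WAF-Admin"}

@dataclass
class Mapping:
    group_filter: str = "any"         # any | member | not_member
    groups: frozenset = frozenset()   # comma-separated names in the UI
    attr_filter: str = "any"          # any | contains | not_contains
    attr_name: str = ""
    attr_values: frozenset = frozenset()
    role_source: str = "select"       # select | all | match_attr | match_group
    role: str = ""                    # used only with role_source == "select"

def filters_match(m: Mapping, groups: Set[str], attrs: Dict[str, Set[str]]) -> bool:
    # Group names are case-sensitive; assumption: "Member" means in at least one listed group.
    in_group = bool(m.groups & groups)
    group_ok = m.group_filter == "any" or (m.group_filter == "member") == in_group
    has_attr = bool(attrs.get(m.attr_name, set()) & m.attr_values)
    attr_ok = m.attr_filter == "any" or (m.attr_filter == "contains") == has_attr
    return group_ok and attr_ok

def roles_from(m: Mapping, groups: Set[str], attrs: Dict[str, Set[str]]) -> Set[str]:
    if m.role_source in ("select", "all"):
        return {m.role} if m.role_source == "select" else set(KNOWN_ROLES)
    if m.role_source == "match_attr":   # assumption: values of the filtered attribute
        return attrs.get(m.attr_name, set()) & KNOWN_ROLES
    return groups & KNOWN_ROLES         # match_group: a role named like a group

def assign_roles(mappings: List[Mapping], groups: Set[str], attrs: Dict[str, Set[str]]) -> Set[str]:
    roles: Set[str] = set()             # union over every mapping whose filters both match
    for m in mappings:
        if filters_match(m, groups, attrs):
            roles |= roles_from(m, groups, attrs)
    return roles

def demo() -> Set[str]:
    # Constructed sample user: two LDAP groups and one attribute.
    groups, attrs = {"netops", "WAF-Admin"}, {"department": {"Security"}}
    mappings = [
        Mapping("member", {"netops"}, role="Application-Operator"),
        Mapping(attr_filter="contains", attr_name="department",
                attr_values={"Security"}, role="Security-Admin"),
        Mapping("not_member", {"contractors"}, role_source="match_group"),
    ]
    return assign_roles(mappings, groups, attrs)
```

Because the result is the union over all matching mappings, a user who satisfies several mappings accumulates every role they grant, which is worth checking when mappings overlap.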