Granular Role-Based Access Controls Per Field

Overview

Avi Vantage provides Role Based Access Control (RBAC) to grant granular access to control, manage and monitor applications within Avi Vantage.
Starting from Avi Vantage version 20.1.2, labels are used as filters to enforce access control over individual objects. This model allows granting read or write access to a given resource. To know more about how RBAC is applied per object, refer to the Granular RBAC article.

RBAC can also be implemented at the field level. This article covers the use of sub-resources to implement RBAC per field.

Granular RBAC per-Field

Using Granular RBAC per Field, users can be allowed to update an object while restricting the updates to a specific set of fields.
For example, users can be allowed to:

  • Enable/ disable GSLB service groups, but restrict updating any other fields in the GSLB object
  • Enable/ disable a virtual service, but restrict updating any other virtual service configuration
  • Add/ remove/ update the pool servers, but restrict updating any other pool configuration

Sub-resources

To implement per-field RBAC, sub-resources are introduced for the existing resources. Each sub-resource is associated with a specific field, feature, or set of fields within the object. When a sub-resource is configured on a resource with write access, an update to the object is allowed only if the fields covered by those sub-resources are the only fields updated. Read is allowed for the full object, but create and delete are not allowed through that permission. Sub-resources can be combined to allow users to configure multiple fields/features in an object.

To define access for sub-resources, the flags "allow edit to only [subresource(s)]" and "allow edit of entire object except for [subresource(s)]" are introduced.

For example, to configure a role with sub-resources:

[admin:10]: > configure role Pool-Enabled-Role
[admin:10]: role> privileges 
New object being created
[admin:10]: role:privileges> type write_access 
[admin:10]: role:privileges> resource permission_pool
[admin:10]: role:privileges> subresource 
[admin:10]: role:privileges:subresource> subresources subresource_pool_enabled 
[admin:10]: role:privileges:subresource> save
[admin:10]: role:privileges> save
[admin:10]: role> save

The role is configured as shown below:

+--------------------------+-------------------------------------------+
| Field                    | Value                                     |
+--------------------------+-------------------------------------------+
| uuid                     | role-c5d28445-995c-44b8-9677-610bb20cb2e7 |
| name                     | Pool-Enabled-Role                         |
| privileges[1]            |                                           |
|   type                   | WRITE_ACCESS                              |
|   resource               | PERMISSION_POOL                           |
|   subresource            |                                           |
|     exclude_subresources | False                                     |
|     subresources[1]      | SUBRESOURCE_POOL_ENABLED                  |
| tenant_ref               | admin                                     |
+--------------------------+-------------------------------------------+

Sub-resources enable the user to execute a specific function within the object.
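The following is an added example, not Avi Vantage or NSX Advanced Load Balancer code: it models how a WRITE_ACCESS privilege restricted by sub-resources, such as the Pool-Enabled-Role above, decides whether a given PUT, GET, POST or DELETE is permitted, including the "except for" (exclude_subresources) variant. The mapping of sub-resources to Pool fields and the sample pool are assumptions for illustration.

```python
# Added example (not the product's code): a model of per-field (sub-resource) RBAC.
# ASSUMED mapping of sub-resources to object fields, for illustration only.
from typing import Any

SUBRESOURCE_FIELDS: dict[str, set[str]] = {
    "SUBRESOURCE_POOL_ENABLED": {"enabled"},
    "SUBRESOURCE_POOL_SERVERS": {"servers"},
}

# The role shown in the article: write access to pools, limited to the enabled flag.
POOL_ENABLED_ROLE: dict[str, Any] = {
    "type": "WRITE_ACCESS",
    "resource": "PERMISSION_POOL",
    "subresource": {"exclude_subresources": False,
                    "subresources": ["SUBRESOURCE_POOL_ENABLED"]},
}

# Constructed sample pool object (not real configuration).
POOL: dict[str, Any] = {
    "name": "web-pool",
    "enabled": True,
    "servers": [{"ip": {"addr": "10.0.0.11", "type": "V4"}, "enabled": True}],
}

def changed_fields(current: dict[str, Any], proposed: dict[str, Any]) -> set[str]:
    """Top-level fields whose value differs between the stored object and the PUT body."""
    return {k for k in current.keys() | proposed.keys() if current.get(k) != proposed.get(k)}

def covered_fields(subresource: dict[str, Any]) -> set[str]:
    """Union of the fields associated with the listed sub-resources."""
    return set().union(*(SUBRESOURCE_FIELDS[s] for s in subresource["subresources"]))

def action_allowed(privilege: dict[str, Any], action: str) -> bool:
    """GET covers the full object; POST/DELETE are never granted by a sub-resource-
    restricted privilege; PUT is further decided per field by update_allowed()."""
    if action == "GET":
        return privilege["type"] in ("READ_ACCESS", "WRITE_ACCESS")
    if privilege["type"] != "WRITE_ACCESS":
        return False
    if action in ("POST", "DELETE"):
        return "subresource" not in privilege
    return action == "PUT"

def update_allowed(privilege: dict[str, Any], current: dict[str, Any],
                   proposed: dict[str, Any]) -> bool:
    """Allow the PUT only if every changed field is covered by the sub-resources
    (or, with exclude_subresources, if no covered field is changed)."""
    if not action_allowed(privilege, "PUT"):
        return False
    sub = privilege.get("subresource")
    if sub is None:
        return True  # unrestricted write access
    changed, covered = changed_fields(current, proposed), covered_fields(sub)
    if sub.get("exclude_subresources", False):
        return not (changed & covered)
    return changed <= covered
```

Any PUT that touches a field outside the granted sub-resources is rejected as a whole, so a client that resends the full object must leave every non-granted field byte-for-byte unchanged.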

All available sub-resources are listed below:

Sub-resource                                           Function
SUBRESOURCE_POOL_ENABLED                               Add/ update/ disable pool servers
SUBRESOURCE_POOL_SERVERS                               Add/ update/ remove pool servers
SUBRESOURCE_POOL_SERVER_ENABLED                        Enable/ disable pool servers
SUBRESOURCE_VIRTUALSERVICE_ENABLED                     Enable/ disable virtual servers
SUBRESOURCE_GSLBSERVICE_ENABLED                        Enable/ disable GSLB service objects
SUBRESOURCE_GSLBSERVICE_GROUPS                         Update GSLB service groups
SUBRESOURCE_GSLBSERVICE_GROUPS_ENABLED                 Enable/ disable GSLB service groups
SUBRESOURCE_GSLBSERVICE_GROUP_MEMBERS                  Update GSLB service group members
SUBRESOURCE_GSLBSERVICE_GROUP_MEMBER_ENABLED           Enable/ disable GSLB service group members
SUBRESOURCE_VIRTUALSERVICE_AUTO_ALLOCATE_FLOATING_IP   Enable/ disable auto-allocate floating IP

Note: Prior to NSX Advanced Load Balancer version 22.1.1, it was only possible to control the update (PUT) action on any resource field. Starting with NSX Advanced Load Balancer version 22.1.1, if the access is disallowed for any field, creation of objects is not permitted as well.

Document Revision History

Date             Change Summary
April 15, 2020   Published the article for Granular RBAC Per Field (Version 20.1.5)