Configure Role-Based Access for Third Party Orchestration

Before deploying the fabric components using a third party orchestrator, we must create users, roles and the respective user groups in GigaVUE-FM. The Username and the Password provided in the User Management page will be used in the registration data that can be used to deploy the fabric components in your orchestrator.

Users

The Users page lets you manage the GigaVUE-FM and GigaVUE-OS FM users. You can also configure user's role and user groups to control the access privileges of the user in GigaVUE-FM.

Add Users

This section provides the steps for adding users. You can add users only if you are a user with fm_super_admin role or a user with either read/write access to the FM security Management category.

Important: It is recommended to create users through GigaVUE‑FM:

■   You cannot view or manage users created in GigaVUE‑FM CLI using GigaVUE‑FM.
■   You cannot view changes made to the users in GigaVUE‑FM CLI in GigaVUE‑FM.

Note:  Monitor and operator users are not available in GigaVUE‑FM. However, if you upgrade from a previous version in which monitor/operator users have been mapped in map default user, then after upgrade:

■  In AAA: Users authenticated through the external servers will be assigned the fm_user role.
■  In LDAP: Remote group based DN entry will not be migrated.

To add users perform the following steps:

1.   On the left navigation pane, click and select Authentication > User Management > Users. The User Management page is displayed.

1 FM Users Page
2. Click Add . In the Create User wizard that appears perform the following steps. Click Continue to progress forward and click Back to navigate backward and change details.

2 Create User
a. In the User Information tab, enter the following details:
o   Name: Actual name of the user
o   Username: User name configured in GigaVUE-FM
o   Email: Email ID of the user
o   Password/Confirm Password: Password for the user. Refer to the Change Your Password section.

Note:  GigaVUE‑FM will prompt for your password.

b. Click Save to save the configuration.

The new user is added to the summary list view.

You can also assign users to roles and user groups that set the access permissions. Refer to the following sections for details:

Note:  If you have logged in as a user with fm_super_admin role or a user with either read/write access on FM security Management category, then click on the ellipsis to:

■   Assign User Group: Assign user group to users.
■   Edit: Edit the user details.
■   Delete: Delete a user.
■   Unlock: Unlock a locked user.

The User name and password provided in this section will be used as the User and Password in the registration data.

After adding User, you must configure roles for third party orchestration.

Create Roles

You can associate a rule with user. Under the Select Permissions tab select Third Party Orchestration and provide read/write permissions.

Create Roles

This section describes the steps for creating roles and assigning user(s) to those roles.

GigaVUE‑FM has the following default roles:

■   fm_super_admin — Allows a user to do everything in Fabric Manager, including adding or modifying users and configuring all AAA settings in the RADIUS, TACACS+, and LDAP tabs. Can change password for all users.
■   fm_admin — Allows a user to do everything in Fabric Manager except add or modify users and change AAA settings. Can only change own password.
■   fm_user — Allows a user to view everything in Fabric Manager, including AAA settings, but cannot make any changes.

Note:  If you are a user with read-only access you will be restricted from performing any configurations on the screen. The menus and action buttons in the UI pages will be disabled appropriately.

Starting in software version 5.7, you can create custom user roles in addition to the default user roles in GigaVUE‑FM. Access control for the default roles and the custom roles is based on the categories defined in GigaVUE‑FM. These categories provide the ability to limit user access to a set of managed inventories such as ports, maps, cluster, forward list and so on.

Refer to the following table for the various categories and the associated resources. Hover your mouse over the resource categories in the Roles page to view the description of the resources in detail.

Category

Associated Resources

All

Manages all resources

■   A user with fm_super_admin role has both read and write access to all the resource categories.
■   A user with fm_user role has only read access to all the resource categories.

Infrastructure Management

Manages resources such as devices, cards, ports and cloud resources. You can add or delete a device in GigaVUE‑FM, enable or disable cards, modify port parameters, set leaf-spine topology. The following resources belong to this category:

■   Physical resources: Chassis, slots, cards ports, port groups, port pairs, cluster config, nodes and so on
■   GigaVUE‑FM inventory resources: Nodes, node credentials
■   Device backup/restore: Device and cluster configuration
■   Device license configuration: Device/cluster licensing
■   Statistics: Device, port
■   Tags: Events, historical trending
■   Device security: SystemTime, System EventNotification, SystemLocalUser, System Security Policy Settings, AAA Authentication Settings,Device User Roles, LDAP Servers, RADIUS Servers, TACACS+ Servers
■   Device maintenance: Sys Dump, Syslog
■   Cloud Infrastructure resources: Cloud Connections, Cloud Proxy Server, Cloud Fabric Deployment, Cloud Configurations, Sys Dump, Syslog, Cloud licenses, Cloud Inventory.

Note:  Cloud APIs are also RBAC enabled.

 

Traffic Control Management

Manages inline resources, flow maps, GigaSMART applications, second level maps, map chains, map groups. The following resources belong to this category:

■   Infrastructure resources: IP interfaces, circuit tunnels, tunnel endpoints, tunnel load balancing endpoints, ARP entries
■   Intent Based Orchestration resources: Policies, rules
■   GigaSMART resources: GigaSMART, GSgroups, vPorts, Netflow exporters
■   Map resources: Fabric, fabric resources, flow maps, maps, map chains, map groups, map templates
■   Application intelligence resources: Application visibility, Metadata, application filter resources
■   Tag: Flow manipulation - Netflow operations, Statistics - device port
■   Active visibility
■   Inline resources: Inline networks, Inline network groups, Inline tools, Inline tool groups, Inline serial tools, Inline heartbeat profile
■   Cloud operation resources: Monitoring session, stats, map library, tunnel library, tools library, inclusion/exclusion maps.

Note:  Cloud APIs are also RBAC enabled.

FM Security Management

Ensures secure GigaVUE‑FM environment. Users in this category can manage user and roles, AAA services and other security operations.

System Management

Controls system administration activities of GigaVUE‑FM. User in this category are allowed to perform operations such as backup/restore of GigaVUE‑FM and devices, and upgrade of GigaVUE‑FM. The following GigaVUE‑FM resources belong to this category:

■   Backup/restore
■   Archive server
■   License
■   Storage management
■   Image repo config
■   Notification target/email

Forward list/CUPS Management

Manages the forward list configuration. The following resources belong to this category:

■   GTP forward list
■   SIP forward list
■   Diameter forward list

Third Party Orchestration

Used to deploy fabric components using external orchestrator.

Device Certificate Management

Manages device certificates.

Other Resource Management

Manages virtual and cloud resources

You can associate the custom user roles either to a single category or to a combination of categories based on which the users will have access to the resources. For example, you can create a ‘Physical Devices Technician’ role such that the user associated with this role can only access the resources that are part of the Physical Device Infrastructure Management.

Note:  A user with fm_admin role has both read and write access to all of the categories, but has read only access to the FM Security Management category.

To create a role:

1.   On the left navigation pane, click and select Authentication > User Management > Roles.
2. Click Create. In the Wizard that appears, perform the following steps. Click Continue to progress forward and click Back to navigate backward and change details.

3 Create Roles
a. In the Name Role tab enter the following:
o   Name: Name of the role.
o   Description: Description for the role.
b. In the Select Permissions tab:
o   Select the required resources. Hover your mouse over the resource category to get a glimpse of the resource.
o   Select the required read and write permissions for the resources selected.
c. In the Review tab, review the role created. Click Save to create the role.

The new role is added to the summary list view.

Create User Groups

You can use the user group option to associate the users with Roles and Tags. A user group consists of a set of roles and set of tags associated with that group. When a user is created they can be associated with one or more user groups.

Create User Groups

Starting in software version 5.8.00, you can use the user group option to associate the users with Roles and Tags. A user group consists of a set of roles and set of tags associated with that group. When a user is created they can be associated with one or more user groups.

The following user groups are available by default in GigaVUE‑FM. You will not be able to edit or change these groups in the system.

User Group

Tag Key and Tag Value

Permission

Super Admin Group

Tag Key = All

Tag Value = All

Group with privileges of fm_super_adminrole.

Admin Group

Tag Key= All

Tag Value = All

Group with privileges of fm_admin role.

View only user

Tag Key = All

Tag Value = All

Group with privileges of fm_user role.

By creating groups and associating to tags and roles, you can control the users of the following:

  • The category of resources which the user can access, such as the clusters, ports, maps and so on. This is defined using the Roles option. Refer to the Roles section for more details.
  • The physical and logical resources that the user can access, such as the ports in a cluster that belong to a specific department in a location. This is defined using the Tags option.

Refer to the following flow chart to see how access control operation occurs when the user accesses a resource:

To create a group:

1.   On the left navigation pane, click , and then select Authentication > User Management > User Groups.
2. Click Create. In the Wizard that appears, perform the following steps. Click Continue to progress forward and click Back to navigate backward and change details.

4 Create Group
a. In the Name Group tab enter the following:
o   Group Name: Name of the group.
o   Description: Description for the group.
b. In the Assign Roles tab, select the required role.
c. In the Assign Tags tab, select the required tags Id and tag value. Only access control tags will be available for selection.

Note:  Select the Override User option to allow the user to access the resources for which the tag key of the resource does not match the tag key of the user.

d. Select the required users (this step is optional).
e. In the Review tab, review the group created. Click Save to create the group.

The new group is added to the summary list view. Click on the ellipses to perform the following operations:

o   View Details: View the details of the group such as the Group Name, Description, Role associated to the group, Tag associated to the group.
o   Assign Users: Assign groups to users if this step was skipped at the time of creating the group.
o   Remove Users: Remove existing users from the group.
o   Edit: Edit an existing group.
o   Delete: Delete an existing user.