Published by Horace Norman. Modified over 8 years ago.
ACI RBAC Rules
More fine grained Role-Based Access Control for the ACI REST API
Agenda
- RBAC Rules
  − Overview
- Deployment & Implementation Scenarios
  − Purpose of the feature
  − Design Considerations
  − Implementation scenarios/examples
- Configuration & Troubleshooting
  − Configuration commands
  − Show commands
  − Limitations
  − Partial RBAC Rules
  − Troubleshooting
RBAC Rule Overview and Description
RBAC Rules Overview
- Adds fine grained RBAC control to the existing RBAC framework
- Allows granular rules on each subtree in the MIT
- Provides read-only rules as well as read-write rules
- Prerequisite: the audience needs to be familiar with the RBAC architecture and concepts that have been present in the product since FCS
- Cannot have negative rules: privileges granted by RBAC Rules are only additive and cannot provide a 'block' capability
- EDCS-1499376: APIC RBAC Rule Enhancements Software Design Specification
Purpose Of The Feature
- L4-L7 policy configuration in a multi-tenant environment required admin intervention to create certain objects that tenant administrators could not create using the classic RBAC domains and roles model. This introduces a requirement for more fine grained RBAC privileges in the MIT tree.
- This allows the site administrator to create RBAC Rules that grant access (read-only or read/write) to the physical topology or, in general, to parts of the MIT that are not normally visible to tenants.
- Normal RBAC functionality grants access to all instances of classes of objects under the tenant subtree. For example, a user with tenant-acme firewall administrator privileges can read/write ALL firewall objects in the uni/tn-acme subtree. The same applies to any other policies under the tenant subtree, such as load balancers, VRFs, BDs etc.
- Customers requested more fine grained access: to allow distinct tenant users restricted access to specific firewalls or load balancers.
Design Considerations
- The new design should fit seamlessly into existing customer configurations and deployments.
- The upgrade to code containing the new feature should be non-impacting and seamless.
- The existing RBAC domain/roles definition mechanism should still work.
- The new RBAC rules act in addition to the existing RBAC mechanism (i.e. both must co-exist).
Example Scenario
- Either before, during or after L4-L7 policy configuration, the site administrator may choose to create PartialRbacRules that grant specific tenant users access to specific firewall and load balancer devices.
- This is implemented by creating aaa:Domains that represent each resource group that needs to be individually assigned.
- Tenant Acme
  − Firewall Devices:
    − Firewall1
    − Firewall2
  − Load Balancer Devices:
    − LB1
    − LB2
Example Scenario (cont.)
- Tenant Users:
  − acme-admin: Tenant Administrator with access to the entire tenant tree
  − acme-firewall1-admin: Tenant user with write access ONLY to firewall1
  − acme-firewall2-admin: Tenant user with write access ONLY to firewall2
  − N users, each with access to instance X of a specific resource
- Site Administrator actions: Security Domains to be created:
  − acme-firewall-1-admin
  − acme-firewall-2-admin
  − acme-loadbalancer-1-admin
  − acme-loadbalancer-2-admin
Example Scenario (cont.)
- Users to be created:
  − acme-admin: Tenant Administrator with access to the entire tenant tree
  − acme-firewall1-admin:
    − Domain acme: read-all privileges
    − Domain acme-firewall-1-admin: firewall-admin WRITE privileges
  − acme-firewall2-admin:
    − Domain acme: read-all privileges
    − Domain acme-firewall-2-admin: firewall-admin WRITE privileges
  − N users, each with access to instance X of a specific resource
Example Scenario (cont.)
- User acme-firewall1-admin has read-all privileges for domain acme; this does not allow modifying firewall1. We need an RBAC Rule granting this access.
- RBAC Rule to be created for user acme-firewall1-admin:
  − DN(uni/tn-acme/firewall1) Domain(acme-firewall-1-admin) WRITE
- This rule grants access to the subtree uni/tn-acme/firewall1 to users belonging to domain acme-firewall-1-admin.
- Note the allowWrites privilege that is necessary to make this a "write RBAC rule". By default, RBAC Rules are read-only rules.
RBAC Rule Policy Configuration
- A role based access control (RBAC) rule allows users from a security domain to read the subtree rooted at [objectDn].
- Policy is expressed as objects of class aaaRbacRule contained under uni/rbacdb
- DN: uni/rbacdb/rule-{[objectDn]}-dom-{domain}
- CLI command:
  apic1(config)# rbac rule uni/tn-acme/flt-filter1 acme-firewall-1-admin
RBAC Rule CLI Configuration
apic1(config)# rbac rule uni/tn-acme/flt-filter1 acme-firewall-1-admin
apic1(config-rule)# allow-writes
apic1(config-rule)# show run
# Command: show running-config rbac rule "uni/tn-acme/flt-filter1" "acme-firewall-1-admin"
  allow-writes
  exit
apic1(config-rule)#
Limitations and Common Pitfalls
- RBAC Rules are additive and associative.
- RBAC Rules cannot be negative/blocking rules.
- RBAC Rules cannot be created by tenant administrators.
- RBAC Rules require knowledge of the DNs of resources.
- RBAC Rule DNs are validated only for DN correctness, not for existence; this allows pre-creation of RBAC Rules prior to the creation of the DN object they refer to.
- RBAC Rule Domains are validated only for format, not for existence; this allows pre-creation of RBAC Rules prior to the creation of the domains they refer to.
Partial RBAC Rules
- The previous slide mentioned the limitation that admin privileges are required to create RBAC Rules.
- PartialRbacRules allow self-service creation of RBAC Rules by tenant administrators, to grant/withdraw fine grained resource access to tenant sub-admins (firewall1 admin vs firewall2 admin etc.).
- Partial RBAC Rules are similar to RBAC Rules except that they are:
  − Contained under the tenant's subtree, which allows the tenant-admin to create them
  − Validated for DNs pointing only into that tenant subtree; the backend will reject partial RBAC rules referring to DNs outside the same tenant subtree.
RBAC Troubleshooting Addendums
- Customer complains that User X can read/write an object they shouldn't be able to. Why?
- Pre-Brazos RBAC utilized only domains/roles to determine read privileges for a user. Troubleshooting RBAC issues involved finding the object's domain and privileges and their intersection with the user's privileges.
- With the Brazos release, there are two additional items to check: RbacRules and Partial RbacRules that might grant access to the DN the user is attempting to access.
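To make the evaluation described on slides 10, 13, 14 and 15 concrete (classic domain/role grant, plus additive RBAC Rules that are read-only unless allowWrites, the partial-rule tenant-subtree check, and listing every source that grants access so a troubleshooter can see why User X got in), here is an added Python model. It is not Cisco/APIC code; the per-domain "read"/"write" levels are a simplification of role privileges, and the DNs and domain names are constructed from the example scenario.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class RbacRule:
    object_dn: str             # root of the subtree the rule opens up
    domain: str                # security domain whose users receive the access
    allow_writes: bool = False  # slide 10: rules are read-only unless allowWrites
    tenant_dn: str = ""        # non-empty for a PartialRbacRule owned by a tenant


def in_subtree(dn, root):
    """True when dn is root itself or lies beneath it (path-component aware)."""
    return dn == root or dn.startswith(root + "/")


def validate_rule(rule):
    """Slide 14: a partial rule may only refer to DNs inside its own tenant subtree."""
    if rule.tenant_dn and not in_subtree(rule.object_dn, rule.tenant_dn):
        raise ValueError(f"partial rule {rule.object_dn} escapes {rule.tenant_dn}")
    return rule


def rule_dn(rule):
    """Slide 11 naming: uni/rbacdb/rule-{[objectDn]}-dom-{domain}."""
    return f"uni/rbacdb/rule-[{rule.object_dn}]-dom-{rule.domain}"


def grants(user_domains, target_dn, target_domains, write, rules):
    """Return every source that grants the requested access (additive semantics).
    user_domains: {domain: 'read' | 'write'} derived from classic roles/privileges.
    target_domains: security domains the target object is tagged with.
    An empty list means access is denied; no rule can ever subtract a grant."""
    found = []
    # 1. classic domain/role intersection (what pre-Brazos troubleshooting checked)
    for dom in target_domains:
        level = user_domains.get(dom)
        if level == "write" or (level == "read" and not write):
            found.append(f"domain {dom} ({level})")
    # 2. RBAC Rules / Partial RBAC Rules: user must belong to the rule's domain
    #    and the target must sit in the rule's subtree; writes need allowWrites
    for r in rules:
        if r.domain in user_domains and in_subtree(target_dn, r.object_dn):
            if r.allow_writes or not write:
                found.append(rule_dn(r))
    return found


# Constructed scenario from slides 8-10: firewall1 admin, write rule on firewall1 only.
FW1_RULE = validate_rule(RbacRule("uni/tn-acme/firewall1", "acme-firewall-1-admin", allow_writes=True))
FW1_ADMIN = {"acme": "read", "acme-firewall-1-admin": "write"}
```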