XCO RBAC Policy Enforcement

XCO implements an RBAC policy governing access to northbound REST APIs.

The RBAC policy is enforced at the northbound interface, immediately after validation of the access token. An error message is returned if the RBAC permission check fails.

Security Troubleshooting

Use the following logs to troubleshoot authentication, authorization, or RBAC issues.

Table 1. Security log locations
Log source    Filepath
XCO server    /var/log/efa/auth/auth-server.log
              /var/log/efa/rbac/rbac-server.log
XCO TPVM      /apps/efa_logs/auth/auth-server.log
              /apps/efa_logs/rbac/rbac-server.log
SLX device    /var/log/pam-oauth2.log

Use the following commands to list the commands that were run during a specified time window and to identify potential causes of issues, such as an RBAC error:
  • efa auth execution show
  • efa rbac execution show
  • efa inventory execution show

RBAC and REST URI Matrix

The RBAC policy is expressed in a permissions matrix indexed by RBAC role and REST URI, in which each matrix element enumerates the permitted HTTP methods.

Table 2. RBAC and REST Matrix
REST URI      Role A       Role B           Role C
REST URI 1    GET          GET              GET, POST, PUT, PATCH, DELETE
REST URI 2    GET, POST    GET, POST, PUT   GET, POST, PUT, PATCH, DELETE
REST URI 3    GET, POST    GET, POST        GET, POST, PUT, PATCH, DELETE

RBAC Roles

Roles can be populated into the upstream LDAP instance.
Note

The SystemAdmin and NetworkOperator roles are applicable for VM mode of installation.

Table 3. Role definitions
Role Description
FabricAdmin
  • Registers devices to the fabric
  • Configures fabric parameters
  • Validates all devices in the fabric
  • Configures switches for IP fabric with overlay and without overlay
  • Creates tenants
  • Creates networks inside tenants, such as VRF, EPG, and PO
  • Performs fabric debug activities
  • Has privileges for Hyper-V and vCenter operations
SecurityAdmin Performs user management, PKI, and key management operations
NetworkOperator
  • Has view-only privileges for fabric configurations, information for tenants and inventory, and all ecosystem information
  • Cannot make changes in the system
SystemDebugger
  • Has privileges to perform supportsave and system backup, and to view the running system configurations
  • Has privileges to perform fabric debug operations
  • Sets debug levels for services
  • Has privileges to collect execution logs from services
SystemAdmin Has complete privileges to all operations in the system
<Tenant>Admin *
* Created dynamically per tenant
Performs tenant administration within the assigned tenant, such as the following:
  • Adds networks to the tenant
  • Configures network parameters
  • Configures switches with tenant-specific information
Cannot perform actions for any other tenant

* Tenant Administrator roles are added dynamically to the system when a tenant is created. The name of the role is presented in the <Tenant-name>Admin format. For example, if a tenant with the name “RegionOne” is created, the role created for the Tenant Administrator is “RegionOneAdmin”.
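The enforcement order (token validation first, then the RBAC permission check), the role-by-URI matrix of Table 2, and the dynamically named <Tenant-name>Admin role described above, modelled as a small added example. This is illustration code, not XCO's implementation: the token store, the result strings, and the rule that a tenant admin role is honoured only for its own tenant are assumptions.

```python
from typing import Dict, FrozenSet, Optional, Set

# Permissions matrix transcribed from Table 2: role -> REST URI -> permitted HTTP methods.
FULL = frozenset({"GET", "POST", "PUT", "PATCH", "DELETE"})
MATRIX: Dict[str, Dict[str, FrozenSet[str]]] = {
    "Role A": {"REST URI 1": frozenset({"GET"}),
               "REST URI 2": frozenset({"GET", "POST"}),
               "REST URI 3": frozenset({"GET", "POST"})},
    "Role B": {"REST URI 1": frozenset({"GET"}),
               "REST URI 2": frozenset({"GET", "POST", "PUT"}),
               "REST URI 3": frozenset({"GET", "POST"})},
    "Role C": {"REST URI 1": FULL, "REST URI 2": FULL, "REST URI 3": FULL},
}

# Constructed token store standing in for the access-token validator (assumption, not XCO's).
TOKENS: Dict[str, Set[str]] = {
    "tok-a": {"Role A"},
    "tok-c": {"Role C"},
    "tok-r1": {"RegionOneAdmin"},  # the dynamic role for tenant "RegionOne"
}

def tenant_admin_role(tenant: str) -> str:
    """Name of the dynamically created tenant administrator role: <Tenant-name>Admin."""
    return f"{tenant}Admin"

def validate_token(token: str) -> Optional[Set[str]]:
    """Return the roles bound to a valid access token, or None if the token is not valid."""
    return TOKENS.get(token)

def rbac_allows(roles, method, uri, tenant=None) -> bool:
    """Matrix lookup: allowed if any held role permits `method` on `uri`.
    A <Tenant>Admin role is honoured only for requests on its own tenant (assumed scoping)."""
    for role in roles:
        if method in MATRIX.get(role, {}).get(uri, frozenset()):
            return True
        if tenant is not None and role == tenant_admin_role(tenant) and method in FULL:
            return True
    return False

def authorize(token, method, uri, tenant=None) -> str:
    """Northbound enforcement order: validate the token first, then apply the RBAC check.
    The result strings are this example's own; XCO returns its own error message."""
    roles = validate_token(token)
    if roles is None:
        return "denied: invalid access token"
    if not rbac_allows(roles, method, uri, tenant):
        return "denied: RBAC permission check failed"
    return "allowed"
```

A request with an invalid token never reaches the matrix lookup, which is why the troubleshooting section points at auth-server.log before rbac-server.log.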

Note

You cannot create custom roles.

Role Permissions

Table 4. Role permissions for fabric manager
Roles covered: System Admin, Fabric Admin, Tenant Admin, Network Operator, Security Admin, System Debugger
Allowed privileges:
  • Create, clone, delete fabric in the system
  • Register, unregister devices in fabric, configure IP fabric on the device
  • Add, delete, and update location
  • Show IP fabric physical, underlay, overlay topology, IP fabric configs and devices in IP fabric
  • Debug fabric operations
  • Inventory, asset service operations
  • Run CLI access on the device
  • Create, delete, update tenants
  • Create, delete EPG, PO, VRFs inside tenant
  • Add, remove port, port channels to and from EPG
  • Add, remove network policies to EPG
  • Detach network from EPG
  • Identify drift in device configuration
  • Set tenant debug level
  • Create, delete router interfaces
  • View vCenter details, events, ESXi details, physical links, virtual links, disconnected links, get server settings
  • Register, delete, update vCenter
  • Set vCenter debug level
  • Update vCenter polling frequency, dead link clearing time
  • View SCVMM server details, service settings, physical links, virtual links
  • Register, delete, update SCVMM server
  • Update SCVMM server polling frequency
  • User management, assign roles to users, configure LDAP, configure TACACS+, view available roles in the system
  • Notification service (add, delete subscribers)
  • Execution log view (role-specific qualifiers: No Auth and RBAC; only Tenant; only Auth and RBAC)
  • Support save collection
  • Backup and restore operation (role-specific qualifier: only backup)
  • Install certificates

Table 5. Role permissions for visibility manager
Roles covered: System Admin, Network Operator
Allowed privileges:
  • Add, delete, and update location
  • User management, configure LDAP, configure TACACS+, authentication settings and assign roles
  • Register, unregister NPB devices
  • View inventory and configuration
  • Create, delete, and update NPB policy and related configurations
  • Port and port-channel operation on NPB devices
  • Create, delete, and update configuration in Library
  • Upgrade firmware
  • Refresh and export configurations
  • Packet capture
  • Clear counter
  • View statistics
  • View syslog