EFA implements an RBAC (Role-based Access Control) policy governing access to northbound REST APIs.
The RBAC policy is enforced at the northbound interface, immediately after validation of the access token. An error message is returned if an RBAC permissions check fails.
The RBAC policy is expressed in a permissions matrix indexed by RBAC role and REST URI, in which each matrix element enumerates the permitted HTTP methods.
Role A | Role B | Role C | |
---|---|---|---|
REST URI 1 | GET | GET | GET, POST, PUT, PATCH, DELETE |
REST URI 2 | GET, POST | GET, POST, PUT | GET, POST, PUT, PATCH, DELETE |
REST URI 3 | GET, POST | GET, POST | GET, POST, PUT, PATCH, DELETE |
Roles can be populated into the upstream LDAP instance.
Role | Description |
---|---|
FabricAdmin |
|
SecurityAdmin | Performs user management, PKI, and key management operations |
NetworkOperator |
|
SystemDebugger |
|
SystemAdmin | Has complete privileges to all operations in the system |
<Tenant>Admin * Created dynamically per tenant |
Performs tenant administration within the assigned tenant, such as the
following:
|
* Tenant Administrator roles are added dynamically to the system when a tenant is created.
The name of the role is of the format <Tenant-name>Admin
. For example, if a tenant with the name “RegionOne” is
created, the role created for the Tenant Administrator is “RegionOneAdmin”.
Note
You cannot create custom roles.Allowed Privileges | System Admin | Fabric Admin | Tenant Admin | Network Operator | Security Admin | System Debugger |
Create/Clone/Delete fabric in the system | ✔ | ✔ | ||||
Register/Unregister devices in fabric, configure IP fabric on the device | ✔ | ✔ | ||||
Show IP fabric physical/underlay/ overlay topology, IP fabric configs and devices in IP fabric | ✔ | ✔ | ✔ | |||
Debug fabric operations | ✔ | ✔ | ✔ | |||
Inventory/Asset service operations | ✔ | ✔ | ||||
Run CLI access on the device | ✔ | ✔ | ||||
Create/Delete/Update tenants | ✔ | ✔ | ||||
Create/Delete EPG, PO, VRFs inside tenant | ✔ | ✔ | ✔ | |||
Add/Remove Port/Port Channels to/from EPG | ✔ | ✔ | ✔ | |||
Add/Remove Network Policies to EPG | ✔ | ✔ | ✔ | |||
Detach Network from EPG | ✔ | ✔ | ✔ | |||
Identify drift in device configuration | ✔ | ✔ | ||||
Set tenant debug level | ✔ | ✔ | ✔ | ✔ | ||
Show OpenStack networks, PO, subnets, tenant, ports, router, router-interface | ✔ | ✔ | ✔ | ✔ | ||
Create/Delete/Cleanup OpenStack Networks | ✔ | ✔ | ✔ | |||
Create/Delete OpenStack Subnets | ✔ | ✔ | ✔ | |||
Create/Delete OpenStack Ports | ✔ | ✔ | ✔ | |||
Create/Delete OpenStack Router | ✔ | ✔ | ✔ | |||
Create/Delete Router Interfaces | ✔ | ✔ | ✔ | |||
Delete OpenStack asset (DebugDeleteOSSAsset) | ✔ | ✔ | ✔ | ✔ | ||
View vCenter Details, events, ESXI details, Physical links, Virtual Links, Disconnected links, Get server settings | ✔ | ✔ | ✔ | ✔ | ||
Register/Delete/Update vCenter | ✔ | ✔ | ✔ | |||
Set vCenter debug level | ✔ | ✔ | ✔ | ✔ | ||
Update vCenter polling frequency, dead link clearing time | ✔ | ✔ | ✔ | |||
View SCVMM server details, Service Settings, Physical Links, Virtual Links | ✔ | ✔ | ✔ | ✔ | ||
Register/Delete/Update SCVMM server | ✔ | ✔ | ✔ | |||
Update SCVMM server polling frequency | ✔ | ✔ | ✔ | |||
User Management, assign roles to users, configure LDAP, view available roles in the system | ✔ | ✔ | ||||
Notification service (Add/Delete subscribers) | ✔ | ✔ | ||||
Execution Log View | ✔ | ✔ |
✔ (Only Tenant) |
✔ |
✔ (Only Auth and RBAC) |
✔ |
Support Save Collection | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ |
Backup and Restore Operation | ✔ | ✔ | ✔ (Only backup) |
|||
Install certificates | ✔ | ✔ | ✔ |