EFA RBAC Policy Enforcement

EFA implements an RBAC (Role-based Access Control) policy governing access to northbound REST APIs.

The RBAC policy is enforced at the northbound interface, immediately after validation of the access token. An error message is returned if an RBAC permissions check fails.

RBAC and REST URI Matrix

The RBAC policy is expressed in a permissions matrix indexed by RBAC role and REST URI, in which each matrix element enumerates the permitted HTTP methods.

Table 1. RBAC and REST Matrix
             Role A       Role B            Role C
REST URI 1   GET          GET               GET, POST, PUT, PATCH, DELETE
REST URI 2   GET, POST    GET, POST, PUT    GET, POST, PUT, PATCH, DELETE
REST URI 3   GET, POST    GET, POST         GET, POST, PUT, PATCH, DELETE
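The enforcement order described above (access token validated first, then the matrix check, with an error returned on failure) and the role-by-URI matrix of Table 1, as an added worked example in Python. This is illustration code, not EFA's own implementation: the URI paths, the opaque example tokens and users, the error bodies, and the rule that a caller holding several roles gets the union of their matrix cells are assumptions made for the example.

```python
"""Northbound RBAC gate modelled on the role x REST-URI permission matrix.

Added example; not EFA code. Tokens, users, URI paths and error bodies are
constructed for the illustration.
"""
from typing import Dict, FrozenSet, Iterable, NamedTuple, Optional, Tuple


class Principal(NamedTuple):
    user: str
    roles: Tuple[str, ...]


# Permission matrix indexed by (role, REST URI). Each cell lists the permitted
# HTTP methods; a cell that is absent means the role has no access to that URI.
# The rows mirror the generic Table 1; the concrete URI paths are assumptions.
MATRIX: Dict[Tuple[str, str], FrozenSet[str]] = {
    ("Role A", "/rest/uri1"): frozenset({"GET"}),
    ("Role A", "/rest/uri2"): frozenset({"GET", "POST"}),
    ("Role A", "/rest/uri3"): frozenset({"GET", "POST"}),
    ("Role B", "/rest/uri1"): frozenset({"GET"}),
    ("Role B", "/rest/uri2"): frozenset({"GET", "POST", "PUT"}),
    ("Role B", "/rest/uri3"): frozenset({"GET", "POST"}),
    ("Role C", "/rest/uri1"): frozenset({"GET", "POST", "PUT", "PATCH", "DELETE"}),
    ("Role C", "/rest/uri2"): frozenset({"GET", "POST", "PUT", "PATCH", "DELETE"}),
    ("Role C", "/rest/uri3"): frozenset({"GET", "POST", "PUT", "PATCH", "DELETE"}),
}

# Constructed, already-issued opaque tokens. Real validation (signature, expiry,
# revocation) would sit behind validate_token(); a table lookup keeps the
# example runnable offline.
TOKENS: Dict[str, Principal] = {
    "tok-alice": Principal("alice", ("Role A",)),
    "tok-bob": Principal("bob", ("Role B",)),
    "tok-carol": Principal("carol", ("Role C",)),
    "tok-dave": Principal("dave", ("Role A", "Role B")),  # holds two roles
}


def validate_token(token: Optional[str]) -> Optional[Principal]:
    """Step 1 of the gate: resolve the bearer token to a principal, or None."""
    if not token:
        return None
    return TOKENS.get(token)


def normalise_uri(uri: str) -> str:
    """Drop the query string and trailing slash so '/rest/uri1/?x=1' keys the
    same matrix row as '/rest/uri1' (otherwise a caller could dodge a row)."""
    path = uri.split("?", 1)[0]
    if len(path) > 1:
        path = path.rstrip("/")
    return path


def permitted_methods(roles: Iterable[str], uri: str) -> FrozenSet[str]:
    """Methods the caller may use on a normalised URI.

    Assumption: a principal with several roles gets the union of their cells.
    Unknown roles or URIs contribute nothing, so the default is deny."""
    allowed: FrozenSet[str] = frozenset()
    for role in roles:
        allowed |= MATRIX.get((role, uri), frozenset())
    return allowed


def is_permitted(roles: Iterable[str], method: str, uri: str) -> bool:
    return method.upper() in permitted_methods(roles, normalise_uri(uri))


def authorize(token: Optional[str], method: str, uri: str) -> Tuple[int, Dict[str, str]]:
    """Step 2 of the gate: RBAC check, run only after the token is accepted.

    Returns an HTTP-style (status, body) pair; 200 means the request may
    proceed to the service. The error texts are illustrative, not EFA's."""
    principal = validate_token(token)
    if principal is None:
        return 401, {"error": "invalid or missing access token"}
    if not is_permitted(principal.roles, method, uri):
        return 403, {
            "error": f"RBAC: {method.upper()} {normalise_uri(uri)} "
                     f"not permitted for roles {list(principal.roles)}"
        }
    return 200, {"user": principal.user}


if __name__ == "__main__":
    for tok, m, u in [
        ("tok-alice", "GET", "/rest/uri1"),
        ("tok-alice", "DELETE", "/rest/uri1"),
        ("tok-bob", "put", "/rest/uri2/?verbose=1"),
        ("tok-dave", "PUT", "/rest/uri2"),
        ("no-such-token", "GET", "/rest/uri1"),
    ]:
        print(tok, m, u, "->", authorize(tok, m, u))
```

Because the token check precedes the matrix lookup, an unauthenticated caller gets the same 401 for every URI and learns nothing about which roles may call it; the 403 branch only fires for a principal that has already been authenticated.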

RBAC Roles

Roles can be populated into the upstream LDAP instance.

Table 2. Role definitions
Role Description
FabricAdmin
  • Registers devices to the fabric
  • Configures fabric parameters
  • Validates all devices in the fabric
  • Configures switches for IP fabric with overlay and without overlay
  • Creates tenants
  • Creates networks inside tenants, such as VRF, EPG, and PO
  • Performs fabric debug activities
  • Has privileges for OpenStack, Hyper-V, and vCenter operations
SecurityAdmin Performs user management, PKI, and key management operations
NetworkOperator
  • Has view-only privileges for fabric configurations, information for tenants and inventory, and all ecosystem information
  • Cannot make changes in the system
SystemDebugger
  • Has privileges to perform supportsave and system backup, and to view the running system configurations
  • Has privileges to perform fabric debug operations
  • Sets debug levels for services
  • Has privileges to collect execution logs from services
SystemAdmin Has complete privileges to all operations in the system
<Tenant>Admin *
  • Performs tenant administration within the assigned tenant, such as:
    • Adding networks to the tenant
    • Configuring network parameters
    • Configuring switches with tenant-specific information
  • Cannot perform actions for any other tenant

* Tenant Administrator roles are added dynamically to the system when a tenant is created. The name of the role is of the format <Tenant-name>Admin. For example, if a tenant with the name “RegionOne” is created, the role created for the Tenant Administrator is “RegionOneAdmin”.

Note

You cannot create custom roles.

Role Permissions

Table 3. Role permissions
Roles evaluated: System Admin, Fabric Admin, Tenant Admin, Network Operator, Security Admin, System Debugger

Allowed privileges
  • Create, clone, delete fabric in the system
  • Register, unregister devices in fabric, configure IP fabric on the device
  • Show IP fabric physical, underlay, overlay topology, IP fabric configs and devices in IP fabric
  • Debug fabric operations
  • Inventory, asset service operations
  • Run CLI access on the device
  • Create, delete, update tenants
  • Create, delete EPG, PO, VRFs inside tenant
  • Add, remove port, port channels to and from EPG
  • Add, remove network policies to EPG
  • Detach network from EPG
  • Identify drift in device configuration
  • Set tenant debug level
  • Show OpenStack networks, PO, subnets, tenant, ports, router, router-interface
  • Create, delete, clean up OpenStack networks
  • Create, delete OpenStack subnets
  • Create, delete OpenStack ports
  • Create, delete OpenStack router
  • Create, delete router interfaces
  • Delete OpenStack asset (DebugDeleteOSSAsset)
  • View vCenter details, events, ESXi details, physical links, virtual links, disconnected links, get server settings
  • Register, delete, update vCenter
  • Set vCenter debug level
  • Update vCenter polling frequency, dead link clearing time
  • View SCVMM server details, service settings, physical links, virtual links
  • Register, delete, update SCVMM server
  • Update SCVMM server polling frequency
  • User management, assign roles to users, configure LDAP, view available roles in the system
  • Notification service (add, delete subscribers)
  • Execution log view (Tenant Admin: only Tenant; Security Admin: only Auth and RBAC)
  • Support save collection
  • Backup and restore operation (System Debugger: only backup)
  • Install certificates