XCO implements an RBAC policy governing access to northbound REST APIs.
The RBAC policy is enforced at the northbound interface, immediately after validation of the access token. An error message is returned if the RBAC permission check fails.
Use the following logs to troubleshoot authentication, authorization, or RBAC issues.
| Log source | Filepath |
|---|---|
| XCO server | /var/log/efa/auth/auth-server.log, /var/log/efa/rbac/rbac-server.log |
| XCO TPVM | /apps/efa_logs/auth/auth-server.log, /apps/efa_logs/rbac/rbac-server.log |
| SLX device | /var/log/pam-oauth2.log |
The RBAC policy is expressed in a permissions matrix indexed by RBAC role and REST URI, in which each matrix element enumerates the permitted HTTP methods.
| | Role A | Role B | Role C |
|---|---|---|---|
| REST URI 1 | GET | GET | GET, POST, PUT, PATCH, DELETE |
| REST URI 2 | GET, POST | GET, POST, PUT | GET, POST, PUT, PATCH, DELETE |
| REST URI 3 | GET, POST | GET, POST | GET, POST, PUT, PATCH, DELETE |
Note
The SystemAdmin and NetworkOperator roles are applicable for VM mode of installation.

| Role | Description |
|---|---|
| FabricAdmin | |
| SecurityAdmin | Performs user management, PKI, and key management operations |
| NetworkOperator | |
| SystemDebugger | |
| SystemAdmin | Has complete privileges to all operations in the system |
| <Tenant>Admin* (created dynamically per tenant) | Performs tenant administration within the assigned tenant, such as the following: |
* Tenant Administrator roles are added dynamically to the system when a tenant is created. The name of the role is presented in the <Tenant-name>Admin format. For example, if a tenant with the name "RegionOne" is created, the role created for the Tenant Administrator is "RegionOneAdmin".
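A runnable model of the check described above (permissions matrix indexed by role and REST URI, consulted only after the access token has been validated, with an error returned when the RBAC check fails), added here as an example and not XCO's own code. The matrix contents, URIs, token format and error strings are constructed, and the dynamically created <Tenant-name>Admin roles are assumed to be scoped to their own tenant's URI subtree.

```python
import re
import time
from typing import Optional

ALL = frozenset({"GET", "POST", "PUT", "PATCH", "DELETE"})
READ = frozenset({"GET"})

# Constructed permissions matrix: role -> REST URI prefix -> permitted HTTP methods.
# The role names mirror the page; the URIs and method sets are illustrative, not XCO's policy.
MATRIX = {
    "NetworkOperator": {"/v1/fabrics": READ, "/v1/tenants": READ},
    "FabricAdmin": {"/v1/fabrics": ALL, "/v1/tenants": READ | {"POST"}},
    "SecurityAdmin": {"/v1/users": ALL},
    "SystemAdmin": {"/v1/": ALL},
}
# Dynamic <Tenant-name>Admin roles (e.g. "RegionOneAdmin"). Scoping them to the
# tenant's own URI subtree is an assumption made for this example.
TENANT_ADMIN = re.compile(r"^(?P<tenant>[A-Za-z0-9]+)Admin$")


def permitted_methods(role: str, uri: str) -> frozenset:
    """Methods `role` may use on `uri`: the longest matching prefix wins, none by default."""
    m = TENANT_ADMIN.match(role)
    if m and role not in MATRIX:
        base = f"/v1/tenants/{m['tenant']}"
        return ALL if uri == base or uri.startswith(base + "/") else frozenset()
    prefixes = [p for p in MATRIX.get(role, {}) if uri.startswith(p)]
    return MATRIX[role][max(prefixes, key=len)] if prefixes else frozenset()


def rbac_allows(roles, uri: str, method: str) -> bool:
    """Deny by default: allow only if at least one role on the token permits the method."""
    return any(method in permitted_methods(r, uri) for r in roles)


def validate_token(token: Optional[dict], now: float) -> Optional[list]:
    """Stand-in for access-token validation (constructed): rejects missing or expired tokens."""
    if not token or token.get("exp", 0) <= now:
        return None
    return list(token.get("roles", []))


def handle_request(token, method: str, uri: str, now: Optional[float] = None):
    """Northbound order of checks: token validity first, then the RBAC matrix, then the handler."""
    roles = validate_token(token, time.time() if now is None else now)
    if roles is None:
        return 401, "invalid or expired access token"
    if not rbac_allows(roles, uri, method):
        return 403, f"RBAC: {method} {uri} not permitted for roles {sorted(roles)}"
    return 200, "ok"
```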
Note
You cannot create custom roles.

| Allowed Privileges | System Admin | Fabric Admin | Tenant Admin | Network Operator | Security Admin | System Debugger |
|---|---|---|---|---|---|---|
| Create, clone, delete fabric in the system | ✔ | ✔ | | | | |
| Register, unregister devices in fabric, configure IP fabric on the device | ✔ | ✔ | | | | |
| Add, delete, and update location | ✔ | ✔ | | | | |
| Show IP fabric physical, underlay, overlay topology, IP fabric configs and devices in IP fabric | ✔ | ✔ | ✔ | | | |
| Debug fabric operations | ✔ | ✔ | ✔ | | | |
| Inventory, asset service operations | ✔ | ✔ | | | | |
| Run CLI access on the device | ✔ | ✔ | | | | |
| Create, delete, update tenants | ✔ | ✔ | | | | |
| Create, delete EPG, PO, VRFs inside tenant | ✔ | ✔ | ✔ | | | |
| Add, remove port, port channels to and from EPG | ✔ | ✔ | ✔ | | | |
| Add, remove network policies to EPG | ✔ | ✔ | ✔ | | | |
| Detach network from EPG | ✔ | ✔ | ✔ | | | |
| Identify drift in device configuration | ✔ | ✔ | | | | |
| Set tenant debug level | ✔ | ✔ | ✔ | ✔ | | |
| Show OpenStack networks, PO, subnets, tenant, ports, router, router-interface | ✔ | ✔ | ✔ | ✔ | | |
| Create, delete, clean up OpenStack networks | ✔ | ✔ | ✔ | | | |
| Create, delete OpenStack subnets | ✔ | ✔ | ✔ | | | |
| Create, delete OpenStack ports | ✔ | ✔ | ✔ | | | |
| Create, delete OpenStack router | ✔ | ✔ | ✔ | | | |
| Create, delete router interfaces | ✔ | ✔ | ✔ | | | |
| Delete OpenStack asset (DebugDeleteOSSAsset) | ✔ | ✔ | ✔ | ✔ | | |
| View vCenter details, events, ESXi details, physical links, virtual links, disconnected links, get server settings | ✔ | ✔ | ✔ | ✔ | | |
| Register, delete, update vCenter | ✔ | ✔ | ✔ | | | |
| Set vCenter debug level | ✔ | ✔ | ✔ | ✔ | | |
| Update vCenter polling frequency, dead link clearing time | ✔ | ✔ | ✔ | | | |
| View SCVMM server details, service settings, physical links, virtual links | ✔ | ✔ | ✔ | ✔ | | |
| Register, delete, update SCVMM server | ✔ | ✔ | ✔ | | | |
| Update SCVMM server polling frequency | ✔ | ✔ | ✔ | | | |
| User management, assign roles to users, configure LDAP, configure TACACS+, view available roles in the system | ✔ | ✔ | ✔ | | | |
| Notification service (add, delete subscribers) | ✔ | ✔ | | | | |
| Execution log view | ✔ | ✔ (no Auth and RBAC) | ✔ (only Tenant) | ✔ | ✔ (only Auth and RBAC) | ✔ |
| Support save collection | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ |
| Backup and restore operation | ✔ | ✔ (only backup) | ✔ | | | |
| Install certificates | ✔ | ✔ | ✔ | | | |
| Allowed Privileges | System Admin | Network Operator |
|---|---|---|
| Add, delete, and update location | ✔ | |
| User management, configure LDAP, configure TACACS+, authentication settings and assign roles | ✔ | |
| Register, unregister NPB devices | ✔ | |
| View inventory and configuration | ✔ | ✔ |
| Create, delete, and update NPB policy and related configurations | ✔ | |
| Port and port-channel operation on NPB devices | ✔ | |
| Create, delete, and update configuration in Library | ✔ | |
| Upgrade firmware | ✔ | |
| Refresh and export configurations | ✔ | |
| Packet capture | ✔ | |
| Clear counter | ✔ | |
| View statistics | ✔ | ✔ |
| View syslog | ✔ | |