Role-Based Access Control (RBAC) Privilege Reference

This article describes each RBAC privilege available when creating custom RBAC roles and lists the API endpoints secured by that privilege.

For a guide on how to create RBAC Roles and apply them to Users and API Clients, read the Role Based Access Control (RBAC) article.

RBAC Privileges - Site Permissions

Site Permissions control access to different sites within your organization's network. Restricting access to specific sites for a role ensures that users can only interact with the sites relevant to their roles, enhancing security and operational efficiency. This restriction applies to any component of the Elisity Platform that utilizes Site Labels, including devices, Local Policy Groups, and Enforcement Infrastructure like Virtual Edges and VENs.

  • Privilege: Grants general permissions for managing site access. (No specific API endpoints)
  • View Sites: Allows users to view site details. By default, all sites are visible unless specific sites are selected.
    • API Endpoints:
      • GET /api/sites

RBAC Privileges - Devices

Devices settings manage access to information and controls related to the devices within your network. Properly configuring these permissions ensures that only authorized personnel can view, add, edit, or delete devices, maintaining the integrity and security of your network infrastructure. It's important to note that these settings are directly influenced by Site Permissions. Users can only access devices associated with the sites they have permission to view.

Site Label Filtering Dependency: For roles with limited Site Permissions (restricted to specific sites rather than all sites), the View Devices privilege alone does not enable the Site Labels filter on the Devices page. Users with only View Devices enabled see a disabled Site Labels dropdown displaying "NO SITE LABELS" and cannot filter devices by site.

To enable Site Label filtering on the Devices page, also enable View Site Labels under the Site Labels and Distribution Zones privilege section. This grants access to Site Label metadata, which is required because Site Labels are shared across multiple Cloud Control Center components including Virtual Edges, Policy Groups, and device organization.

After enabling both View Devices (under Devices) and View Site Labels (under Site Labels and Distribution Zones), the Site Labels dropdown on the Devices page displays only the Site Labels permitted by the role's Site Permissions, and users can filter devices accordingly.

View Devices: Grants permission to view details of devices.

  • API Endpoints:
    • GET /api/identity-graph/v1/devices
    • GET /api/identity-graph/v1/devices/{id}
    • GET /api/identity-graph/v1/devices/count
    • GET /api/identity-graph/v1/devices/aggregate

Add Devices: Allows users to add new devices to the network.

  • API Endpoints:
    • POST /api/identity-graph/v1/devices

Edit Devices: Enables users to modify existing device configurations.

  • API Endpoints:
    • PUT /api/identity-graph/v1/devices/{id}
    • PUT /api/identity-graph/v1/devices/bulk

Delete Devices: Permits users to remove devices from the network.

  • API Endpoints:
    • DELETE /api/identity-graph/v1/devices/{id}
    • DELETE /api/identity-graph/v1/devices/bulk

RBAC Privileges - Policies and Security Profiles

Policies settings allow administrators to control access to policy configurations that define how network traffic is managed and secured. This is crucial for maintaining security protocols and ensuring compliance with organizational policies.

View Policies: Grants permission to view policy configurations.

  • API Endpoints:
    • GET /api/policy/v1/policy-sets/{policySetId}/policies

Create Policies: Allows users to create new simulated policies. If Activate Policies is also checked, users can create both simulated and active policies.

  • API Endpoints:
    • POST /api/policy/v1/policy-sets/{policySetId}/policies

Edit Policies: Enables users to modify existing policies. This includes activating simulated policies and deactivating active policies.

  • API Endpoints:
    • PUT /api/policy/v1/policy-sets/{policySetId}/policies/{policyId}

Activate Policies: Determines whether users are allowed to activate simulated policies or, by extension, create new active policies. With this unchecked, users can only create simulated policies (assuming Create Policies is granted).

  • API Endpoints:
    • DELETE /api/policy/v1/policy-sets/{policySetId}/policies/{policyId}

Delete Policies: Permits users to remove policies.

  • API Endpoints:
    • DELETE /api/policy/v1/policy-sets/{policySetId}/policies/{policyId}

Security Profiles settings manage the security configurations assigned to different users and devices, ensuring that appropriate security measures are applied consistently across the network.

View Security Profiles: Grants permission to view security profiles.

  • API Endpoints:
    • GET /api/policy/v1/security-profiles/{id}

Create/Duplicate Security Profiles: Allows users to create or duplicate security profiles.

  • API Endpoints:
    • POST /api/policy/v1/security-profiles

Edit Security Profiles: Enables users to modify existing security profiles.

  • API Endpoints:
    • PUT /api/policy/v1/security-profiles/{id}

Delete Security Profiles: Permits users to remove security profiles.

  • API Endpoints:
    • DELETE /api/policy/v1/security-profiles/{id}

RBAC Privileges - Policy Groups

Policy Groups settings allow for the management of both local and global policy groups. These settings are essential for organizing and applying security policies across different segments and sites within the network.

Note: The settings for Local Policy Groups are directly influenced by Site Permissions, restricting users to only the groups associated with the sites they have access to.

View Global Policy Groups: Grants permission to view global policy groups.

  • API Endpoints:
    • GET /api/policy/v2/policy-groups

Enable Global Policy Group Lock: Allows users to enable/disable auto-locking on Global Policy Groups.

  • API Endpoints:
    • PUT /api/policy/v2/policy-groups/{id}/unlock
      Unlock policy group

    • PUT /api/policy/v2/policy-groups/{id}/lock
      Lock policy group

Create Global Policy Groups: Allows users to create new global policy groups.

  • API Endpoints:
    • POST /api/policy/v2/policy-groups/dynamic
    • POST /api/policy/v2/policy-groups/network

Edit Global Policy Groups: Enables users to modify existing global policy groups.

  • API Endpoints:
    • PUT /api/policy/v2/policy-groups/network/{id}

Delete Global Policy Groups: Permits users to remove global policy groups.

  • API Endpoints:
    • DELETE /api/policy/v2/policy-groups/{id}

View Local Policy Groups: Grants permission to view local policy groups.

Enable Global Policy Group Lock: Allows users with view-only permissions for Policy Groups to lock/unlock the Policy Groups.

Create Local Policy Groups: Allows users to create new local policy groups.

Edit Local Policy Groups: Enables users to modify existing local policy groups.

Delete Local Policy Groups: Permits users to remove local policy groups.

RBAC Privileges - Policy Group Labels and Policy Sets

Policy Group Labels settings manage the labels assigned to policy groups. This helps in organizing and categorizing policies effectively, making it easier to manage and apply them across the network.

View Policy Group Labels: Grants permission to view policy group labels.

  • API Endpoints:
    • GET /api/policy/v1/policy-group-label

Create Policy Group Labels: Allows users to create new policy group labels.

  • API Endpoints:
    • POST /api/policy/v1/policy-group-label

Edit Policy Group Labels: Enables users to modify existing policy group labels.

  • API Endpoints:
    • PUT /api/policy/v1/policy-group-label/{id}

Delete Policy Group Labels: Permits users to remove policy group labels.

  • API Endpoints:
    • DELETE /api/policy/v1/policy-group-label/{id}

Policy Sets settings allow for the grouping of multiple policies into sets, facilitating easier management and application of policies across different segments of the network.

View Policy Sets: Grants permission to view policy sets.

  • API Endpoints:
    • GET /api/policy/v1/policy-sets

Create/Duplicate Policy Sets: Allows users to create or duplicate policy sets.

  • API Endpoints:
    • POST /api/policy/v1/policy-sets

Edit Policy Sets: Enables users to modify existing policy sets.

  • API Endpoints:
    • PUT /api/policy/v1/policy-sets/{id}

Delete Policy Sets: Permits users to remove policy sets.

  • API Endpoints:
    • DELETE /api/policy/v1/policy-sets/{id}
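
The privilege-to-endpoint lists above are most useful when a role is built from what an API client actually does. The script below is an added example, not part of this article or of the Elisity product: it copies the Devices, Policies and Policy Sets endpoint lists from this page into a table, matches observed requests against the route templates, and derives the smallest set of privileges that covers them. The access-log lines are constructed sample data and their METHOD PATH STATUS layout is an assumption. Two details a practitioner should watch for are handled: a literal route such as /devices/count must outrank the templated /devices/{id}, and this page lists DELETE .../policies/{policyId} under both Activate Policies and Delete Policies, so that call is reported as ambiguous rather than silently assigned to one privilege.

```python
"""Derive the minimal set of RBAC privileges a role needs from observed API calls.

Added example, not Elisity code. PRIVILEGE_ENDPOINTS is copied from the
Devices, Policies and Policy Sets sections of this reference; SAMPLE_LOG is
constructed data in an assumed 'METHOD PATH STATUS' format.
"""
import re

PRIVILEGE_ENDPOINTS = {
    "View Devices": [
        ("GET", "/api/identity-graph/v1/devices"),
        ("GET", "/api/identity-graph/v1/devices/{id}"),
        ("GET", "/api/identity-graph/v1/devices/count"),
        ("GET", "/api/identity-graph/v1/devices/aggregate"),
    ],
    "Add Devices": [("POST", "/api/identity-graph/v1/devices")],
    "Edit Devices": [
        ("PUT", "/api/identity-graph/v1/devices/{id}"),
        ("PUT", "/api/identity-graph/v1/devices/bulk"),
    ],
    "Delete Devices": [
        ("DELETE", "/api/identity-graph/v1/devices/{id}"),
        ("DELETE", "/api/identity-graph/v1/devices/bulk"),
    ],
    "View Policies": [("GET", "/api/policy/v1/policy-sets/{policySetId}/policies")],
    "Create Policies": [("POST", "/api/policy/v1/policy-sets/{policySetId}/policies")],
    "Edit Policies": [("PUT", "/api/policy/v1/policy-sets/{policySetId}/policies/{policyId}")],
    # The page lists this DELETE route under both privileges; resolve() reports both.
    "Activate Policies": [("DELETE", "/api/policy/v1/policy-sets/{policySetId}/policies/{policyId}")],
    "Delete Policies": [("DELETE", "/api/policy/v1/policy-sets/{policySetId}/policies/{policyId}")],
    "View Policy Sets": [("GET", "/api/policy/v1/policy-sets")],
}

_PLACEHOLDER = re.compile(r"\{[^/}]+\}")


def _compile(template):
    """Compile '/a/{id}/b' to a regex where {x} matches one path segment.
    Also return the number of literal segments so literal routes outrank templates."""
    parts, literals = [], 0
    for seg in template.strip("/").split("/"):
        if _PLACEHOLDER.fullmatch(seg):
            parts.append(r"[^/]+")
        else:
            parts.append(re.escape(seg))
            literals += 1
    return re.compile("^/" + "/".join(parts) + "/?$"), literals


# (method, regex, literal_count, privilege), built once from the table above.
_ROUTES = [(method, *_compile(tmpl), priv)
           for priv, eps in PRIVILEGE_ENDPOINTS.items() for method, tmpl in eps]


def resolve(method, path):
    """Return the sorted privileges covering one request ([] if the page lists none).

    /devices/count matches both the literal route and /devices/{id}; only the
    most specific matches (most literal segments) are kept."""
    path = path.split("?", 1)[0]  # the query string never selects a route
    hits = [(lit, priv) for m, rx, lit, priv in _ROUTES
            if m == method.upper() and rx.match(path)]
    if not hits:
        return []
    best = max(lit for lit, _ in hits)
    return sorted({priv for lit, priv in hits if lit == best})


def minimal_privileges(log_lines):
    """Map observed calls to privileges.

    Returns (required, ambiguous, uncovered): privileges the role definitely
    needs, calls the page lists under more than one privilege (a reviewer must
    pick), and calls this page does not list at all."""
    required, ambiguous, uncovered = set(), {}, []
    for line in log_lines:
        method, path, _status = line.split()
        privs = resolve(method, path)
        key = f"{method} {path.split('?', 1)[0]}"
        if not privs:
            uncovered.append(key)
        elif len(privs) == 1:
            required.add(privs[0])
        else:
            ambiguous[key] = privs
    return sorted(required), ambiguous, uncovered


# Constructed sample access log for an API client under review.
SAMPLE_LOG = [
    "GET /api/identity-graph/v1/devices?limit=50 200",
    "GET /api/identity-graph/v1/devices/count 200",
    "GET /api/identity-graph/v1/devices/3f2a 200",
    "PUT /api/identity-graph/v1/devices/3f2a 200",
    "GET /api/policy/v1/policy-sets 200",
    "GET /api/policy/v1/policy-sets/ps-7/policies 200",
    "DELETE /api/policy/v1/policy-sets/ps-7/policies/pol-12 204",
    "GET /api/topology/v1/virtual-edges 200",
]

if __name__ == "__main__":
    required, ambiguous, uncovered = minimal_privileges(SAMPLE_LOG)
    print("Required privileges:", ", ".join(required))
    for call, privs in ambiguous.items():
        print("Ambiguous:", call, "->", " or ".join(privs))
    for call in uncovered:
        print("Not listed in this table:", call)
```

For a real review, feed the script the API client's access log, start the custom role from the required set, and settle each ambiguous entry by hand against the privilege descriptions above. Calls that resolve to nothing (the Virtual Edges request in the sample) belong to sections not copied into the table and need to be added before the result is trusted.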

RBAC Privileges - Virtual Edges

Virtual Edges settings manage the permissions related to virtual network components. This is essential for ensuring that only authorized users can configure or view the virtual segments of your network, which are crucial for network segmentation and security. These settings are also directly influenced by Site Permissions. Users can only access Virtual Edges and nodes associated with the sites they have permission to view.

View Virtual Edges and Nodes: Grants permission to view Virtual Edges and their Nodes.

  • API Endpoints:
    • GET /api/topology/v1/virtual-edges
    • GET /api/topology/v1/virtual-edge-nodes

Create Virtual Edges and Nodes: Allows users to create new Virtual Edges and Nodes.

  • API Endpoints:
    • POST /api/topology/v1/virtual-edges
    • POST /api/topology/v1/virtual-edge-nodes

Edit Virtual Edges and Nodes: Enables users to modify existing Virtual Edges and Nodes.

  • API Endpoints:
    • PUT /api/topology/v1/virtual-edges/{id}
    • PUT /api/topology/v1/virtual-edge-nodes/{id}

Delete Virtual Edges and Nodes: Permits users to remove Virtual Edges and Nodes.

  • API Endpoints:
    • DELETE /api/topology/v1/virtual-edges/{id}
    • DELETE /api/topology/v1/virtual-edge-nodes/{id}

Global Credentials: Create, modify, and delete Global Credentials. Passwords are never visible regardless of privileges.

  • API Endpoints:
    • GET /api/topology/v1/global-credentials
      Get global credentials
    • POST /api/topology/v1/global-credentials
      Create new global credentials
    • PUT /api/topology/v1/global-credentials/{id}
      Update global credentials
    • DELETE /api/topology/v1/global-credentials/{id}
      Delete global credentials
    • DELETE /api/topology/v1/global-credentials/bulk/delete
      Bulk delete global credentials

RBAC Privileges - Site Labels and Distribution Zones

Site Labels settings manage the permissions related to viewing and managing site labels within the Elisity platform. Site labels are used to categorize and organize various network entities, making it easier to apply and enforce policies.

Privilege: General permissions for managing site labels. (No specific API endpoints)

View Site Labels: Grants permission to view site labels.

Note: This privilege is also required for users with limited Site Permissions to use the Site Labels filter on the Devices page. See the Devices section above for details on this permission dependency.

Create Site Labels: Allows users to create new site labels.

Edit Site Labels: Enables users to modify existing site labels.

Delete Site Labels: Permits users to remove site labels.

Distribution Zones settings manage the permissions related to distribution zones within the Elisity platform. Distribution zones are logical groupings that help in organizing and applying policies efficiently.

View Distribution Zones: Grants permission to view distribution zones.

Create Distribution Zones: Allows users to create new distribution zones.

  • API Endpoints:
    • POST /api/topology/v1/distribution-zones

Edit Distribution Zones: Enables users to modify existing distribution zones.

  • API Endpoints:
    • PUT /api/topology/v1/distribution-zones

Delete Distribution Zones: Permits users to remove distribution zones.

  • API Endpoints:
    • DELETE /api/topology/v1/distribution-zones/{id}

RBAC Privileges - Tools & Utilities

These settings grant access to Tools and Utilities in Cloud Control Center such as Policy Evaluator and Insights (Policy Group Recommendations and Creator).

View Policy Evaluator: Permits users to view the Policy Evaluator tool in Cloud Control Center within the Tools & Utilities menu.

  • API Endpoints:
    • POST /api/policy/v1/evaluator/ip-lookup
      Evaluation endpoint IP lookup
    • POST /api/policy/v1/evaluator/evaluate
      Evaluate policy
    • POST /api/policy/v1/evaluator/evaluate/export
      Evaluate policy and export the result as CSV

Insights: Permits users to view the Insights tools (Policy Group Recommendations and Creator) in Cloud Control Center within the Tools & Utilities menu. (No specific API endpoints)

RBAC Privileges - Analytics / Monitoring

Analytics / Monitoring settings control access to analytical data and event logs. This is important for monitoring network performance, security events, and for auditing purposes to ensure compliance with internal and external regulations.

Show "Analytics" tab in the Menu: Toggles the visibility of the Analytics tab in the main menu.

Show "Monitoring" tab in the Menu: Toggles the visibility of the Monitoring tab in the main menu.

RBAC Privileges - Settings

Settings control various administrative and system-level configurations within the CCC. Proper management of these settings is critical for maintaining system integrity and ensuring that only authorized users can make significant changes.

Admin Settings

Admin settings are only available if the role has Site Permissions set to "All Sites".

View Admin Settings: Allows users to view the administrative settings.

Add Admin Settings: Permits users to add new administrative settings.

Edit Admin Settings: Enables users to modify existing administrative settings.

Delete Admin Settings: Allows users to delete administrative settings.

System Settings

Add/Modify Logo: Allows users to change or add a new logo.

View Email (Support Alerts): Grants permission to view support alert emails.

Add/Modify Email (Support Alerts): Enables users to add or change support alert emails.

View Advanced Options (Advanced): Provides access to view advanced system options.

Suppression List: Allows users to manage the suppression list.

Add/Edit Welcome Message: Permits the addition or modification of welcome messages.

RBAC Privileges - Connectors, Active Directory and Time Based Access

Connectors, Active Directory and Time Based Access settings manage the permissions related to connectors and agents that integrate with external systems, including Active Directory. This section is crucial for setting up integrations and ensuring seamless communication between the Elisity platform and other systems.

Privilege: Master control for connector-related privileges. When enabled, allows configuration of individual connector permissions.

View Connectors and Agents: Grants permission to view connectors and agents.

  • API Endpoints:
    • GET /api/ad-connector-service/v1/connectors

Add Connectors and Agents: Allows users to add new connectors and agents.

  • API Endpoints:
    • POST /api/ad-connector-service/v1/connectors

Edit Connectors and Agents: Enables users to modify existing connectors and agents.

Delete Connectors and Agents: Permits users to remove connectors and agents.

  • API Endpoints:
    • DELETE /api/ad-connector-service/v1/connectors/{nodeId}

View Users: Grants permission to view users associated with connectors and Active Directory.

View Custom Connector Inventory: Grants permission to view device records within Custom Connector instances.

  • UI Access: Users can view the Devices and Attributes table in Custom Connector details pages
  • API Endpoints:
    • GET /api/identity-graph/v1/custom-connector/{connectorId}/devices
    • GET /api/identity-graph/v1/custom-connector/{connectorId}/devices/{id}

Edit Custom Connector Inventory: Allows users to add, modify, and delete device records in Custom Connector instances. This permission is independent of general Device permissions.

  • UI Access: Users can use Add Single Device, Add Multiple Devices (spreadsheet upload), inline editing, and deletion operations
  • API Endpoints:
    • POST /api/identity-graph/v1/custom-connector/{connectorId}/devices (Create single device)
    • PUT /api/identity-graph/v1/custom-connector/{connectorId}/devices/{id} (Update single device)
    • DELETE /api/identity-graph/v1/custom-connector/{connectorId}/devices/{id} (Delete single device)
    • POST /api/identity-graph/v1/custom-connector/{connectorId}/devices/bulk (Bulk upload/merge)
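
Several privileges in this reference only behave as intended in combination: the Devices section notes that a site-restricted role needs View Site Labels as well as View Devices for the Site Labels filter to work, the Policies section notes that Create Policies without Activate Policies yields simulated policies only, the Settings section makes Admin Settings available only to roles with Site Permissions set to "All Sites", and the Connectors section notes that Edit Custom Connector Inventory writes device records independently of the Device privileges. The linter below checks a proposed role against those statements before it is assigned to a user or API client. It is an added example, not part of this article or of the Elisity product; the role dictionary layout, the finding codes and the "write privilege without its View privilege" check are assumptions for illustration, not rules taken from the page.

```python
"""Lint a custom RBAC role against the privilege dependencies stated on this page.

Added example, not Elisity code. The role layout (a dict with 'site_permissions'
and 'privileges') and the finding codes are assumptions for illustration.
"""

ALL_SITES = "All Sites"

ADMIN_SETTINGS = {"View Admin Settings", "Add Admin Settings",
                  "Edit Admin Settings", "Delete Admin Settings"}
DEVICE_WRITES = {"Add Devices", "Edit Devices", "Delete Devices"}

# Heuristic, not a rule from the page: a write privilege is normally paired
# with the matching View privilege so the operator can see what they change.
WRITE_TO_VIEW = {
    "Add Devices": "View Devices",
    "Edit Devices": "View Devices",
    "Delete Devices": "View Devices",
    "Create Policies": "View Policies",
    "Edit Policies": "View Policies",
    "Activate Policies": "View Policies",
    "Delete Policies": "View Policies",
}


def is_site_restricted(role):
    """True when Site Permissions lists specific sites rather than 'All Sites'."""
    return role["site_permissions"] != ALL_SITES


def lint_role(role):
    """Return (severity, code, message) findings; [] means the role passes."""
    privs = set(role["privileges"])
    restricted = is_site_restricted(role)
    findings = []

    # Settings section: Admin Settings require Site Permissions = All Sites.
    if restricted and privs & ADMIN_SETTINGS:
        findings.append(("error", "ADMIN_NEEDS_ALL_SITES",
                         "Admin Settings privileges are only available when "
                         "Site Permissions is 'All Sites'"))

    # Devices section: View Devices alone leaves the Site Labels filter disabled.
    if restricted and "View Devices" in privs and "View Site Labels" not in privs:
        findings.append(("warning", "SITE_LABEL_FILTER_DISABLED",
                         "Devices page will show 'NO SITE LABELS'; also grant "
                         "View Site Labels"))

    # Policies section: without Activate Policies only simulated policies can be created.
    if "Create Policies" in privs and "Activate Policies" not in privs:
        findings.append(("info", "SIMULATED_ONLY",
                         "Role can create simulated policies only"))

    # Connectors section: connector inventory writes bypass the Device privileges.
    if "Edit Custom Connector Inventory" in privs and not privs & DEVICE_WRITES:
        findings.append(("info", "CONNECTOR_INVENTORY_WRITE",
                         "Edit Custom Connector Inventory allows device-record "
                         "writes even though no Device write privilege is granted"))

    # Heuristic pairing check (assumption, see WRITE_TO_VIEW).
    for write, view in WRITE_TO_VIEW.items():
        if write in privs and view not in privs:
            findings.append(("warning", "WRITE_WITHOUT_VIEW",
                             f"{write} granted without {view} (heuristic)"))
    return findings


# Constructed sample roles.
SITE_OPERATOR = {
    "name": "Site Operator (Plant A)",
    "site_permissions": ["Plant A"],
    "privileges": {"View Devices", "Edit Devices", "View Policies",
                   "Create Policies", "View Admin Settings"},
}
SITE_OPERATOR_FIXED = {
    "name": "Site Operator (Plant A, fixed)",
    "site_permissions": ["Plant A"],
    "privileges": {"View Devices", "Edit Devices", "View Site Labels",
                   "View Policies", "Create Policies", "Activate Policies"},
}

if __name__ == "__main__":
    for role in (SITE_OPERATOR, SITE_OPERATOR_FIXED):
        print(role["name"])
        for sev, code, msg in lint_role(role) or [("ok", "-", "no findings")]:
            print(f"  [{sev}] {code}: {msg}")
```

Run against the first sample role, the linter reports the Admin Settings privilege as an error (it cannot take effect on a site-restricted role), the missing View Site Labels as a warning, and the simulated-only policy behaviour as informational; the corrected role produces no findings. The informational results are not necessarily mistakes: a role that is meant to propose but never activate policies should show SIMULATED_ONLY.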

This comprehensive overview of the RBAC settings in the Elisity CCC provides detailed information on how to configure and manage user permissions across various categories. Proper management of these settings ensures that users have the appropriate access levels necessary for their roles, enhancing both security and operational efficiency.