Setting Up Identity and Access Management (IAM) Using Role-Based Access Control (RBAC) in Cloud Control Center

This article is designated as Private KB Access.

 

Introduction

This Knowledge Base article provides a comprehensive guide on setting up Identity and Access Management (IAM) using Role-Based Access Control (RBAC) within Cloud Control Center (CCC). This setup applies to both the CCC UI and access to API endpoints, ensuring secure and efficient management of user permissions.

 

Prerequisites

Before you start, ensure you have administrative access to the Cloud Control Center and any necessary permissions in your external Identity Provider (IDP) if you plan to integrate one.

 

Steps to Set Up IAM Using RBAC


1. Accessing the RBAC Settings

  1. Log into Cloud Control Center (CCC): Use your administrative credentials to log into the CCC.
  2. Navigate to Settings: From the main dashboard, go to the Settings tab.
  3. Open Role Based Access Control Settings: Under the ADMIN section, select Role Based Access Control.

 

2. Configuring Roles and Assigning Permissions

Create Roles:

  • Click on Create Role.
  • Enter a name for the role (e.g., Full Administrator, Site DAL Read Only).
  • Optionally, check Enable All Privileges to grant the role access to every feature and API endpoint in Cloud Control Center. You can start with all privileges and remove the ones the role should not have, or leave the checkbox unselected and add privileges individually. Prefer the second approach for any role other than a full administrator: a role built by subtraction keeps every privilege you forget to remove, while a role built by addition only ever holds what you explicitly granted.
  • Click Create to begin configuring specific privileges.

 

Once you create an RBAC role, clicking the information icon shows details about it: who created or last modified the role and when, and how many users and API clients are currently assigned to it.

Managing RBAC Roles

Clicking on the more options icon (three vertical dots) shows options for managing RBAC roles.

Here's a summary of the available options:

Edit Role Name: Allows you to modify the name of an existing role.

This is useful for updating role names to better reflect the responsibilities or access levels associated with the role without altering its permissions.

Clone Role: Creates a duplicate of an existing role.

This is beneficial for creating a new role with similar permissions to an existing one. The cloned role can then be customized further if needed, saving time compared to creating a new role from scratch.

Delete Role: Permanently removes an existing role from the system.

Use this when a role is no longer needed. Before deleting, check the role's information icon for the number of users and API clients still assigned to it, so that you do not strand people or automation that depend on it. Deleting a role ensures it is no longer available for assignment, keeping the set of roles in the RBAC system organized and relevant.

These options provide flexibility in managing user roles, allowing administrators to update, replicate, and remove roles as needed to align with organizational changes and security policies.

 

Selecting Role-Based Access Control (RBAC) Privileges

RBAC settings in the Elisity Cloud Control Center (CCC) provide a way to manage user permissions and access to various features and resources within the platform. Here’s a detailed look at each category and its settings, explaining their importance and functionality, along with the specific API endpoints affected by each privilege.

Assign Privileges to Roles:

  • Define permissions by selecting the appropriate checkboxes for read, edit, create, and delete actions for each category.
  • Assign specific resources to the role. Resources can include dashboards, user management, policy settings, etc.
  • Each resource can have different scopes (e.g., read-only, full access).

RBAC Privileges - Site Permissions

Site Permissions control access to different sites within your organization's network. Restricting access to specific sites for a role ensures that users can only interact with the sites relevant to their roles, enhancing security and operational efficiency. This restriction applies to any component of the Elisity Platform that utilizes Site Labels, including devices, Local Policy Groups, and Enforcement Infrastructure like Virtual Edges and VENs.

  • Privilege: Grants general permissions for managing site access. (No specific API endpoints)
  • View Sites: Allows users to view site details. By default, all sites are visible unless specific sites are selected.
    • API Endpoints:
      • GET /api/sites

 

RBAC Privileges - Devices

Devices settings manage access to information and controls related to the devices within your network. Properly configuring these permissions ensures that only authorized personnel can view, add, edit, or delete devices, maintaining the integrity and security of your network infrastructure. It's important to note that these settings are directly influenced by Site Permissions. Users can only access devices associated with the sites they have permission to view.

 

View Devices: Grants permission to view details of devices.

  • API Endpoints:
    • GET /api/identity-graph/v1/devices
    • GET /api/identity-graph/v1/devices/{id}
    • GET /api/identity-graph/v1/devices/count
    • GET /api/identity-graph/v1/devices/aggregate

Add Devices: Allows users to add new devices to the network.

  • API Endpoints:
    • POST /api/identity-graph/v1/devices

Edit Devices: Enables users to modify existing device configurations.

  • API Endpoints:
    • PUT /api/identity-graph/v1/devices/{id}
    • PUT /api/identity-graph/v1/devices/bulk

Delete Devices: Permits users to remove devices from the network.

  • API Endpoints:
    • DELETE /api/identity-graph/v1/devices/{id}
    • DELETE /api/identity-graph/v1/devices/bulk

 

RBAC Privileges - Policies and Security Profiles

 

Policies settings allow administrators to control access to policy configurations that define how network traffic is managed and secured. This is crucial for maintaining security protocols and ensuring compliance with organizational policies.

 

View Policies: Grants permission to view policy configurations.

  • API Endpoints:
    • GET /api/policy/v1/policy-sets/{policySetId}/policies

Create Policies: Allows users to create new simulated policies. If Activate Policies is also checked, users can create both simulated and active policies. 

  • API Endpoints:
    • POST /api/policy/v1/policy-sets/{policySetId}/policies

Edit Policies: Enables users to modify existing policies. This includes activating simulated and deactivating active policies. 

  • API Endpoints:
    • PUT /api/policy/v1/policy-sets/{policySetId}/policies/{policyId}

Activate Policies: Determines whether users may activate simulated policies and, by extension, create policies directly in the active state. With this unchecked, users holding Create Policies can only create simulated policies, and users holding Edit Policies can still deactivate active policies but cannot activate simulated ones.

  • API Endpoints:
    • No separate endpoint. Activation is a state change made through the Edit Policies endpoint (PUT /api/policy/v1/policy-sets/{policySetId}/policies/{policyId}) or, for a new policy, the Create Policies endpoint; this privilege controls whether that call may put the policy in the active state.


Delete Policies: Permits users to remove policies.

  • API Endpoints:
    • DELETE /api/policy/v1/policy-sets/{policySetId}/policies/{policyId}
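The following is an added example, not code from this article or from Elisity, showing how two of the rules above combine in a single authorization check: Site Permissions filter which site-labelled objects a role's privileges reach (the Site Permissions and Devices sections), and Activate Policies gates the transition into the active state on top of Create Policies and Edit Policies (this section). The class names, privilege strings, resource model and role contents are assumptions made for the example.

```python
"""Authorization evaluator for two RBAC rules described in the article.

Rule 1 (Site Permissions): a role's selected sites filter which site-labelled
objects (devices, Local Policy Groups, Virtual Edges) its privileges reach; an
empty selection means all sites, as the article states.
Rule 2 (Activate Policies): Create Policies alone yields simulated policies;
putting a policy into the active state also needs Activate Policies, while
deactivating needs only Edit Policies.
The class names, privilege strings and resource model are assumptions made for
this example; they are not the CCC data model or API.
"""
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple

# Resource kinds the article says are filtered by Site Permissions.
SITE_SCOPED = {"device", "local_policy_group", "virtual_edge"}

# (resource kind, action) -> privilege label as it appears in the RBAC settings.
PRIVILEGE_FOR = {
    ("device", "view"): "View Devices",
    ("device", "edit"): "Edit Devices",
    ("device", "delete"): "Delete Devices",
    ("local_policy_group", "view"): "View Local Policy Groups",
    ("virtual_edge", "edit"): "Edit Virtual Edges and Nodes",
    ("policy", "view"): "View Policies",
    ("policy", "create"): "Create Policies",
    ("policy", "edit"): "Edit Policies",
    ("policy", "delete"): "Delete Policies",
}


@dataclass(frozen=True)
class Role:
    name: str
    privileges: FrozenSet[str] = frozenset()
    sites: FrozenSet[str] = frozenset()  # empty = every site (article default)
    all_privileges: bool = False         # the "Enable All Privileges" checkbox

    def has(self, privilege: str) -> bool:
        return self.all_privileges or privilege in self.privileges

    def covers_site(self, site: Optional[str]) -> bool:
        return not self.sites or site in self.sites


@dataclass(frozen=True)
class Resource:
    kind: str
    site: Optional[str] = None   # Site Label on site-scoped objects
    state: Optional[str] = None  # policies only: "simulated" or "active"


def authorize(role: Role, action: str, resource: Resource,
              target_state: Optional[str] = None) -> Tuple[bool, str]:
    """Deny by default and return (allowed, reason) so every denial is explainable."""
    privilege = PRIVILEGE_FOR.get((resource.kind, action))
    if privilege is None:
        return False, f"no privilege maps {action} on {resource.kind}"
    if not role.has(privilege):
        return False, f"missing {privilege}"
    if resource.kind in SITE_SCOPED and not role.covers_site(resource.site):
        return False, f"site {resource.site!r} is outside the role's Site Permissions"
    entering_active = target_state == "active" and resource.state != "active"
    if resource.kind == "policy" and entering_active and not role.has("Activate Policies"):
        # Create or Edit without Activate Policies may only produce simulated policies.
        return False, "Activate Policies is required to make a policy active"
    return True, "ok"


if __name__ == "__main__":
    dal_ro = Role("Site DAL Read Only", frozenset({"View Devices"}), frozenset({"DAL"}))
    author = Role("Policy Author", frozenset({"View Policies", "Create Policies", "Edit Policies"}))
    for role, action, res, target in [
        (dal_ro, "view", Resource("device", site="DAL"), None),
        (dal_ro, "view", Resource("device", site="NYC"), None),
        (author, "create", Resource("policy"), "active"),
        (author, "edit", Resource("policy", state="active"), "simulated"),
    ]:
        print(role.name, action, res.kind, target, "->", authorize(role, action, res, target))
```

Two design points worth copying into any local wrapper around the CCC API: deny when no privilege is mapped to an action, so a new resource kind is never silently allowed, and return the reason together with the decision so that audits can explain denials.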

Security Profiles settings manage the security configurations assigned to different users and devices, ensuring that appropriate security measures are applied consistently across the network.

View Security Profiles: Grants permission to view security profiles.

  • API Endpoints:
    • GET /api/policy/v1/security-profiles/{id}

Create/Duplicate Security Profiles: Allows users to create or duplicate security profiles.

  • API Endpoints:
    • POST /api/policy/v1/security-profiles

Edit Security Profiles: Enables users to modify existing security profiles.

  • API Endpoints:
    • PUT /api/policy/v1/security-profiles/{id}

Delete Security Profiles: Permits users to remove security profiles.

  • API Endpoints:
    • DELETE /api/policy/v1/security-profiles/{id}

 

RBAC Privileges - Policy Groups

Policy Groups settings allow for the management of both local and global policy groups. These settings are essential for organizing and applying security policies across different segments and sites within the network. The settings for Local Policy Groups are directly influenced by Site Permissions, restricting users to only the groups associated with the sites they have access to.

 

View Global Policy Groups: Grants permission to view global policy groups.

  • API Endpoints:
    • GET /api/policy/v2/policy-groups

Create Global Policy Groups: Allows users to create new global policy groups.

  • API Endpoints:
    • POST /api/policy/v2/policy-groups/dynamic
    • POST /api/policy/v2/policy-groups/network

Edit Global Policy Groups: Enables users to modify existing global policy groups.

  • API Endpoints:
    • PUT /api/policy/v2/policy-groups/network/{id}

Delete Global Policy Groups: Permits users to remove global policy groups.

  • API Endpoints:
    • DELETE /api/policy/v2/policy-groups/{id}

View Local Policy Groups: Grants permission to view local policy groups.

Create Local Policy Groups: Allows users to create new local policy groups.

Edit Local Policy Groups: Enables users to modify existing local policy groups.

Delete Local Policy Groups: Permits users to remove local policy groups.

 

RBAC Privileges - Policy Group Labels and Policy Sets

Policy Group Labels settings manage the labels assigned to policy groups. This helps in organizing and categorizing policies effectively, making it easier to manage and apply them across the network.

 

View Policy Group Labels: Grants permission to view policy group labels.

  • API Endpoints:
    • GET /api/policy/v1/policy-group-label

Create Policy Group Labels: Allows users to create new policy group labels.

  • API Endpoints:
    • POST /api/policy/v1/policy-group-label

Edit Policy Group Labels: Enables users to modify existing policy group labels.

  • API Endpoints:
    • PUT /api/policy/v1/policy-group-label/{id}

Delete Policy Group Labels: Permits users to remove policy group labels.

  • API Endpoints:
    • DELETE /api/policy/v1/policy-group-label/{id}

 

Policy Sets settings allow for the grouping of multiple policies into sets, facilitating easier management and application of policies across different segments of the network.

 

View Policy Sets: Grants permission to view policy sets.

  • API Endpoints:
    • GET /api/policy/v1/policy-sets

Create/Duplicate Policy Sets: Allows users to create or duplicate policy sets.

  • API Endpoints:
    • POST /api/policy/v1/policy-sets

Edit Policy Sets: Enables users to modify existing policy sets.

  • API Endpoints:
    • PUT /api/policy/v1/policy-sets/{id}

Delete Policy Sets: Permits users to remove policy sets.

  • API Endpoints:
    • DELETE /api/policy/v1/policy-sets/{id}

 

RBAC Privileges - Virtual Edges

 

Virtual Edges settings manage the permissions related to virtual network components. This is essential for ensuring that only authorized users can configure or view the virtual segments of your network, which are crucial for network segmentation and security. These settings are also directly influenced by Site Permissions. Users can only access Virtual Edges and nodes associated with the sites they have permission to view.

 

View Virtual Edges and Nodes: Grants permission to view Virtual Edges and their Nodes.

  • API Endpoints:
    • GET /api/topology/v1/virtual-edges
    • GET /api/topology/v1/virtual-edge-nodes

Create Virtual Edges and Nodes: Allows users to create new Virtual Edges and Nodes.

  • API Endpoints:
    • POST /api/topology/v1/virtual-edges
    • POST /api/topology/v1/virtual-edge-nodes

Edit Virtual Edges and Nodes: Enables users to modify existing Virtual Edges and Nodes.

  • API Endpoints:
    • PUT /api/topology/v1/virtual-edges/{id}
    • PUT /api/topology/v1/virtual-edge-nodes/{id}

Delete Virtual Edges and Nodes: Permits users to remove Virtual Edges and Nodes.

  • API Endpoints:
    • DELETE /api/topology/v1/virtual-edges/{id}
    • DELETE /api/topology/v1/virtual-edge-nodes/{id}

Global Credentials: Create, modify, and delete Global Credentials. Passwords are never visible regardless of privileges.

  • API Endpoints:
    • GET /api/topology/v1/global-credentials
      List global credentials.
    • POST /api/topology/v1/global-credentials
      Create a new global credential.
    • PUT /api/topology/v1/global-credentials/{id}
      Update a global credential.
    • DELETE /api/topology/v1/global-credentials/{id}
      Delete a global credential.
    • DELETE /api/topology/v1/global-credentials/bulk/delete
      Bulk delete credentials.

RBAC Privileges - Site Labels and Distribution Zones

Site Labels settings manage the permissions related to viewing and managing site labels within the Elisity platform. Site labels are used to categorize and organize various network entities, making it easier to apply and enforce policies.

Privilege: General permissions for managing site labels. (No specific API endpoints)

View Site Labels: Grants permission to view site labels.

Create Site Labels: Allows users to create new site labels

Edit Site Labels: Enables users to modify existing site labels.

Delete Site Labels: Permits users to remove site labels.

 

Distribution Zones settings manage the permissions related to distribution zones within the Elisity platform. Distribution zones are logical groupings that help in organizing and applying policies efficiently.

 

View Distribution Zones: Grants permission to view distribution zones.

Create Distribution Zones: Allows users to create new distribution zones.

  • API Endpoints:
    • POST /api/topology/v1/distribution-zones

Edit Distribution Zones: Enables users to modify existing distribution zones.

  • API Endpoints:
    • PUT /api/topology/v1/distribution-zones

Delete Distribution Zones: Permits users to remove distribution zones.

  • API Endpoints:
    • DELETE /api/topology/v1/distribution-zones/{id}

 

RBAC Privileges - Analytics / Events

Analytics / Events settings control access to analytical data and event logs. This is important for monitoring network performance, security events, and for auditing purposes to ensure compliance with internal and external regulations.

 

Show "Analytics" tab in the Menu: Toggles the visibility of the Analytics tab in the main menu.

Show "Logs and Events" tab in the Menu: Toggles the visibility of the Logs and Events tab in the main menu.

 

RBAC Privileges - Settings

Settings control various administrative and system-level configurations within the CCC. Proper management of these settings is critical for maintaining system integrity and ensuring that only authorized users can make significant changes.

 

Admin Settings

 

View Admin Settings: Allows users to view the administrative settings.

Add Admin Settings: Permits users to add new administrative settings.

Edit Admin Settings: Enables users to modify existing administrative settings.

Delete Admin Settings: Allows users to delete administrative settings.

 

System Settings

 

Add/Modify Logo: Allows users to change or add a new logo.

View Email (Support Alerts): Grants permission to view support alert emails.

Add/Modify Email (Support Alerts): Enables users to add or change support alert emails.

View Advanced Options (Advanced): Provides access to view advanced system options.

Suppression List: Allows users to manage the suppression list.

Add/Edit Welcome Message: Permits the addition or modification of welcome messages.

 

RBAC Privileges - Connectors and Active Directory

Connectors and Active Directory settings manage the permissions related to connectors and agents that integrate with external systems, including Active Directory. This section is crucial for setting up integrations and ensuring seamless communication between the Elisity platform and other systems.

 

View Connectors and Agents: Grants permission to view connectors and agents.

  • API Endpoints:
    • GET /api/ad-connector-service/v1/connectors

Add Connectors and Agents: Allows users to add new connectors and agents.

  • API Endpoints:
    • POST /api/ad-connector-service/v1/connectors

Edit Connectors and Agents: Enables users to modify existing connectors and agents.

 

Delete Connectors and Agents: Permits users to remove connectors and agents.

  • API Endpoints:
    • DELETE /api/ad-connector-service/v1/connectors/{nodeId}

View Users: Grants permission to view users associated with connectors and Active Directory.

 

This comprehensive overview of the RBAC settings in the Elisity CCC provides detailed information on how to configure and manage user permissions across various categories. Proper management of these settings ensures that users have the appropriate access levels necessary for their roles, enhancing both security and operational efficiency.

 

3. Mapping Roles to Users

Add Users:

  • Go to the Users section in Settings.
  • Click on Add User and enter the user’s details (name, email, etc.).
  • Assign roles to the user by selecting from the list of predefined roles.
  • If you are using an external IDP, map the user’s groups in the IDP to the roles in CCC.

Map External IDP Roles:

  • If you are integrating with an external IDP (e.g., Google, Microsoft, GitHub), configure the IDP settings to map its groups to CCC roles.
  • Navigate to Identity Providers in IAM settings.
  • Add a new provider or edit an existing one.
  • Use the Role Mapping section to map IDP groups to CCC roles.

 

4. Setting Up API Access

Step 1 - Generate API Client Credentials:

  • For API access, navigate to the API Clients section under User Management.
  • Click on Add API Client.
  • Fill in the client details:
    • Select a role for the API client to inherit permissions.
    • Set the access duration or choose Set Unlimited Access. Prefer a bounded duration that matches the lifetime of the automation using the client; an unlimited credential that leaks remains usable indefinitely.
    • Provide a description for the API client.
  • Click on Generate Credentials.

 

Step 2 - View and Copy Client Credentials:

  • Once the credentials are generated, you will see a dialog with the Client ID and Client Secret.
  • Copy the Client Secret and store it in a safe place, as you will not be able to retrieve it again.

 

Step 3 - Use API Client Credentials:

  • Exchange the Client ID and Client Secret for a token before calling an API endpoint; the API client receives the privileges of the role selected for it.
  • Include the token in your API requests to authenticate and authorize access. Keep the Client Secret out of source code and logs; only the token should travel with requests.

 

Best Practices

Least Privilege Principle

  • Assign the minimum required permissions to roles to reduce security risks.
  • Importance: Minimizes potential damage from compromised accounts or insider threats.

Regular Audits

  • Conduct regular audits of roles and permissions to ensure they align with current organizational needs.
  • Importance: Keeps the system secure by identifying and rectifying unnecessary permissions.

Update Policies

  • Keep your IAM policies updated as your organization evolves or as new security threats emerge.
  • Importance: Ensures that your security measures stay effective against the latest threats.
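The following is an added example, not code from this article or from Elisity, for the audit and least-privilege practices above. It maps an API client's observed calls back to the privileges that gate them, using a subset of the endpoint-to-privilege table listed earlier in this article, and reports which granted privileges the client never used and which calls a narrowed role would deny. The access-log format, client IDs, role contents and log lines are constructed for the example.

```python
"""Least-privilege review of an API client's role against its observed API calls.

The endpoint-to-privilege table is a subset of the mappings listed in the
article; the access-log format, client IDs, role contents and log lines are
constructed for the example and are not a CCC export format.
"""
import re
from typing import Dict, Iterable, List, Optional, Set, Tuple

# (method, path template, privilege) copied from the article's privilege lists.
ENDPOINT_PRIVILEGE = [
    ("GET",    "/api/sites",                                        "View Sites"),
    ("GET",    "/api/identity-graph/v1/devices",                    "View Devices"),
    ("GET",    "/api/identity-graph/v1/devices/{id}",               "View Devices"),
    ("GET",    "/api/identity-graph/v1/devices/count",              "View Devices"),
    ("POST",   "/api/identity-graph/v1/devices",                    "Add Devices"),
    ("PUT",    "/api/identity-graph/v1/devices/{id}",               "Edit Devices"),
    ("DELETE", "/api/identity-graph/v1/devices/{id}",               "Delete Devices"),
    ("GET",    "/api/policy/v1/policy-sets",                        "View Policy Sets"),
    ("GET",    "/api/policy/v1/policy-sets/{policySetId}/policies", "View Policies"),
    ("POST",   "/api/policy/v1/policy-sets/{policySetId}/policies", "Create Policies"),
    ("GET",    "/api/topology/v1/global-credentials",               "Global Credentials"),
    ("GET",    "/api/ad-connector-service/v1/connectors",           "View Connectors and Agents"),
]


def _compile(template: str) -> "re.Pattern[str]":
    # {id}-style placeholders match exactly one path segment; literals are escaped.
    segments = ["[^/]+" if s.startswith("{") and s.endswith("}") else re.escape(s)
                for s in template.split("/")]
    return re.compile("^" + "/".join(segments) + "$")


_ROUTES = [(method, _compile(tpl), priv) for method, tpl, priv in ENDPOINT_PRIVILEGE]

# Assumed log line layout: <timestamp> <client id> <method> <path> <http status>
_LOG_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$")


def privilege_for(method: str, path: str) -> Optional[str]:
    """Map a request to the privilege that gates it, ignoring any query string."""
    path = path.split("?", 1)[0]
    for route_method, pattern, privilege in _ROUTES:
        if route_method == method and pattern.match(path):
            return privilege
    return None


def audit(role_privileges: Iterable[str], log_lines: Iterable[str],
          client_id: str) -> Dict[str, list]:
    """Compare a role's privileges with what one API client actually used.

    Only successful (2xx) calls count as usage; failed calls and calls outside
    the table are reported separately rather than silently dropped.
    """
    used: Set[str] = set()
    unmapped: List[Tuple[str, str]] = []
    failed: List[Tuple[str, str, str]] = []
    for line in log_lines:
        m = _LOG_LINE.match(line)
        if not m or m["client"] != client_id:
            continue
        if not m["status"].startswith("2"):
            failed.append((m["method"], m["path"], m["status"]))
            continue
        privilege = privilege_for(m["method"], m["path"])
        if privilege is None:
            unmapped.append((m["method"], m["path"]))
        else:
            used.add(privilege)
    granted = set(role_privileges)
    return {
        "required": sorted(used),           # what the client actually needs
        "missing": sorted(used - granted),  # calls this role would deny
        "unused": sorted(granted - used),   # candidates to remove from the role
        "unmapped": unmapped,
        "failed": failed,
    }


# Constructed sample: calls made by an inventory-sync automation.
SAMPLE_LOG = [
    "2024-05-01T10:00:00Z api-client-7f3a GET /api/identity-graph/v1/devices?limit=100 200",
    "2024-05-01T10:00:01Z api-client-7f3a GET /api/identity-graph/v1/devices/0d2c 200",
    "2024-05-01T10:00:02Z api-client-7f3a PUT /api/identity-graph/v1/devices/0d2c 200",
    "2024-05-01T10:00:03Z api-client-7f3a GET /api/sites 200",
    "2024-05-01T10:00:04Z api-client-7f3a GET /api/ad-connector-service/v1/connectors 200",
    "2024-05-01T10:00:05Z api-client-7f3a GET /api/policy/v1/security-profiles/sp-1 200",
    "2024-05-01T10:00:06Z api-client-7f3a DELETE /api/policy/v1/policy-sets/ps-1/policies/p-9 403",
    "2024-05-01T10:00:07Z api-client-9b10 DELETE /api/identity-graph/v1/devices/0d2c 200",
]

# Constructed: the role the client was given when it was created.
INVENTORY_SYNC_ROLE = {
    "View Sites", "View Devices", "Edit Devices", "Delete Devices",
    "Create Policies", "Global Credentials", "View Connectors and Agents",
}


def review_inventory_sync() -> Dict[str, list]:
    return audit(INVENTORY_SYNC_ROLE, SAMPLE_LOG, "api-client-7f3a")


if __name__ == "__main__":
    for key, value in review_inventory_sync().items():
        print(f"{key}: {value}")
```

Run the review before narrowing a role, then run it again with the proposed privilege set: anything in "missing" is a call the automation makes today that the narrowed role would break, and anything in "unmapped" is a call the table does not yet cover and must be added before the result is trusted.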

Conclusion

By following this guide, you can set up a robust IAM system using RBAC within the Cloud Control Center. This ensures that users have appropriate access levels, enhancing both security and operational efficiency. For detailed configuration and additional settings, refer to the CCC documentation or reach out to your administrator.
