Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?


Task 6: Assign and control resources and policies using role and resource based access for users



In this task, you will see how Contrail enables user based access to the resources in the cloud. Contrail has the ability to create, update, and delete objects or resources in the cloud environment based on the permissions assigned to a user. This improves security of your cloud resources and prevents unauthorized access.

Disclaimer: The steps in this task are only applicable to Juniper’s Cloud Software Trial tool.

Some values and/or information may vary for users executing this task using a non-Juniper trial tool.


Step-by-Step Procedure

  1. Login to the OpenStack dashboard

    Open a new tab in the browser and point it to

    Use the below credentials to login.

    Username: admin

    Password: contrail123.

  2. Navigate to Identity > Users using the left navigation panel.

    Click on (+) icon to create a new user

    Provide a User Name, Password, choose the Primary Project as “admin” & Role as “_member_”

    Click on “Create User”

    This creates a user called “test-user” with a user-defined password in “admin” project and “_member_” role

  3. Now, open the Contrail web interface in the browser by navigating to

    Then, login to the Contrail dashboard using the below credentials.

    Username: admin

    Password: contrail123

    Domain: (leave blank)

  4. Navigate to Configure > Infrastructure > RBAC > Project in the left navigation panel.

    Then, click on (+) icon to create a new API access

  5. Create a new RBAC rule to provide READ ONLY access to “test-user” with “_member_” role in “admin” project

    Verify, the rule was successfully created

  6. Now logout & log back in as “test-user”. You must be able to see all Contrail objects like Virtual networks, ports, etc. but you will not be able to Create/Delete/Update Contrail resources

    You can login as “admin” user & modify the existing RBAC API access rule to provide “test-user” Create/Delete/Update permissions.