Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

Navigation
Guide That Contains This Content
[+] Expand All
[-] Collapse All

    Role-Based Access Control Overview

    Junos Space Network Management Platform grants access and management privileges only to those users validated by its authentication process and given permissions by its authorization process.

    A Junos Space Super Administrator or User Administrator creates users and then assigns them one or more roles so that they are able to access and manage tasks and objects within workspaces in Junos Space Platform. The roles determine which workspace or workspaces a user can access and which tasks the user can perform within the workspace or workspaces.

    As a Junos Space Super Administrator or User Administrator, you can also create and assign API Access Profiles to restrict users from executing remote procedure call (RPC) commands that are potentially unsafe for or harmful to your network. Rules are added to an API Access Profile as XPath expressions that determine whether or not an RPC command is safe to be executed.

    User Authentication

    Through authentication, Junos Space Network Management Platform validates users on the basis of passwords or certificates. Junos Space Network Management Platform supports both local and remote user authentication. When a user tries to access Junos Space Network Management Platform, the user can be authenticated locally by confirming that the password entered by the user at login matches the password stored in the Junos Space Platform database or remotely through a RADIUS or TACACS+ server. For information about configuring RADIUS and TACACS+ servers for remote authentication and authorization, see Configuring a RADIUS Server for Authentication and Authorization and Configuring a TACACS+ Server for Authentication and Authorization.

    Junos Space Network Management Platform also supports certificate-based user authentication and X.509 certificate parameter–based user authentication. Instead of authenticating a user on the basis of the user’s credentials, you can authenticate a user on the basis of the user’s certificate, which is considered more secure. For more information about certificate-based authentication or certificate parameter–based authentication, see Certificate Management Overview.

    RBAC Enforcement

    With role-based access control (RBAC) enforcement, a Junos Space Super Administrator or User Administrator defines the workspaces that users can access, the system resources that users can view and manage, and the tasks available to users within a workspace. RBAC is enforced in the Junos Space user interface navigation hierarchy by workspace, task group, and task. A user can access only those portions of the navigation hierarchy that are explicitly granted through access privileges. The following sections describe RBAC enforcement behavior at each level of the user interface navigation hierarchy.

    RBAC Enforcement by Workspace

    The Junos Space user interface provides a task-oriented environment in which a collection of related tasks is organized by workspace. For example, the Users workspace defines the group of tasks related to managing users and roles. These tasks include creating, modifying, and deleting users, and assigning roles. Enforcement by workspace ensures that a user can view only those workspaces that contain the tasks that the user has permissions to execute. For example, a user who is assigned the device manager role, which grants access privileges to all tasks in the Devices workspace, can access only the Devices workspace. No other workspaces are visible to this user unless other roles are assigned to this user. If a user is assigned a role that grants access privileges to some tasks in a workspace, the user can view all the tasks in the workspace, but execute only the tasks for which permissions have been granted.

    RBAC Enforcement Not Supported on the Getting Started Page

    RBAC enforcement is not enabled for the contents of the Getting Started page. Consequently, a user who does not have certain access privileges can still view the steps displayed on the Getting Started page. For example, a user without privileges to manage devices still sees the Discover Devices step. However, when the user clicks the step, Junos Space Network Management Platform displays an error message to indicate that the user does not have the permission to access the workspace or tasks to which the step is linked.

    Modified: 2017-06-01