Configuring Role-Based Access Control

  1. In the Web UI, go to Configuration > Users and Groups.
  2. Click Manage Authentication Settings.
  3. Enter all information relating to your RADIUS or LDAP server as follows:

    RADIUS

    • RADIUS Enabled–True or False
    • RADIUS Server–Enter the FQDN, hostname, or IP address of the RADIUS server.
    • RADIUS Secret–Enter the RADIUS shared secret.
    • RADIUS Timeout–Enter the timeout, in seconds, for RADIUS operations.

    LDAP

    • LDAP Enabled–True or False
    • LDAP Server–Enter the FQDN, hostname, or IP address of the LDAP server.
    • LDAP Base DN–Enter the base Distinguished Name (DN) of the highest-level subtree in which you want to support LDAP.
    • LDAP TLS Enabled–True or False. Whether to use Transport Layer Security (TLS) for LDAP connections.
    • LDAP TLS CA Certificate–Enter the CA certificate used to authenticate the certificate presented by the LDAP server.
    • Use LDAP for Authentication–True or False. Whether to use LDAP for authentication or only for user information.
    • LDAP Bind DN–Enter the bind distinguished name (DN) for connecting to the LDAP server.
    • LDAP Bind Password–Enter the password to be used when binding to the LDAP server.
  4. Click Save. You should now see the corresponding service as Enabled under the Authentication section of Users and Groups.
  5. The next step is to configure roles for various users. By default, the user mykonos is enabled and given the role Super Administrator. To add additional users, click the Add User link.
  6. You are prompted to enter a Username and given a choice of which groups you want the user to inherit. A complete description of all roles is available by clicking View Role Descriptions beneath the Roles drop-down list. A simpler table of roles and their corresponding permissions can be found in Appendix D, RBAC Groups and Roles.

    Figure 40: Users and Groups, Add User

    Figure 41: Assigned Roles
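A pre-save sanity check for the RADIUS and LDAP fields entered in steps 1 to 4, as an added example that is not part of WebApp Secure: it models the form as a dict and flags combinations that would fail at runtime or send credentials in clear text. The dict keys, the sample values and the 16-character shared-secret policy are assumptions.

```python
"""Pre-save sanity check for the RADIUS/LDAP fields described above.
Added example, not WebApp Secure code: the dict keys mirror the form's
field labels and are assumptions, as is the 16-character secret policy."""
import ipaddress
import re
import ssl

# Hostname or FQDN: dot-separated labels that neither start nor end with '-'
HOST_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$")

def valid_server(value):
    """The form accepts an FQDN, hostname, or IP address."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return bool(HOST_RE.match(value))

def valid_pem_cert(pem):
    """Reject an empty or malformed CA certificate field; only the PEM
    framing and base64 body are checked here, not the ASN.1 inside."""
    try:
        return len(ssl.PEM_cert_to_DER_cert(pem)) > 0
    except ValueError:
        return False

def check_auth_settings(cfg):
    """Return a list of findings; an empty list means the settings are safe to save."""
    f = []
    if cfg.get("radius_enabled"):
        if not valid_server(cfg.get("radius_server", "")):
            f.append("RADIUS Server is not a valid FQDN, hostname or IP address")
        if len(cfg.get("radius_secret", "")) < 16:  # assumed local policy
            f.append("RADIUS Secret missing or shorter than 16 characters")
        if not isinstance(cfg.get("radius_timeout"), int) or cfg["radius_timeout"] <= 0:
            f.append("RADIUS Timeout must be a positive number of seconds")
    if cfg.get("ldap_enabled"):
        if not valid_server(cfg.get("ldap_server", "")):
            f.append("LDAP Server is not a valid FQDN, hostname or IP address")
        if not cfg.get("ldap_base_dn"):
            f.append("LDAP Base DN is empty")
        if cfg.get("ldap_tls_enabled"):
            if not valid_pem_cert(cfg.get("ldap_tls_ca_cert", "")):
                f.append("LDAP TLS enabled but CA certificate is missing or not PEM")
        elif cfg.get("ldap_for_authentication") or cfg.get("ldap_bind_password"):
            f.append("TLS disabled: user passwords and/or the bind password cross the network in clear text")
        if bool(cfg.get("ldap_bind_dn")) != bool(cfg.get("ldap_bind_password")):
            f.append("LDAP Bind DN and LDAP Bind Password must be set together")
    return f
```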

Note: Because WebApp Secure doesn't actually create users on the appliance itself but merely maps the username to the given permissions, the only way to effectively remove the user is to strip them from all roles. After removing roles and saving, the entry in the Authorization table is removed.

Note: WebApp Secure doesn't allow the last RBAC Administrator role to be deleted. It is possible to remove your own permissions, though, essentially locking you out of the system. Similarly, re-initializing the configuration settings will wipe out all user-role mappings, and the mykonos user will be the only one able to assign roles.

Note: Any violations of access control (a user trying to access some part of the system they aren't configured to access) will be logged to the audit log.
