User/Role Management (Platform)

User Profile Management

User profiles include the following details and options:

  • Username
  • First Name (optional)
  • Last Name (optional)
  • Email (optional)
  • Password
  • Roles
Note:

Creating a user in the Apstra GUI does not provide that user access to the Apstra platform via SSH. To access the Apstra platform via SSH, you must create a local Linux system user.

From the left navigation menu in the Apstra GUI, navigate to Platform > User Management > Users to go to user profiles.

User Role Management

Users with the administrator role can create, clone, edit and delete user roles (which are assigned to user profiles). These roles can also be mapped to external groups used by authentication providers such as LDAP, Active Directory, TACACS+, and RADIUS.

With Enhanced Role Based Access Control, you can create blueprint-specific roles with very specific privileges allowing limited control to associated users. This allows you to create more hierarchical roles and protect against accidental changes to the network.

For example, a user assigned the role Manage generic systems can add generic systems, copy existing generics, add links to generic systems, add links to leaf devices, and update node tags. A user assigned the role Manage racks and links can perform all those operations and can also change rack speeds and delete links. A user with the Manage racks and links role essentially has permissions for all FE/FFE operations. If you want to restrict a user to physical server operations only, assign them the Manage generic systems role, and not the Manage racks and links role.

The blueprint locking feature prevents restricted users (based on their roles) from making changes that they are effectively not permitted to make. In particular, a restricted user should not be able to commit changes made by another user.

If a blueprint has no changes to commit, it is unlocked.

If you have permission (based on your assigned roles) to create/update/delete virtual networks, for example, and another user has made uncommitted changes to the blueprint, the blueprint is locked. Unless you are the locking user, you can't create/update/delete virtual networks until the locking user who made the uncommitted changes commits or reverts them.

If you have permission (based on your assigned roles) to see the name of the user who created the pending changes, the name is displayed.

An admin user who has "Write/Commit Blueprints" permissions can make any changes to, apply changes for, and revert changes for any blueprint.
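
The locking rules above, modeled as an added Python example (not Apstra code or its API). The User and Blueprint classes and all function names are hypothetical; the model assumes the first staged change takes the lock and that an admin's change to an already locked blueprint leaves the lock with its owner.

```python
from dataclasses import dataclass
from typing import Optional

# Permission labels come from this page; everything else is a hypothetical model.
COMMIT = "Commit changes"
READ_LOCKER = "Read information about user who locked blueprint"
MANAGE_VNS = "Datacenter-specific: Manage virtual networks"
ADMIN_WRITE_COMMIT = "Write/Commit Blueprints"  # global admin permissions

@dataclass(frozen=True)
class User:
    name: str
    permissions: frozenset

@dataclass
class Blueprint:
    locked_by: Optional[str] = None  # None: nothing to commit, so unlocked

def can_stage(user: User, bp: Blueprint, needed: str) -> bool:
    """True if user may stage a change that requires permission `needed`."""
    if ADMIN_WRITE_COMMIT in user.permissions:
        return True  # admin may change any blueprint
    if needed not in user.permissions:
        return False
    return bp.locked_by in (None, user.name)  # unlocked, or the user's own lock

def stage(user: User, bp: Blueprint, needed: str) -> bool:
    """Stage a change; the first uncommitted change takes the lock (assumption)."""
    if not can_stage(user, bp, needed):
        return False
    bp.locked_by = bp.locked_by or user.name
    return True

def can_commit(user: User, bp: Blueprint) -> bool:
    """A restricted user may commit only changes they staged themselves."""
    allowed = ADMIN_WRITE_COMMIT in user.permissions or (
        COMMIT in user.permissions and bp.locked_by == user.name)
    return bp.locked_by is not None and allowed

def commit(user: User, bp: Blueprint) -> bool:
    """Committing clears the pending changes, which unlocks the blueprint."""
    if not can_commit(user, bp):
        return False
    bp.locked_by = None
    return True

def visible_locker(user: User, bp: Blueprint) -> Optional[str]:
    """Name of the locking user, shown only to users with that permission."""
    return bp.locked_by if READ_LOCKER in user.permissions else None
```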

User roles include the following details and options:

Parameter | Description
Name | role name
Type | global permission or per-blueprint permissions
Global Permissions | (read, write, commit, delete, as applicable) blueprints, connectivity templates, agents, chassis profiles, device profiles, devices, linecard profiles, telemetry service registry, ztp, config templates, configlets, interface maps, logical devices, port aliases, property sets, rack types, tags, templates, ASN pools, Integer pools (new in Apstra version 4.1.2), IP pools, IPv6 pools, VNI pools, audit config, audit events, roles, security config, users, AAA providers, virtual infra manager, exempt Juniper Apstra cluster management read-only mode, Juniper Apstra cluster management, Juniper Apstra metric logs, streaming, SysDB data, port setting schema

Per-Blueprint Permissions
  • Scope
    • All blueprints
    • Selected blueprints
  • Permissions
    • Read blueprint
    • Make any changes to staging blueprint (includes managing VNs and their endpoints)
    • Commit changes
    • Read information about user who locked blueprint
    • Datacenter-specific: Manage racks and links
    • Datacenter-specific: Manage generic systems
    • Datacenter-specific: Manage virtual networks (includes managing VN endpoints)
    • Datacenter-specific: Manage virtual network endpoints
    • Freeform-specific: Manage property sets (new in Apstra version 4.1.2)
    • Freeform-specific: Manage resources (new in Apstra version 4.1.2)

From the left navigation menu, navigate to Platform > User Management > Roles to go to user roles. You can create, clone, edit, and delete user roles, except for the four predefined user roles (administrator, device_ztp, user, viewer) which can't be modified.