Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
ON THIS PAGE
 

User / Role Management Introduction

Overview

You need a user (profile) to work in the Apstra GUI environment. The areas in the environment that you can access and/or change are determined by the roles assigned to you as a user. Apstra ships with one predefined user called admin that's assigned the administrator role. The administrator role is one of the five predefined roles as shown in the table below:

Table 1: Predefined User Roles

Role

Permissions

administrator

Includes all permissions.

device_ztp

Includes one permission, to edit ZTP. For setting up Apstra ZTP server, We recommend creating a dedicated user and assigning only this role.

License_reader

Includes one permission, to read Juniper Apstra Licenses.

user

Includes permission to view and edit various elements including permission to create users.

viewer

Includes permission to only view various elements.

You can't modify predefined roles, but if you have Write/Read Roles permission you can create custom roles. The admin user has this permission; you can also create a user and assign it with the Write/Read Roles permission.

You can't modify the predefined admin user, but if you have Read/Write Users permission you can create custom users. The admin and user users have this permission; you can also create a user and assign it with the Read/Write Users permission

Each role applies to one of three different permission types, as shown in the table below.

Table 2: User Role Permission Types

Permission Type

Permissions

Global

Pertains to Apstra details other than blueprint details. They include general blueprint read, write, commit and delete permissions as well as permissions for platform, external systems, resources, design, devices, and more.

Granular

Includes blueprint-related permissions for all blueprints or for selected blueprints.

Tenant

Includes permissions based on routing zones.

For more details about the permissions included in each type, see the sections below.

Global Permissions

Blueprints

Includes permissions for the following:

  • Allow overriding other users staged changes and unlocking the blueprint (write only)

  • Blueprints (read, write, commit, delete)

  • Connectivity Templates (read only)

  • Show information about user who locked blueprint (read only)

Devices

Includes permissions for the following:

  • Agents (read, write)

  • Chassis Profiles (read, write)

  • Device Profiles (read, write)

  • Devices (read, write)

  • Linecard Profiles (read, write)

  • ZTP (read, write)

Design

Includes permissions for the following:

  • Config Templates (read, write)

  • Configlets (read, write)

  • Interface Maps (read, write)

  • Logical Devices (read, write)

  • Port Aliases (read, write)

  • Property Sets (read, write)

  • Rack Types (read, write)

  • Tags (read, write)

  • Templates (read, write)

Resources

Includes permissions for the following:

  • ASN Pools (read, write)

  • Integer Pools (read, write)

  • IP Pools (read, write)

  • IPv6 Pools (read, write)

  • VNI Pools (read, write)

AAA

Includes permissions for the following:

  • Audit Config (read, write)

  • Audit Events (read only)

  • Roles (read, write)

  • Security Config (read, write)

  • Users (read, write)

Analytics

Includes permissions for the following:

  • Flow Data Collectors (read, write)

  • Juniper Apstra Query Based Analytics (read only)

  • Telemetry Service Registry (read, write)

External Systems

Includes permissions for the following:

  • AAA Providers (read, write)

  • Virtual Infra Manager (read, write)

Platform

Includes permissions for the following:

  • Exempt Juniper Apstra Cluster Management read-only mode (write only)

  • Juniper Apstra Cluster Management (read, write)

  • Juniper Apstra Licenses (read, write)

  • Juniper Apstra Metric Logs (read only)

  • Streaming (read, write)

  • Sysdb Data (read, write)

Other

Includes permissions for the following:

  • Connector Types (read only)

  • Graph Queries (read, write)

  • Juniper Apstra Software Support Reference Number (read, write)

  • Login Message (write only) (New in Apstra version 5.1.0)

  • Port Setting Schema (read only)

  • Product Usage (read, write)

  • Telemetry RPC Schema Registry (read only)

  • Tenants (read only)

Granular Permissions

You can apply granular permissions to all blueprints or to selected blueprints.

Common Permissions

Includes permissions for the following:

  • Read blueprint

  • Make any change to staging blueprint

  • Allow overriding other users staged changes and unlocking the blueprint

  • Commit changes

  • Show information about user who locked blueprint

Datacenter-specific Permissions

Includes permissions for the following:

  • Manage tenants

  • Manage racks and links (permission to create/delete to-generic racks, bring interface up/down, and more)

  • Manage resource groups

  • Manage routing zones

  • Manage generic systems (controls various generic-related FFE operations like adding/removing to-generic links, changing port-channels to generic, creating/deleting external generics, changing generic type, bringing interfaces up/down, and more)

  • Manage virtual networks (includes managing VN endpoints)

  • Manage virtual network endpoints

Freeform-specific Permissions

Includes permissions for the following:

  • Manage property sets

  • Manage resources

Tenant Permissions

You can apply tenants permissions to tenants.

Tenant-specific Permissions

Includes permissions for the following:

  • Manage resource groups

  • Manage routing zones

  • Manage virtual networks

  • Manage virtual network endpoints

Related Documentation