Platform RBAC

With Enhanced Role Based Access Control (RBAC), you can create hierarchical roles and protect against accidental changes to the network.

External Groups

You can map roles to external groups used by authentication providers such as LDAP, Active Directory, TACACS+, and RADIUS.

With Enhanced Role Based Access Control (RBAC), you can also create hierarchical roles and protect against accidental changes to the network.

For example, a user assigned the role Manage generic systems can add generic systems, copy existing generic systems, add links to generic systems, add links to leaf devices, and update node tags. A user assigned the role Manage racks and links can perform all of those operations and can also change rack speeds and delete links; this role effectively grants permission for all FE/FFE operations. If you want to restrict a user to physical server operations only, assign them the Manage generic systems role, not the Manage racks and links role.

See below for additional use cases and details about the blueprint locking feature.

Use Cases

These use cases are meant to give you an idea of how to work with roles and users to restrict and/or grant specific permissions. Specific steps for creating roles and users are described in earlier sections.

Read and Write All Resources

To allow a user to read and write all resources, create a Global Permissions role with Read and Write permissions for each of the Resources listed. Assign the role to the user.

Tip: Toggle on Read and Write in the Resources row to toggle on all resources automatically.

Read, Write and Commit Blueprints

To allow a user to read, write and commit blueprint(s), create a Granular Permissions role with the following Common Permissions:

  • Read blueprint

  • Make any change to staging blueprint

    • (Manage virtual networks, under Datacenter-specific Permissions, is included in this permission whether or not it is toggled on.)

    • (Manage virtual network endpoints, under Datacenter-specific Permissions, is likewise included whether or not it is toggled on.)

  • Commit changes

Assign the role to the user.

Manage VN Endpoints on Blueprints

To allow a user to only manage virtual network endpoints on blueprint(s), create a Granular Permissions role with Read blueprint Common Permissions and Manage virtual network endpoints Datacenter-specific Permissions. Assign the role to the user.

Create Virtual Networks only (not Including Allocating Resources) on Blueprints

To allow a user to only create virtual networks and read blueprint details, create a Granular Permissions role with Read blueprint and Commit changes Common Permissions; and Manage virtual networks and Manage virtual network endpoints Datacenter-specific Permissions. By not selecting Make any change to staging blueprint you are limiting the changes that can be made to virtual networks only. Assign the role to the user.


Create Virtual Networks and Allocate Resources on Blueprints

To allow a user to create virtual networks and allocate resources to them, you can create a single role with all of the permissions, or you can assign several previously created roles as follows:

  • Read and Write Resources on all Blueprints (described in previous section)

  • Create Virtual Networks Only (not Including Allocating Resources) (described in previous section) with the addition of toggling on Make any change to staging blueprint. This also permits a user with this role to make other changes besides virtual network changes.
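The use cases above combine roles by union and rely on one permission implying others (Make any change to staging blueprint includes both Manage virtual networks permissions). As an added illustration, not Apstra's own code, here is a small model of that evaluation; the role names and the `IMPLIED` table are constructed from the use cases on this page.

```python
# Added illustration (not Apstra code): effective permissions of a user who
# holds several granular roles, including implied permissions.
READ_BP = "Read blueprint"
ANY_CHANGE = "Make any change to staging blueprint"
COMMIT = "Commit changes"
MANAGE_VN = "Manage virtual networks"
MANAGE_VN_EP = "Manage virtual network endpoints"

# Constructed from the page: toggling on "Make any change to staging blueprint"
# includes the two virtual-network permissions whether or not they are toggled on.
IMPLIED = {ANY_CHANGE: {MANAGE_VN, MANAGE_VN_EP}}

# Roles built as the use cases describe them (names are this example's).
ROLES = {
    "Read, Write and Commit Blueprints": {READ_BP, ANY_CHANGE, COMMIT},
    "Manage VN Endpoints on Blueprints": {READ_BP, MANAGE_VN_EP},
    "Create Virtual Networks only": {READ_BP, COMMIT, MANAGE_VN, MANAGE_VN_EP},
}


def expand(perms):
    """Close a permission set over the implied-permission rules."""
    result = set(perms)
    changed = True
    while changed:
        changed = False
        for perm in list(result):
            extra = IMPLIED.get(perm, set()) - result
            if extra:
                result |= extra
                changed = True
    return result


def effective_permissions(role_names):
    """A user with several roles gets the union of each role's expanded set."""
    perms = set()
    for name in role_names:
        perms |= expand(ROLES[name])
    return perms


def can(role_names, permission):
    """Authorization check: is the permission in the user's effective set?"""
    return permission in effective_permissions(role_names)


if __name__ == "__main__":
    vn_only = ["Create Virtual Networks only"]
    # The VN-only user may manage virtual networks but not make arbitrary changes.
    print(can(vn_only, MANAGE_VN), can(vn_only, ANY_CHANGE))
```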

Automatic Blueprint Lock

The automatic blueprint locking feature prevents restricted users (based on their roles) from making changes they are not actually permitted to make. In particular, a restricted user should not be able to commit changes made by another user.

Unlocked

If a blueprint has no changes to commit, it's unlocked, and you're free to stage any blueprint changes that you have permission to stage.

Locked by current user

If the blueprint is unlocked and you stage changes, the blueprint locks and prevents others from staging changes (unless they have permission to override), but you can continue to stage additional changes. When you commit your changes, the blueprint unlocks automatically.

Locked by other user

If someone else has staged changes in the blueprint and you don't have permission to see who it is, you'll see the message Locked by other user. You won't be able to make any changes to the blueprint (unless you have permission to override) until the blueprint is unlocked.

Locked by [user's name]

If someone else has staged changes in the blueprint and one of your Global Permissions / Blueprints roles is Show information about user who locked blueprint you'll see the message Locked by [the user's name]. In the example below, the user's name is "ShowOverrideUser". You won't be able to make any changes to the blueprint until the blueprint is unlocked. This is assuming you don't also have the Allow overriding other users staged changes and unlocking the blueprint permission. If you do, you'll see the message in the next section.

Locked by [user's name], but the lock can be overridden since you have override lock permissions for this blueprint

If someone else has staged changes in the blueprint and you're assigned the Global Permissions / Blueprints roles Show information about user who locked blueprint and Allow overriding other users staged changes and unlocking the blueprint, you will see the message Locked by [the user's name], but the lock can be overridden since you have override lock permissions for this blueprint. In the example below the user's name is "ShowOverrideUser". You can unlock the blueprint and make any changes to the blueprint. You'll see a message reminding you that someone else has staged changes. Be careful about overriding those changes.

Manual Blueprint Lock

Aside from blueprints automatically being locked/unlocked, if you have permission to stage blueprint changes, you can manually lock and unlock blueprints (as of Apstra version 5.1.0).

Unlocked

If a blueprint has no changes to commit, it's unlocked, and you're free to manually lock the blueprint or stage blueprint changes to automatically lock it.

Locked by current user

If the blueprint is unlocked you can manually lock the blueprint by clicking the Lock button (shown in screenshot above). The blueprint lock prevents others from staging changes (unless they have permission to override).

Locked by current user (the lock will not be released upon commit)

When you manually lock a blueprint then stage any change, the message when hovering over the Unlock button changes to 'remind' you that you locked the blueprint and it will remain locked until you manually unlock it by clicking the Unlock button.

Locked by other user

If someone else has locked a blueprint and you don't have permission to see who it is, you'll see the message Locked by other user. You won't be able to make any changes to the blueprint until the blueprint is unlocked (unless you have permission to override).

Locked by [user's name]

If someone else has manually locked a blueprint and one of your Global Permissions / Blueprints roles is Show information about user who locked blueprint you'll see the message Locked by [the user's name]. In the example below, the user's name is "ShowOverrideUser". You won't be able to make any changes to the blueprint until the blueprint is unlocked. This is assuming you don't also have the Allow overriding other users staged changes and unlocking the blueprint permission. If you do, you'll see the message in the next section.

Locked by [user's name], but you can unlock blueprint since you have override lock permissions for this blueprint

If someone else has manually locked a blueprint and you're assigned the Global Permissions / Blueprints roles Show information about user who locked blueprint and Allow overriding other users staged changes and unlocking the blueprint, you will see the message Locked by [the user's name], but you can unlock blueprint since you have override lock permissions for this blueprint. In the example below the user's name is 'admin'. You can unlock the blueprint and make any changes to the blueprint. You'll see a message reminding you that someone else has staged changes. Be careful about overriding those changes.
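The automatic and manual lock states above follow a small set of rules: staging takes the lock, commit releases an automatic lock but not a manual one, and what another user sees and can do depends on the two Global Permissions / Blueprints permissions named in this page. As an added illustration (not Apstra's own code), the following model encodes those rules; the class and its fields are assumptions made for the example, while the permission names and messages are the page's.

```python
from dataclasses import dataclass
from typing import Optional

SHOW_LOCKER = "Show information about user who locked blueprint"
OVERRIDE = "Allow overriding other users staged changes and unlocking the blueprint"


@dataclass
class Blueprint:  # constructed model, not Apstra's data structure
    locked_by: Optional[str] = None  # lock holder, if any
    manual: bool = False             # manual lock: survives commit
    staged: bool = False             # uncommitted changes exist

    def status(self, user, perms):
        """The lock message this user sees, per the rules on this page."""
        if self.locked_by is None:
            return "Unlocked"
        if self.locked_by == user:
            suffix = " (the lock will not be released upon commit)" if self.manual and self.staged else ""
            return "Locked by current user" + suffix
        if SHOW_LOCKER not in perms:
            return "Locked by other user"  # holder's identity is withheld
        msg = f"Locked by {self.locked_by}"
        if OVERRIDE in perms:
            msg += ", but you can unlock blueprint since you have override lock permissions for this blueprint"
        return msg

    def lock(self, user):
        """Manual lock: only possible while the blueprint is unlocked."""
        if self.locked_by is not None:
            raise PermissionError(self.status(user, ()))
        self.locked_by, self.manual = user, True

    def unlock(self, user, perms):
        """The holder may unlock; anyone else needs the override permission."""
        if self.locked_by != user and OVERRIDE not in perms:
            raise PermissionError(self.status(user, perms))
        self.locked_by, self.manual = None, False  # staged changes are kept

    def stage_change(self, user, perms):
        """Staging takes the lock; a lock held by someone else needs override."""
        if self.locked_by not in (None, user):
            self.unlock(user, perms)  # raises PermissionError without OVERRIDE
        self.locked_by, self.staged = user, True

    def commit(self, user, perms):
        """Commit releases an automatic lock; a manual lock stays in place."""
        if self.locked_by != user and OVERRIDE not in perms:
            raise PermissionError("cannot commit another user's staged changes")
        self.staged = False
        if not self.manual:
            self.locked_by = None
```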