Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
ON THIS PAGE
 

Add Access Control Profile Policies

This topic describes the operators, conditions, and rules for adding an access control policy, with examples.

An access control policy in an access control profile defines the resources and the conditions for accessing the resources. You can define conditions for accessing the following resources in an access control policy:

  • Devices

  • Network services

  • Tagging operations

Note:

The resources must be used as Device, NetworkService, and Tagging in a policy.

For details of operations that can be access controlled on devices, network services, and tagging operations, see Table 1.

For information on adding an access control profile, see Access Control Profile Overview.

Condition Operators Supported in a Policy

Table 1 lists the operators that you can use in an access control policy.

Table 1: Access Control Policy Operators
Operator Description Example

StringEquals

Use for string equals comparison of tags assigned to resources. More than one tag in a condition results in AND operation of the tags.

When the example condition is used in a policy and assigned to a network administrator (user in rest of the topic), the user will have access to all devices and network services with tag device:Juniper and site:NY.

 
...
"conditions": {
    "StringEquals": {
        "device": "Juniper",
        "site": "NY"
    }
}
...

ForAnyValues:StringEquals

Use for string equals comparison of tags assigned to resources. More than one tag in a condition results in OR operation of the tags.

When the example condition is used in a policy and assigned to a user, the user will have access to devices and services tagged with device:Juniper or site:NY.

 
...
"conditions": {
    "ForAnyValues:StringEquals": {
        "device": "Juniper",
        "site": "NY"
    }
}
...

StringResembles

Use for string resembles comparison of tags assigned to resources. You can use the wildcard character asterisk (*) at the beginning or at the end of the tag key and tag value.

More than one tag in a condition results in AND operation of the tags.

When the example condition is used in a policy and assigned to a user, the user will have access to devices and services tagged with keys starting with depart and values ending with st, such as department:Test.

 
...
"conditions": {
    "StringResembles": {
        "depart*": "*st"
    }
}
...

ForAnyValues:StringResembles

Use for string resembles comparison of tags assigned to resources. You can use the wildcard character (*) at the beginning and end of the tag key and tag value.

More than one tag in a condition results in OR operation of the tags.

When the example condition is used in a policy and assigned to a user, the user will have access to devices and services tagged with keys starting with depart and values ending with st, such as department:Test or state:in-maintenance or state:under-maintenance. 

...
"conditions": {
    "ForAnyValues:StringResembles": {
        "depart*": "*st",

        "state": "*-maintenance",
    }
}
...
Note:

StringResembles and ForAnyValues:StringResembles operator supports wildcard character (*) only at the beginning or at the end of a tag key or tag value. If you use * as the tag value in a condition, then any value is matched. For example:

  • us-* for matching us-west, us-east, and so on

  • *engineering for matching test-engineering and support-engineering, and so on)

  • * for matching any value like us, europe, or K2 peak

Restrict Tagging Privilege using Condition Overrides

Routing Director allows a superuser to enable users to assign tags. See Privilege Escalation for details.

To restrict the privilege of assigning tags, Routing Director provides key override constructs. Use the key override constructs as follows:

  • internal.tag.keys—Use to provide a list of tag keys as conditions when tagging is specified as a resource in a policy.

    The below sample policy, when used in a profile and assigned to a user, will allow the user to: .

    • Assign tags with department and role keys to resources. For example, department:Sales and role:Sales

    • Create tags with key department and role.

  • internal.tag.constraints—Use to restrict the tagging operation to a specific set of resources instead of allowing unrestricted tagging on all resources.

    For example, the following condition in a policy would allow a user to access any resource tagged with department:IT, CTO, or CFO AND vendor:Juniper, and tag such a resource only if the resource had keys region or type.

    Note:

    Keys specified in internal.tag.keys cannot be the same as any of the keys specified in internal.tag.constraints. This is to prevent privilege escalation. See Privilege Escalation for details on privilege escalation.

  • internal.network-service.design-id—Use to provide service design IDs such as infrastructure, elan-evpn-csm, l3vpn, and so on.

    For example, when you assign the following profile to a user, the user can create, update, or delete L3VPN service instances.

Rules for Adding Policies to a Profile

You must consider the following points while creating an access control policy. Otherwise, Routing Director considers the policies as ambiguous:

  • An access control policy with Tagging resource must contain at least one internal.tag.keys construct. The internal.tag.keys construct should not be combined with other tagging conditions in the same condition block. This is to prevent privilege escalation. If you combine internal.tag.keys construct and other tagging conditions in the same condition block, Routing Director considers the policy as ambiguous and does not process it.

    For example, when the following profile is applied to a user, the user can assign department and vendor tags to any device or network service. However, the internal-tag-constraints restricts the user to assign the department and vendor tags to resources with region:US, region:Canada or region:France tag.

  • If the resources list includes a network service, then the condition must include internal.network-service.design-id to indicate the service design ID that a user can access.

    For example, when the policy is applied to a user, the user can create, update, or delete a service instance of service design type elan-evpn-csm tagged with the region:europe tag.

  • If the resources list includes a device, the policy conditions should include at least one tag for the device.

    For example, when the policy is applied to a user, the user can access devices with tag region:Europe or MiddleEast AND role:PE.

    For example:

  • Use of wildcards for internal.network-service.design-id construct when using StringResembles and ForAnyValues:StringResembles operator is not supported.

    For example, Routing Director would not be able to resolve the following policy:

  • Do not start a tagging policy condition with the ForAnyValues operator.

    For example, Routing Director would not be able to resolve the following policy:

  • Use wildcard comparison only with StringResembles or ForAnyValues:StringResembles operators. With StringEquals or ForAnyValues:StringEquals, the comparison is always string comparison even if you use wildcard characters.

  • The same tag keys cannot be used in the internal.tag.keys and internal.tag.constraints. This is to prevent privilege escalation. Use internal.tag.keys only with the StringEquals operator.

    For example, the following condition in a policy would allow a user to access any resource tagged with department:IT, CTO, or CFO AND vendor:Juniper, and tag such a resource only with keys region and type.

Related Documentation