Each Avi Vantage user account is associated with a role. The role defines the type of access the user has to each area of NSX Advanced Load Balancer.
Roles provide granular Role-Based Access Control (RBAC) within Avi Vantage.
The role, in combination with the tenant (optional), comprise the authorization settings for an Avi Vantage user.
For each Avi Vantage system area, the role can be one of the following:
- Write: The user has full access to create, read, modify, and delete items. For example, the user may be able to create a virtual service, modify its properties, view its health and metrics, and later delete that virtual service.
- Read: The user can only read the existing configuration of the item. For example, the user can see how a virtual service is configured while being unable to view the current metrics, modify, or delete that virtual service.
- No Access: User can neither see nor modify this section of Avi Vantage. For example, the user is prohibited from creating, modifying, deleting, or even viewing (reading) any virtual services at all.
- Assorted: The user has multiple types of access within a system area.
Managing User Roles
Each user must be associated with at least one role. The role can be either predefined or a custom role. To view the different user roles,
From the UI, navigate to Administration > Roles. The pre-defined roles in NSX Advanced Load Balancer are listed. Each user role has different levels of access to different settings in NSX Advanced Laod Balancer.
Click the + icon in the table to expand the access settings for a role.
Click the Edit icon against a role to configure the access settings for the role, according to your requirement,
If multi-tenancy is configured, a user can be assigned to more than one tenant, and can have a separate role for each tenant.
Creating a Role
If none of the pre-defined roles exactly fit the access requirements for some user accounts, you can create custom roles according to your requirement.
To create a custom role,
Navigate to Administration > Accounts > Roles.
Click Create to open the New Role screen.
Under General, enter a Name for the role.
Configure the access for each system area under Role Access. By default, all the roles are set to no access.
To set access to all the resources within a system area, click the required access icon on the title row of the system row. For example, to provide write access to all the profiles, click the write icon in the title row for the Profiles system area:
To give write access for some resources, read access for some, and no access for some, click the relevant icon for each resource. Automatically, the assorted access is enabled in the title row on the system area, indicating multiple types of access.
Optionally, configure Label Filters for the role to provide object-based granular access.
Click Save to save the new role.
Note: Roles can only be created in the admin tenants.
Assigning a Role to a User
Roles can be assigned to both local and remote (LDAP, TACACS+) user accounts. The procedure differs depending on where the account is maintained.
Local User Account
Roles can be assigned to a user account when the account is created or at any time later. In either case, select the role from the Role pull-down list in the configuration popup for the user account.
- Navigate to Administration > Accounts > Users.
- If configuring a new account, click on Create. Otherwise, if changing an existing account, click on the Edit icon in the row for the account.
- Select the role from the Role pull-down list. If a custom role is needed but is not created, click on Create.
User accounts are case-sensitive.
LDAP or TACACS+ User Accounts
If LDAP or TACACS+ remote authentication is used, roles can be assigned to users based on the following:
- LDAP group: A role can be assigned to users in any group, or specifically to users who either are or are not members of specific groups.
- LDAP attributes: For users who match the LDAP group filter, the role is assigned to those users with any attributes and values, or who either do or do not have specific attributes and values.
The mappings are configured within Avi Vantage rather than the LDAP or TACACS+ server.
To map LDAP or TACACS+ users to Avi Vantage roles, use the following steps. Multiple mappings can be configured if needed, for any combination of user group name and attribute:value pair.
- These steps assume that Avi Vantage authentication/authorization is set to remote, and an LDAP or TACACS+ Auth profile has been applied.
- Group names are case-sensitive for LDAP mapping.
- Navigate to Administration > Settings > Authentication/Authorization.
- Click on New Mapping.
- Select the filter for the LDAP group:
- Any: Users in any LDAP group match the filter.
- Member: Users must be members of the specified groups. If entering multiple group names, use commas between the names.
- Not a Member: Users must not be members of the specified groups.
- Select the filter for the LDAP attribute:
- Any: Users match regardless of attributes or their values.
- Contains: User must have the specified attribute, and the attribute must have one of the specified values.
- Does Not Contain: User must not have the specified attribute and value(s).
- Select the role from the User Role pull-down list:
- From Select List: Displays a Roles pull-down list. Select the role from the list.
- All: Assigns all roles.
- Matching Attribute Value: Assigns the role whose name matches an attribute value from the LDAP server.
- Matching Group Name: Assigns the role whose name matches a group name on the LDAP server.
- If using multitenancy, users also can be mapped to tenants. Read more about tenants and tenancy tenant.
- Click on Save. The new mapping appears in the Tenant and Role Mapping table.