Role-based Access for Application Owners
The enhancements made to the Role-based Access Control (RBAC) framework in the Illumio Core 20.1.0 release enable organizations to address several use cases related to application owners.
Overview
These enhancements include:
Delegation of policy writing to downstream application teams.
Assigning read-only privileges to application owners. Those users get read access based on the assigned scopes.
Flexibility to assign read/write or read-only privileges to the same user for different applications. For example, the same user can have read/write privileges in a staging environment but has read-only privileges in a production environment.
Although the RBAC controls in releases prior to Illumio Core 20.1.0 restricted "writes" based on user role and scope, users had visibility into all aspects of the PCE irrespective of the role. With these new RBAC controls, application owners get visibility into the applications within their assigned scopes, specifically the PCE information relevant to their applications. Depending on the user's role, application owners can:
Read/write policies to manage application segmentation.
View inbound and outbound traffic flows as well as use Explorer.
View labeled objects used in policies.
View details of global objects such as, IP Lists and Services used by their applications.
Benefits
The key benefits of the RBAC framework in the PCE are as follows:
Provides a label based approach to define user permissions.
Provides roles based on application owner personas to manage application segmentation.
Provides a building block based approach to stack permissions for users.
Offers flexibility to delegate read/write and read-only privileges to same user for different sets of applications.
Enables enforcement of least privilege by hiding information outside of an application scope.
Allows application owners to effectively manage segmentation for their applications.
Updates to Roles
Illumio Core provides two types of user roles - Global and Scoped. It also provides the ability to stack multiple roles for the same user. A PCE owner can assign multiple roles to the same user. The resulting set of permissions is the summation of all permissions included with each stacked. With these updates:
Existing scoped roles were enhanced to restrict reads by scope.
The new scope-based read-only role limits read access by labels.
Scoped users get limited visibility into objects 1-hop away (this applies to Explorer, App Group Maps, Rule Search, and Traffic).
Global read-only is disabled by default for new PCE installations.
PCE performance and scale enhanced to support concurrently active users.
Global Roles
Global roles allow the user to view everything and perform operations globally. The four Global roles are :
Global Organization Owner: Allowed to manage all aspects of the PCE, including user management.
Global Administrator: Allowed to manage most aspects of the PCE, except user management.
Global Viewer: Allowed to view everything within the PCE in a read-only capacity. This role was previously called "Global Read-only".
Global Policy Object Provisioner: Allowed to provision global objects that require provisioning, such as Services and Label Groups.
Scoped Roles
The Scoped roles are defined using labels. The permissions included with the assigned role apply only to the assigned scope, where the scope is defined using a combination of as many label types as you have defined (and with only one label value per type). To provide permissions to different applications for a user, each of the application scopes has to be added to the same user.
All the Scoped roles have been enhanced to restrict reads and writes by Scope. The Scoped roles are :
Ruleset Viewer: A new scope-based read-only role. A user with this role has read-only permissions within the assigned scope. The user can view policy, application groups, incoming and outgoing traffic, and labeled objects, such as workloads, within the assigned scope.
Ruleset Manager (Limited or Full): An existing scope-based read/write role. A user with this role can read/write policy within the assigned scope. The user can also view application groups, incoming and outgoing traffic, and labeled objects within the assigned scope.
Ruleset Provisioner: This role allows a user to provision changes to scoped objects, provided the objects are inside the user's assigned scope. A user with this role can also provision changes to policies within the assigned scope. The user can also view application groups, incoming and outgoing traffic, and labeled objects within the assigned scope.
Workload Manager: This role allows a user to perform workload-specific operations such as pairing, unpairing, label assignment, and changing policy state. A user with this role cannot view policies and traffic and cannot provision changes.
Configuration
The Global Read-only user setting should be disabled to enforce scoped reads for users with scoped roles. To disable this setting, make sure that the Read Only User setting under Access Management > Global Roles > Global Viewer is set to Off.
Note
In PCE versions 20.1.0 and higher, the Global Read-only user setting is disabled by default.
On PCE versions upgraded from prior releases, this setting must be manually turned off for users to have reads restricted by scope. If this setting is se On, users with scoped roles will get global visibility by default.
Manage Global Owners
Facet Searches for Scoped Roles
The Scopes page now features a search bar with auto-complete and facets. This is restricted to users with a Global Organization Owner role. To use this feature, navigate to Access Management > Scopes. The search bar allows Organization Owners to query a list of users by a user's role. They can search by labels and label groups to get a list of users with the selected label(s) in their assigned scope(s), or for users with no labels assigned. They can also select Principals to search for a specific user.
Ruleset Viewer
Ruleset Viewer is a new scope-based read-only role. When assigned, a user get read-only visibility into the assigned application scope. As a Ruleset Viewer, you can view all the Rulesets and Rules within the assigned scope. However, you cannot edit any of the rules or create new rules. You can use Policy Generator to preview the policies that will be generated. However, you are not allowed to save policy after previewing it using Policy Generator.
A Ruleset Viewer is allowed to view everything that a Ruleset Manager with the same scope is allowed to view. This includes traffic flows, labeled objects, application groups, global objects, and so on. The only difference between a Ruleset Manager and a Ruleset Viewer is the absence of write privileges for a Ruleset Viewer. A Ruleset Manager is allowed to create and update policy within the application scope.
Scoped Roles and Permissions
The following table provides a summary of the different permissions provided with each of the scoped roles.
(R) = Restricted based on scope
(T) = Restricted based on resource type
--- = Not applicable
Page | Ruleset Viewer (Scoped Read-Only) | Ruleset Manager | Ruleset Provisioner | Workload Manager | Application Owner (Combined Permissions) |
|---|---|---|---|---|---|
Traffic - Illumination, App Group, Explorer | |||||
Illumination Location Map | --- | --- | --- | --- | --- |
App Group Policy Map | Read (R) | Read (R) | Read (R) | --- | Read (R) |
App Group Vulnerability Map | Read (R) | Read (R) | Read (R) | --- | Read (R) |
App Group List | Read (R) | Read (R) | Read (R) | Read (R) | |
Explorer | Read (R) | Read (R) | Read (R) | --- | Read (R) |
Blocked Traffic | Read (R) | Read (R) | Read (R) | --- | Read (R) |
Policy | |||||
Policy Generator | Read (R) | Read+Write (R) | Read (R) | --- | Read+Write (R) |
Rulesets and Rules | Read (R) | Read+Write (R) | Read (R) | --- | Read+Write (R) |
Rule Search | Read (R) | Read (R) | Read (R) | --- | Read (R) |
Policy Check | Read (R) | Read (R) | Read (R) | --- | Read (R) |
Provisioning Draft Changes | Read (R) | Read (R) | Read+Write (R) | --- | Read+Write (R) |
Policy Versions | Read (R) | Read (R) | Read (R) | --- | Read (R) |
Provisioning Status | Read (R) | Read (R) | Read (R) | --- | Read (R) |
Labeled Objects | |||||
Workloads | Read (R) | Read (R) | Read (R) | Read+Write (R) | Read+Write (R) |
Container Workloads | Read (R) | Read (R) | Read (R) | Read (R) | Read (R) |
Virtual Enforcement Nodes | Read (R) | Read (R) | Read (R) | Read+Write (R) | Read+Write (R) |
Pairing Profiles | --- | --- | --- | Read+Write (R) | Read+Write (R) |
Virtual Services | Read (R) | Read (R) | Read (R) | Read (R) | Read (R) |
Virtual Servers | Read | Read | Read | Read | Read |
Global Policy Objects | |||||
Services | Read | Read | Read | Read | Read |
IP Lists | Read | Read | Read | Read | Read |
User Groups | Read | Read | Read | Read | Read |
Labels | Read | Read | Read | Read | Read |
Label Groups | Read | Read | Read | Read | Read |
Settings | |||||
Segmentation Templates | --- | --- | --- | --- | --- |
Role-Based Access Global Roles | --- | --- | --- | --- | --- |
Role-Based Access Scoped Roles | --- | --- | --- | --- | --- |
Role-Based Access Users and Groups | --- | --- | --- | --- | --- |
Role-Based Access User Activity | --- | --- | --- | --- | --- |
Load Balancers | --- | --- | --- | --- | --- |
Container Clusters | --- | --- | --- | --- | --- |
Bi-directional Routing Networks | --- | --- | --- | --- | --- |
Event Settings | --- | --- | --- | --- | --- |
Setting Security | --- | --- | --- | --- | --- |
Setting Single Sign-On | --- | --- | --- | --- | --- |
Setting Password Policy | --- | --- | --- | --- | --- |
Setting Offline Timers | --- | --- | --- | --- | --- |
VEN Library | --- | --- | --- | Read | Read |
My Profile | Read+Write | Read+Write | Read+Write | Read+Write | Read+Write |
My API Keys | Read+Write | Read+Write | Read+Write | Read+Write | Read+Write |
Other | |||||
Support Reports | --- | --- | --- | Read+Write (R) | Read+Write (R) |
Events | --- | --- | --- | --- | --- |
Reports | Read (R, T) | Read (R, T) | Read (R, T) | Read (R, T) | Read (R) |
Support | Read | Read | Read | Read | Read |
PCE Health | --- | --- | --- | --- | --- |
Product Version | Read | Read | Read | Read | Read |
Help | Read | Read | Read | Read | Read |
Terms | Read | Read | Read | Read | Read |
Privacy | Read | Read | Read | Read | Read |
Patents | Read | Read | Read | Read | Read |
About Illumio | Read | Read | Read | Read | Read |
Scoped Users and PCE
Each scoped role has different permissions that impact an application owner's visibility into various aspects of the PCE. Application owners can be assigned scoped roles that come with different permissions.
Navigation Menus
The PCE navigation menu options vary based on the user's role. The navigation menu options available for Application Owner are limited. For example, a user is logged in as a Global Organization Owner has more (complete) menu options displayed than when a user logs in as a scoped user (Application Owner).
The following table provides the menu options available for different scoped users.
Y = Yes (menu option is displayed for the user)
N/A = Not applicable (menu option is hidden from the user)
Page | Ruleset Viewer | Ruleset Manager | Ruleset Provisioner | Workload Manager |
|---|---|---|---|---|
Illumination Map | N/A | N/A | N/A | N/A |
Role-based Access | N/A | N/A | N/A | N/A |
Policy Objects > Segmentation Templates | N/A | N/A | N/A | N/A |
Policy Objects > Pairing Profiles | N/A | N/A | N/A | Y |
Infrastructure | N/A | N/A | N/A | N/A |
Troubleshooting > Events | N/A | N/A | N/A | N/A |
Troubleshooting > Support Reports | N/A | N/A | N/A | Y |
Settings | N/A | N/A | N/A | See row below |
Settings > VEN Library | N/A | N/A | N/A | Y |
PCE Health | N/A | N/A | N/A | N/A |
App Groups > Map | Y | Y | Y | N/A (App Group Members are visible) |
App Groups > List | Y | Y | Y | Y |
App Groups > Vulnerability Map | Y | Y | Y | N/A |
Explorer | Y | Y | Y | N/A |
Policy Generator | Y | Y | Y | N/A |
Rulesets and Rules | Y | Y | Y | N/A |
Rule Search | Y | Y | Y | N/A |
Workload Management > Workloads | Y | Y | Y | Y |
Workload Management > Container Workloads | Y | Y | Y | Y |
Workload Management > Virtual Enforcement Nodes (Agents) | Y | Y | Y | Y |
Provision > Draft Changes | Y | Y | Y | N/A |
Provision > Policy Versions | Y | Y | Y | N/A |
Policy Objects > IP Lists | Y | Y | Y | Y |
Policy Objects > Services | Y | Y | Y | Y |
Policy Objects > Labels | Y | Y | Y | Y |
Policy Objects > User Groups | Y | Y | Y | Y |
Policy Objects > Label Groups | Y | Y | Y | Y |
Policy Objects > Virtual Services | Y | Y | Y | Y |
Policy Objects > Virtual Servers | Y | Y | Y | Y |
Troubleshooting > Blocked Traffic | Y | Y | Y | N/A |
Troubleshooting > Export Reports | Y | Y | Y | Y |
Troubleshooting > Policy Check | Y | Y | Y | N/A |
Troubleshooting > Product Version | Y | Y | Y | Y |
Support | Y | Y | Y | Y |
My Profile | Y | Y | Y | Y |
My Roles | Y | Y | Y | Y |
My API Keys | Y | Y | Y | Y |
Help | Y | Y | Y | Y |
Terms | Y | Y | Y | Y |
Patents | Y | Y | Y | Y |
Privacy | Y | Y | Y | Y |
About Illumio | Y | Y | Y | Y |
Landing Page
The PCE landing page changes dynamically based on the user's role. The Illumination page opens when you log in to your account as an Organization Owner. However, when you log in as a Scoped user, the landing page changes to the App Groups List page where you can see the list of App Groups assigned.
Labeled Objects
The scope of the user filters labeled objects, such as workloads. On the Workloads page, you will only see the list of the workloads within the application scope. You cannot see any workloads that are outside the application scope. This applies to any labeled object, such as workloads, containers, Virtual Services, and Virtual Enforcement Nodes (VENs).
The menu functions and buttons change dynamically to reflect a user's permissions. If logged in as a Ruleset Manager, you cannot manage workloads. So, all the workload-specific operations buttons are disabled. However, you can view the list of workloads within the scope and get details for individual workloads, except for Virtual Servers.
Note
While Virtual Servers are considered labeled objects, they are visible to all scoped users regardless of object scope.
Facet Searches and Auto-complete
The search bar with auto-complete and facets is scoped for labeled objects and Rulesets. For example, if you search for Application Labels, you can only select the Application Labels under the assigned scope. This applies to other label types such as Environment labels and Location labels. However, Role labels are excluded since Role labels are not part of the user scope. The restriction of visibility by scope applies to facets such as hostname, IP address, etc. The search bar automatically filters the facets to the list of facets in the user's assigned scope.
Global Objects
Scoped users get complete read-only visibility into all global objects. This includes IP Lists, services, labels, label groups, and user groups. However, scoped users cannot create, modify, or provision global objects.
Note
Only the Global Organization Owner and Global Administrator can create, modify, and provision global objects.
Rulesets and Rules
Scoped users, except Workload Managers, can see rulesets and rules that apply to their applications. A Ruleset Manager can edit the ruleset, whereas the other scoped roles (Ruleset Viewer and Ruleset Provisioner) can view rulesets. A scoped user can see all the rules within the application ruleset.
When label groups are used within the scope of a ruleset, a Ruleset Manager may not be allowed to edit the ruleset and its rules even if there is a scope match between the user's assigned scope and the underlying scope of the ruleset. The user will, however, be able to view the rules within such a ruleset.
In addition, scoped users can also see rules that apply to their applications. For example, scoped users can view rules written by other applications that apply to their application. To see those rules, click Rule Search from the navigation menu.
On the Rule Search page, a scoped user can see all the rules that apply to their application. This includes rules for incoming and outgoing traffic flows. The rules highlighted in the screenshot below are the outbound rules which are for your application. The application owner provides visibility to all the rules that are applied to your application.
Policy Generator and Explorer
With Policy Generator, scoped users can generate policies only for their applications. Only Ruleset Managers can generate policies with Policy Generator. Ruleset Viewers can preview Policy Generator without the ability to save the policy.
Explorer views are also filtered for scoped users. To use Explorer, one of the endpoints has to be within the scoped user's application. The same applies to Blocked Traffic.
My Roles
"My Roles" is a new feature that allows you to view the list of assigned permissions (roles).
App Group Map
The App Group Map provides visibility into applications and their contents. All scoped users except for Workload Managers can view App Group Maps.
Scoped users get limited visibility for connected App Groups such as Source App Groups and Destination App Groups. Scoped users get limited information on endpoints with traffic flows to their application. For an endpoint in a connected App Group from traffic flow, scoped users can get limited information such as labels, role names, and host names.
