App Owner RBAC Role
The App Owner RBAC (Role-Based Access Control) role hides PCE content that is not relevant to the user holding the role. App owners can still write effective rules to secure their own applications, while their visibility within the PCE is limited to the scopes they have been granted.
Earlier PCE RBAC restricted only write permissions: read permissions were unrestricted, so every user could see all policy, workloads, and labels in the PCE regardless of role. The App Owner RBAC role restricts read permissions as well, so that what a user can see matches the scope of the roles assigned to them. This accelerates enterprise-wide expansion, allowing customers who acquired Illumio for a single application to roll it out to further applications more quickly.
The introduction of the App Owner role solves these problems because it does the following:
Accelerates micro-segmentation deployment by allowing for scaling after an organization implements micro-segmentation with smaller applications.
Ensures compliance with good security practices so that users cannot view the sensitive information they are not allowed to see.
Eliminates the complexity of building a custom portal. App Owners can use the Illumio REST APIs directly instead of a custom UI built by the customer to filter what each owner may see.
Lets App Owners manage the vulnerabilities in their own applications, with PCE owners assigning scoped roles for this purpose.
App Owner Roles
Users and user groups are assigned the Ruleset Manager, Ruleset Provisioner, Ruleset Viewer, and Workload Manager roles, each bound to a scope. A user may hold several scoped roles, and all permissions are additive: a user's effective rights on an object are the union of the rights from every assigned role whose scope covers that object.
Ruleset Manager with Scoped Reads
This RBAC role has write permission, allowing its holder to modify policy. With scoped reads, users with this role can view only the content within their assigned scope in the PCE rather than having full read-only access to the entire PCE content as before.
Ruleset Provisioner with Scoped Reads
This RBAC role can provision policy changes to workloads. With scoped reads, users with this role can view only the content within their assigned scope in the PCE rather than having full read-only access to the entire PCE content.
Ruleset Viewer
This RBAC role grants read-only access to the PCE for one or more applications. Users with this role can view their application and its dependencies, but they cannot view information about other applications.
Workload Manager with Scoped Reads
This RBAC role provides control for managing workloads. With scoped reads, users with this role can view only the content within their assigned scope in the PCE rather than having full read-only access to the entire PCE content.
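The following is an added example, not Illumio's code and not part of the original page. It models the behaviour described above for the four scoped roles: each role assignment is bound to a scope made of label key/value pairs, an object is in scope when it carries every label the scope names, permissions from all in-scope assignments are added together, and an object outside every assigned scope is invisible (no read) rather than read-only. The role names, the permission tokens ("read", "write_policy", "provision", "manage_workloads"), the label keys, and the sample grants and workloads are constructed assumptions for the model, not values from the PCE.

```python
"""Scoped-read RBAC model (constructed example; not Illumio's implementation)."""
from dataclasses import dataclass

# Permissions each scoped role carries, following the role descriptions above.
# Role names and permission tokens are assumptions made for this model.
ROLE_PERMISSIONS = {
    "ruleset_manager":     frozenset({"read", "write_policy"}),
    "ruleset_provisioner": frozenset({"read", "provision"}),
    "ruleset_viewer":      frozenset({"read"}),
    "workload_manager":    frozenset({"read", "manage_workloads"}),
}


@dataclass(frozen=True)
class Grant:
    """One role assignment: a role bound to a scope of (key, value) label pairs."""
    role: str
    scope: frozenset  # empty scope = the whole organization


@dataclass(frozen=True)
class Resource:
    """A labelled PCE object such as a workload or ruleset."""
    name: str
    labels: frozenset  # frozenset of (key, value)


def in_scope(scope: frozenset, labels: frozenset) -> bool:
    """An object is in scope when it carries every label the scope names."""
    return scope <= labels


def permissions_on(grants, resource: Resource) -> frozenset:
    """Union of the permissions from every grant whose scope covers the resource.

    Out-of-scope grants contribute nothing, so a resource covered by no grant
    ends up with an empty permission set and is therefore not even readable.
    """
    perms = set()
    for g in grants:
        if in_scope(g.scope, resource.labels):
            perms |= ROLE_PERMISSIONS[g.role]
    return frozenset(perms)


def can(grants, resource: Resource, permission: str) -> bool:
    return permission in permissions_on(grants, resource)


def visible(grants, resources):
    """Names of the resources the user may read, in input order."""
    return [r.name for r in resources if can(grants, r, "read")]


# Constructed sample data: an app owner who manages the Payments app in Prod
# and may view (but not change) the HR app in any environment.
EXAMPLE_GRANTS = (
    Grant("ruleset_manager", frozenset({("app", "Payments"), ("env", "Prod")})),
    Grant("ruleset_viewer", frozenset({("app", "HR")})),
)

EXAMPLE_RESOURCES = (
    Resource("payments-web-prod", frozenset({("app", "Payments"), ("env", "Prod"), ("loc", "AWS")})),
    Resource("payments-web-dev",  frozenset({("app", "Payments"), ("env", "Dev"),  ("loc", "AWS")})),
    Resource("hr-db-prod",        frozenset({("app", "HR"),       ("env", "Prod"), ("loc", "DC1")})),
    Resource("billing-api-prod",  frozenset({("app", "Billing"),  ("env", "Prod"), ("loc", "DC1")})),
)

if __name__ == "__main__":
    print("visible:", visible(EXAMPLE_GRANTS, EXAMPLE_RESOURCES))
    for r in EXAMPLE_RESOURCES:
        print(f"{r.name:20} {sorted(permissions_on(EXAMPLE_GRANTS, r))}")
```

Running the block lists only payments-web-prod and hr-db-prod as visible; payments-web-dev and billing-api-prod carry no permission at all, which is the difference between scoped reads and the earlier behaviour where every user could read everything. Adding a further grant (for example Workload Manager scoped to env=Prod) widens both the permission set on payments-web-prod and the set of visible objects, illustrating why additive scoped roles need to be reviewed together rather than one assignment at a time.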