
Getting Started with the Illumio Console

Example Scoped Role Use Cases

Consider the following use cases for two of the scoped roles described in the Roles with Custom Scopes topic -- the Workload Manager and the Limited Ruleset Manager.

Workload Manager Role

The following use cases describe scenarios that the Workload Manager role is well suited to address.

  • Use Case 1

    You want to use scripts in your development environment to programmatically spin up and bring down workloads; the scripts create pairing profiles and generate pairing keys without you granting them elevated Admin privileges.

  • Use Case 2

    Your application teams are in charge of changing the security posture of workloads, such as changing the policy enforcement states. You want to allow your application teams to manage workload security without granting them broad privileges, such as All access (for the standard Application, Environment, and Location label types, or for any custom label types you have defined).

  • Use Case 3

    You want to prevent your users from accidentally changing workload labels by moving the workloads in Maps, Traffic, or other Console views.

Solution

Users with the Workload Manager role can create, update, and delete workloads and pairing profiles. This role is a scoped role; when you assign a user to a scope, they can only manage workloads within the allocated scope. The Workload Manager can pair, unpair, and suspend VENs and change the policy state. It is an additive role; you can assign the Workload Manager role to a user, and combine it with any other Illumio Console role to provide additional privileges for that user.

Users assigned the Workload Manager role can view applications that are outside their scopes but can only modify those applications that are within their scopes. A Workload Manager user cannot clear traffic counters from workloads within their scope.

To assign the Workload Manager role when first adding a new user:

  1. Access > Users > Add

  2. In Roles, select the Workload Manager role (and any other you want to assign).

To assign the Workload Manager role to an existing user:

  1. Access > Users

  2. Click the user name.

  3. Click Add Role.

  4. Choose Add Scoped Role.

  5. In Select Roles, choose Workload Manager from the list.

  6. (Optional) In Select Scope, specify a scope for this user's Workload Manager role.
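Use Case 1 above is the scripted path: a CI or development script pairs and unpairs workloads using an API key that carries only the scoped Workload Manager role, so a leaked credential cannot alter policy outside that scope. The following is an added example, not Illumio's own code or SDK. It assumes the PCE/Console REST API v2 endpoints `POST /api/v2/orgs/{org_id}/pairing_profiles` and `POST /api/v2{pairing_profile_href}/pairing_key`, the request fields shown, and HTTP Basic authentication with the API key username and secret; verify these against your API reference. The hostname, org id, label hrefs and the canned responses in the dry-run transport are constructed placeholders.

```python
"""Provision a pairing profile and a single-use pairing key from a script that
authenticates with an API key holding only the scoped Workload Manager role.

Added example, not Illumio's own code. Assumptions to verify against your
PCE/Console REST API reference: the v2 endpoints
  POST {base}/api/v2/orgs/{org_id}/pairing_profiles
  POST {base}/api/v2{pairing_profile_href}/pairing_key
the request fields used below, and HTTP Basic auth with the API key
username (api_...) and secret. Hostnames, org id and label hrefs are
constructed placeholders.
"""
import base64
import json
import os
import urllib.request
from typing import Callable, Optional

# transport(method, url, json_body_or_None, headers) -> decoded JSON response
Transport = Callable[[str, str, Optional[dict], dict], dict]


def https_transport(method: str, url: str, body: Optional[dict], headers: dict) -> dict:
    """Send one request with the standard library; used for real runs."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers=headers)
    with urllib.request.urlopen(req, timeout=30) as resp:
        raw = resp.read().decode()
    return json.loads(raw) if raw else {}


class RecordingTransport:
    """Dry-run transport: records every call and returns canned responses so
    the script can be exercised offline before it is pointed at a real PCE."""

    def __init__(self, profile_href: str, activation_code: str):
        self.calls = []
        self.profile_href = profile_href          # constructed sample href
        self.activation_code = activation_code    # constructed sample key

    def __call__(self, method, url, body, headers):
        self.calls.append({"method": method, "url": url, "body": body, "headers": headers})
        if url.endswith("/pairing_profiles"):
            return {"href": self.profile_href, "name": body["name"]}
        if url.endswith("/pairing_key"):
            return {"activation_code": self.activation_code}
        raise ValueError(f"unexpected request to {url}")


class ScopedPairingClient:
    def __init__(self, base_url: str, org_id: int, api_user: str, api_secret: str,
                 transport: Transport = https_transport):
        self.api_root = base_url.rstrip("/") + "/api/v2"
        self.org_path = f"/orgs/{org_id}"
        creds = base64.b64encode(f"{api_user}:{api_secret}".encode()).decode()
        self.headers = {
            "Authorization": f"Basic {creds}",
            "Content-Type": "application/json",
            "Accept": "application/json",
        }
        self.transport = transport

    def create_pairing_profile(self, name: str, label_hrefs: list,
                               enforcement_mode: str = "visibility_only",
                               key_lifespan_seconds: int = 3600, uses_per_key: int = 1) -> dict:
        """Create a profile whose labels place paired workloads inside the
        Workload Manager's scope. Short-lived, single-use keys limit the damage
        if a key leaks from the build system."""
        body = {
            "name": name,
            "enabled": True,
            "labels": [{"href": h} for h in label_hrefs],
            "enforcement_mode": enforcement_mode,
            "key_lifespan": key_lifespan_seconds,
            "allowed_uses_per_key": uses_per_key,
        }
        return self.transport("POST", self.api_root + self.org_path + "/pairing_profiles",
                              body, self.headers)

    def generate_pairing_key(self, profile_href: str) -> str:
        """Mint one activation code for an existing pairing profile."""
        resp = self.transport("POST", self.api_root + profile_href + "/pairing_key",
                              {}, self.headers)
        return resp["activation_code"]

    def provision(self, name: str, label_hrefs: list):
        """Create the profile and mint one key; returns (profile_href, activation_code)."""
        profile = self.create_pairing_profile(name, label_hrefs)
        return profile["href"], self.generate_pairing_key(profile["href"])


if __name__ == "__main__":
    # Real run: the scoped API key comes from the environment, never from the script.
    client = ScopedPairingClient(
        os.environ["PCE_URL"], int(os.environ["PCE_ORG_ID"]),
        os.environ["PCE_API_USER"], os.environ["PCE_API_SECRET"],
    )
    href, code = client.provision("ci-dev-ephemeral", os.environ["PCE_LABEL_HREFS"].split(","))
    print(href, code)
```

The API key used here should be created for a user who holds only the Workload Manager role with a scope matching the labels in the pairing profile; if the profile's labels fall outside that scope, the create call is rejected, which is the behaviour you want from a credential that lives in a CI system.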

Limited Ruleset Manager Role

A user has the Limited Ruleset Manager role and access to the following scope:

All Applications | Production Environment | All Locations

The user can create and manage:

  • Any ruleset that matches the Production environment

  • Intra- or extra-scope rules that match this scope:

    All Applications | Production Environment | All Locations

    Where the destination and source of the rule are both within the Production environment scope.

For intra-scope rules, all workloads can communicate within their group (as defined by the scope), so the rule source is not restricted. However, in extra-scope rules, the Environment label of the resource selected as the source must match the label in the scope exactly.

The user cannot create a rule with the scope “All | All | All” because that scope is broader than the user's access, which is only for the Production environment.

Because the user is a Limited Ruleset Manager, the user cannot manage custom iptables rules, and the following resources cannot be selected as the source (consumer) in extra-scope rules: IP lists, label groups, user groups, or workloads.
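To make the boundaries above concrete, here is an added example (not Illumio code) that models the scope checks this topic describes for a Limited Ruleset Manager: a ruleset scope must be no broader than the user's scope, an intra-scope rule needs no separate source check, an extra-scope rule's source must carry the Environment label of the scope exactly, and IP lists, label groups, user groups and workloads are refused as extra-scope sources. The labels and scopes are constructed. One generalisation beyond the text, stated as an assumption: the extra-scope source check is applied to every dimension the user's scope pins to a single label, which for the page's All | Production | All scope reduces to the Environment check it describes.

```python
"""Model of the scope rules this topic states for a Limited Ruleset Manager.

Added example, not Illumio code: it encodes the checks described in the topic
so you can predict whether a scoped user may manage a ruleset or author a rule
before trying it in the Console. Labels and scopes are constructed.
Assumption beyond the text: the extra-scope source check is applied to every
dimension the user's scope pins to one label; for All | Production | All that is
exactly the Environment check the topic describes.
"""
from dataclasses import dataclass
from typing import Optional

ALL = "All"  # wildcard for a label dimension
DIMENSIONS = ("app", "env", "loc")

# Resource types a Limited Ruleset Manager may not select as the source of an
# extra-scope rule.
BLOCKED_EXTRA_SCOPE_SOURCES = {"ip_list", "label_group", "user_group", "workload"}


@dataclass(frozen=True)
class Scope:
    app: str = ALL
    env: str = ALL
    loc: str = ALL

    def contains(self, other: "Scope") -> bool:
        """True if every dimension of `other` lies within this scope."""
        return all(
            getattr(self, d) == ALL or getattr(self, d) == getattr(other, d)
            for d in DIMENSIONS
        )


def can_manage_ruleset(user_scope: Scope, ruleset_scope: Scope) -> bool:
    """A ruleset is manageable only if its scope is no broader than the user's."""
    return user_scope.contains(ruleset_scope)


def can_write_rule(user_scope: Scope, ruleset_scope: Scope, kind: str,
                   source_type: str = "label",
                   source_labels: Optional[dict] = None) -> bool:
    """kind is 'intra' or 'extra'. source_labels maps dimension -> label for a
    label-based source, e.g. {"env": "Production"}."""
    if not can_manage_ruleset(user_scope, ruleset_scope):
        return False
    if kind == "intra":
        # The source inherits the ruleset scope, so it needs no separate check.
        return True
    if kind != "extra":
        raise ValueError(f"unknown rule kind {kind!r}")
    if source_type in BLOCKED_EXTRA_SCOPE_SOURCES:
        return False
    labels = source_labels or {}
    # Every dimension the user's scope pins must be matched exactly by the source.
    return all(
        getattr(user_scope, d) == ALL or labels.get(d) == getattr(user_scope, d)
        for d in DIMENSIONS
    )


def walk_through() -> dict:
    """Apply the checks to the topic's scenario; returns a description -> bool map."""
    user = Scope(env="Production")  # All Applications | Production | All Locations
    prod = Scope(env="Production")
    return {
        "ruleset All|All|All": can_manage_ruleset(user, Scope()),
        "ruleset All|Production|All": can_manage_ruleset(user, prod),
        "ruleset HRM|Production|US": can_manage_ruleset(user, Scope("HRM", "Production", "US")),
        "intra-scope rule": can_write_rule(user, prod, "intra"),
        "extra-scope, source env=Production": can_write_rule(
            user, prod, "extra", source_labels={"env": "Production", "app": "Billing"}),
        "extra-scope, source env=Development": can_write_rule(
            user, prod, "extra", source_labels={"env": "Development"}),
        "extra-scope, source is IP list": can_write_rule(
            user, prod, "extra", source_type="ip_list"),
    }


if __name__ == "__main__":
    for name, ok in walk_through().items():
        print(f"{'allowed' if ok else 'denied':8} {name}")
```

The model is deliberately small so that it can be extended to your own label types: add a dimension to `DIMENSIONS` and a field to `Scope`, and the containment and source checks pick it up unchanged.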