Manage Roles
The Policy Manager uses security roles that control user permissions. A user must be assigned to at least one of these roles in order to connect to the API Gateway and perform administrative tasks in the Policy Manager. The Policy Manager has a number of factory-defined roles, and you can create your own custom roles to tailor permissions specifically. In addition, performing certain tasks automatically creates accompanying security roles. These auto-created roles are the "Manage [name]..." and "View [name]..." roles in Predefined Roles and Permissions. The auto-creation of these roles can be turned off by using the rbac.autoRole.manage<name>.autoAssign cluster properties, where "<name>" is "Policy", "Provider", or "Service".
(1) Performing certain tasks may automatically create accompanying security roles.
(2) Some entities cannot be edited, even with the 'Administrator' role. These are entities that were installed by Solution Kits and set as read-only by the Solution Kit author.
(3) Only users in the Internal Identity Provider and LDAP Identity Provider can be assigned to roles.
A user added to a role automatically inherits all the permissions defined for that role. If a user is added to multiple roles, the user receives permissions from all the roles. For example, user Bob is a member of the Operators role. He can view (but not update) anything in the system. Sue is a member of the Operators and Publish Web Services roles. She can view anything in the system and also publish web services.
Users may be added to roles either directly, or indirectly when a group to which a user belongs is added to a role.
Role-based permissions provide a fast and flexible way to control user operations and maintain the integrity of your data.
For a description of all the predefined roles in Policy Manager, see Predefined Roles and Permissions.
If a user has the same username and password in both the internal identity provider and in an LDAP identity provider, the Policy Manager will use the roles associated with the internal identity provider first. If multiple users share a login ID, they are differentiated by their passwords.
If a user is denied permission to perform a task and you are certain that permission has been granted, check whether the number of group memberships for that user exceeds the principalSessionCache.maxPrincipalGroups cluster property.
To manage roles:
- In the Policy Manager, select [Tasks] > Manage Roles from the Main Menu (on the browser client, from the Manage menu).

  The following table describes the various elements in the Manage Roles dialog:

  | Element | Description |
  | --- | --- |
  | Roles table | Displays all the roles in the system. "System" indicates roles that are factory-predefined and auto-created roles. "Custom" indicates roles created by end users. |
  | Create button | Click this to create a new custom role. For more information, see Create a Custom Role. |
  | Edit button | Click this to modify an existing custom role. For more information, see Edit a Custom Role. |
  | Remove button | Click this to delete a custom role. For more information, see Delete a Custom Role. |
  | Filter on name | This filters the roles list to display only those roles containing the filter text. Delete the filter text to restore the full list of roles. |
  | Assignments tab | Lists the users and/or groups that have been assigned to the role. Use this tab to add or remove users and groups from the role. For more information, see Add a User or Group to a Role and Remove a User or Group from a Role. |
  | Properties tab | Displays information about the role (Name, Type, Description). It also provides detailed information about the permissions granted by that role. For more information, see Understand Role Permissions. |

  The split bar may be used to adjust the spacing allocated to the Roles list vs. the Assignment/Properties tabs.
- Click [Close] when done.
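The following added example (not part of the product or its documentation) models the role rules described above for use in an offline access review: it resolves each user's roles from direct and group-based assignments, records how each role was obtained, and flags users whose group count exceeds a limit to compare against principalSessionCache.maxPrincipalGroups. The data layout, the function names, the group names, the user "raj" and the limit value are assumptions constructed for illustration.

```python
# Added example: offline model of role inheritance for an access review.
# All data is constructed; MAX_PRINCIPAL_GROUPS is a placeholder, not a product default.
MAX_PRINCIPAL_GROUPS = 3  # assumption: replace with your cluster property value

# Constructed sample: group memberships per user (e.g. exported from LDAP).
USER_GROUPS = {
    "bob": ["ops-team"],
    "sue": ["ops-team", "publishers"],
    "raj": ["g1", "g2", "g3", "g4", "ops-team"],
}
# Constructed sample: role assignments as shown on the Assignments tab.
ROLE_ASSIGNMENTS = {
    "Operators": {"users": [], "groups": ["ops-team"]},
    "Publish Web Services": {"users": ["sue"], "groups": []},
}

def effective_roles(user, user_groups, assignments):
    """Map each role the user holds to the ways it was obtained.

    A user receives the union of all roles assigned directly or through
    any group the user belongs to.
    """
    groups = set(user_groups.get(user, []))
    result = {}
    for role, assigned in assignments.items():
        sources = ["direct"] if user in assigned["users"] else []
        sources += [f"group:{g}" for g in sorted(groups & set(assigned["groups"]))]
        if sources:
            result[role] = sources
    return result

def over_group_limit(user_groups, limit):
    """Users whose distinct group count exceeds the configured limit."""
    return sorted(u for u, g in user_groups.items() if len(set(g)) > limit)

def review(user_groups, assignments, limit):
    """Build one report line per user for the access review."""
    flagged = set(over_group_limit(user_groups, limit))
    lines = []
    for user in sorted(user_groups):
        roles = effective_roles(user, user_groups, assignments)
        summary = "; ".join(f"{r} ({', '.join(s)})" for r, s in sorted(roles.items()))
        note = " [check group count against maxPrincipalGroups]" if user in flagged else ""
        lines.append(f"{user}: {summary or 'no roles'}{note}")
    return lines

if __name__ == "__main__":
    print("\n".join(review(USER_GROUPS, ROLE_ASSIGNMENTS, MAX_PRINCIPAL_GROUPS)))
```

Recording the source of each role makes indirect grants through groups visible, which are the assignments most often missed when reviewing who holds a role.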