cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
604
Views
0
Helpful
2
Replies

ACI explicit RBAC rules for exposing access policies

laurent.dewilde
Level 1
Level 1

I'd like to expose a subset of access policies such as VLAN pools, physical domains, AAEPs, leaf interface policy groups etc... to users linked to a security domain.

Therefore, a security domain has been created linked to a tenant and to a physical domain.
Next to this, I created explicit RBAC rules allowing access to certain access policies configuration. See picture below:

RBAC_fail_2.png

 However, when logging in with that user coupled with this particular domain, the "fabric" tab in the GUI is not accessible. Hence, I can't navigate to the access policies:

RBAC_fail.png

Any ideas on how to overcome this?

ACI 5.2.7f is used.

Thanks a lot!

Laurent

 

2 Replies 2

RedNectar
VIP
VIP

Hi @laurent.dewilde ,

I've been pretty busy this past week and had hoped that someone would have replied by now.

Unfortunately, what you want is not possible in ACI. In my humble opinion, the scenario you describe is a bug. The only way I've found to get around the problem is to:

  1. Create an Explicit Rule for uni/infra which allows writes- I don't think you'll need all those shown in your screendump
    RedNectar_0-1700383541732.png

     

  2.  Next, create Node Rules for each leaf you want the user to be able to configure, linking it to the relevant Security Domain
    RedNectar_1-1700383975027.png

     

  3. Finally, give the user Read privileges to the access-admin role in the special security domain all (unfortunately, this has a undesirable side effect which I'll discuss later).  I'll assume that you have already given the user write privileges to the admin role for the security domain you are working with (in your example above, the laurent securty domain, in mine the T18_SecDom
    RedNectar_2-1700384137814.png

     

With that done, you should be able to log in using that user account and creat/assign policies and profiles WITH A COUPLE OF EXCEPTIONS

The exceptions are that the user will not be able to create Domains (or Tenants - but I imagine that is not a problem). The reason for that is because Phys and L3 Domains are child objects of uni in the MIT.  If you changed step 1 above to a RBAC rule giving write access to uni, then the user WOULD BE ABLE TO create phy and L3 domains. AND EDIT EVERY OBJECT FOR EVERY TENANT and I suspect that is exactly what you are trying to avoid!!!!

The drawback:

Since you have given read access to a privilege in the all security domain, the user will be able to SEE everything - including all the other tenant and their configurations. What a bummer!

In short - Cisco really screwed up up the whole RBAC for ACI. 

RedNectar_3-1700385371556.png

BTW - there is another option you can play with. You can make a Security Domain a Restricted Domain - but in my opinion it is too restrictive, and you still have to jump through the hoops I mentioned above to make it work.

 

 

RedNectar aka Chris Welsh.
Forum Tips: 1. Paste images inline - don't attach. 2. Always mark helpful and correct answers, it helps others find what they need.

laurent.dewilde
Level 1
Level 1

Thanks RedNectar,

I tested the recommendations you've made and by allowing the domain "all" with the "access-admin" role, the user has read-only access over the entire ACI fabric, which is not the intention.

Then, I created a custom role with only the "access-equipment" privilege and assigned this to the "all" domain.

This limits view access to the fabric somewhat. However, now for example the VLAN pools are not accessible anymore

I tested both with the "uni/infra" MO as well as with more specific MOs.

RBAC_3.png

Then, I added the "access-connectivity" privilege to the role, and then the VLAN pools are visible, along with nearly the entire ACI fabric config. => also not optimal.

In the end, we can conclude that making available selective items of the ACI fabric to certain users who are member of a domain using explicit RBAC rules is not possible in ACI, although it is mentioned in the ACI security configuration guide.

Must indeed be a bug.

Regards,

Laurent.

Review Cisco Networking for a $25 gift card

Save 25% on Day-2 Operations Add-On License