NSX Advanced Load Balancer provides role-based access control (RBAC) for granular control over who can configure, manage, and monitor applications within NSX Advanced Load Balancer.

RBAC can be implemented at field level. This section covers the use of sub-resources to implement RBAC per field.

Granular RBAC per-Field

With granular RBAC per field, a user can be allowed to update an object while the update is restricted to a specific set of fields.

For example, allow users to:

  • Enable or disable GSLB service groups, but restrict updating any other fields in the GSLB object

  • Enable or disable a virtual service, but restrict updating any other virtual service configuration

  • Add, remove, or update the pool servers, but restrict updating any other pool configuration

Sub-resources

To implement per-field RBAC, sub-resources are introduced for the existing resources. Each sub-resource is associated with a specific field, feature, or set of fields within the object. When a sub-resource is configured on a resource with write access, an update to the object is allowed only if the fields covered by those sub-resources are the only fields changed. Read access is allowed for the full object, but create and delete are not allowed by that permission. Sub-resources can be combined to allow users to configure multiple fields or features in an object.

To define access for sub-resources, two flags are introduced: allow edit to only [subresource(s)] and allow edit of entire object except for [subresource(s)].

For example, configure a role with sub-resources as shown below.

[admin:10]: > configure role Pool-Enabled-Role
[admin:10]: role> privileges
New object being created
[admin:10]: role:privileges> type write_access
[admin:10]: role:privileges> resource permission_pool
[admin:10]: role:privileges> subresource
[admin:10]: role:privileges:subresource> subresources subresource_pool_enabled
[admin:10]: role:privileges:subresource> save
[admin:10]: role:privileges> save
[admin:10]: role> save

The resulting role configuration is shown below.

+--------------------------+-------------------------------------------+
| Field                    | Value                                     |
+--------------------------+-------------------------------------------+
| uuid                     | role-c5d28445-995c-44b8-9677-610bb20cb2e7 |
| name                     | Pool-Enabled-Role                         |
| privileges[1]            |                                           |
|   type                   | WRITE_ACCESS                              |
|   resource               | PERMISSION_POOL                           |
|   subresource            |                                           |
|     exclude_subresources | False                                     |
|     subresources[1]      | SUBRESOURCE_POOL_ENABLED                  |
| tenant_ref               | admin                                     |
+--------------------------+-------------------------------------------+
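The following Python is an added example, not code from the NSX Advanced Load Balancer documentation or product. It builds a role body with the same field layout as the CLI output above (type, resource, subresource, exclude_subresources, subresources) and then models the enforcement rule described earlier: a write privilege scoped to sub-resources permits a PUT only when every changed field belongs to one of the allowed sub-resources, the "except for" flag (read here as exclude_subresources) inverts that check, and create or delete is denied by such a privilege. The mapping from sub-resource names to the object fields they govern is an assumption made for illustration and is not taken from the page; the sample pool objects are constructed.

```python
"""Added example: model NSX ALB per-field RBAC semantics offline.

Not product code. SUBRESOURCE_FIELDS is an ASSUMED mapping from sub-resource
enum names to the object fields they govern, used only to illustrate the rule.
"""
from typing import Any, Dict, Iterable, Optional, Set

# ASSUMPTION: which object fields each sub-resource governs.
SUBRESOURCE_FIELDS: Dict[str, Set[str]] = {
    "SUBRESOURCE_POOL_ENABLED": {"enabled"},
    "SUBRESOURCE_POOL_SERVERS": {"servers"},
    "SUBRESOURCE_VIRTUALSERVICE_ENABLED": {"enabled"},
}


def build_role_payload(name: str, resource: str, subresources: Iterable[str],
                       exclude: bool = False, tenant: str = "admin") -> Dict[str, Any]:
    """Return a role body laid out like the CLI output (privileges -> subresource)."""
    return {
        "name": name,
        "tenant_ref": tenant,
        "privileges": [{
            "type": "WRITE_ACCESS",
            "resource": resource,
            "subresource": {
                "exclude_subresources": exclude,
                "subresources": list(subresources),
            },
        }],
    }


def changed_fields(old: Dict[str, Any], new: Dict[str, Any]) -> Set[str]:
    """Top-level fields whose value differs between the stored and the submitted object."""
    return {k for k in set(old) | set(new) if old.get(k) != new.get(k)}


def governed_fields(subresources: Iterable[str]) -> Set[str]:
    """Union of the fields governed by the listed sub-resources (per the assumed mapping)."""
    fields: Set[str] = set()
    for name in subresources:
        fields |= SUBRESOURCE_FIELDS[name]
    return fields


def is_action_permitted(privilege: Dict[str, Any], action: str,
                        old: Optional[Dict[str, Any]] = None,
                        new: Optional[Dict[str, Any]] = None) -> bool:
    """Decide whether one WRITE_ACCESS privilege allows GET/POST/PUT/DELETE on an object.

    Only WRITE_ACCESS privileges are modelled; anything else is denied here.
    """
    if privilege.get("type") != "WRITE_ACCESS":
        return False
    sub = privilege.get("subresource") or {}
    restricted = bool(sub.get("subresources"))
    if not restricted:
        return True                      # unrestricted write: all actions allowed
    if action == "GET":
        return True                      # read of the full object stays allowed
    if action in ("POST", "DELETE"):
        return False                     # create/delete not granted by a scoped write
    if action != "PUT" or old is None or new is None:
        return False
    changed = changed_fields(old, new)
    governed = governed_fields(sub["subresources"])
    if sub.get("exclude_subresources"):
        return not (changed & governed)  # may edit anything except governed fields
    return changed <= governed           # may edit only governed fields


if __name__ == "__main__":
    # Constructed sample: the role from the CLI session, applied to a pool edit.
    role = build_role_payload("Pool-Enabled-Role", "PERMISSION_POOL",
                              ["SUBRESOURCE_POOL_ENABLED"])
    priv = role["privileges"][0]
    stored = {"name": "pool-1", "enabled": True, "servers": [{"ip": "10.0.0.1"}]}
    disabled = dict(stored, enabled=False)
    new_server = dict(stored, servers=[{"ip": "10.0.0.1"}, {"ip": "10.0.0.2"}])
    print("disable pool:", is_action_permitted(priv, "PUT", stored, disabled))
    print("add server:  ", is_action_permitted(priv, "PUT", stored, new_server))
    print("create pool: ", is_action_permitted(priv, "POST"))
```

The body returned by build_role_payload has the same shape as the role object shown in the table, so it is the kind of document you would submit to the controller's role endpoint; the check functions are only a local model of the rule and do not replace the controller's own authorization.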

Sub-resources enable the user to execute a specific function within the object.

All available sub-resources are listed below.

+------------------------------------------------------+------------------------------------------+
| Sub-resource                                         | Function                                 |
+------------------------------------------------------+------------------------------------------+
| SUBRESOURCE_POOL_ENABLED                             | Add/update/disable pool servers          |
| SUBRESOURCE_POOL_SERVERS                             | Add/update/remove pool servers           |
| SUBRESOURCE_POOL_SERVER_ENABLED                      | Enable/disable pool servers              |
| SUBRESOURCE_VIRTUALSERVICE_ENABLED                   | Enable/disable virtual servers           |
| SUBRESOURCE_GSLBSERVICE_ENABLED                      | Enable/disable GSLB service objects      |
| SUBRESOURCE_GSLBSERVICE_GROUPS                       | Update GSLBservice groups                |
| SUBRESOURCE_GSLBSERVICE_GROUPS_ENABLED               | Enable/disable GSLBservice groups        |
| SUBRESOURCE_GSLBSERVICE_GROUP_MEMBERS                | Update GSLBservice group members         |
| SUBRESOURCE_GSLBSERVICE_GROUP_MEMBER_ENABLED         | Enable/disable GSLBservice group members |
| SUBRESOURCE_VIRTUALSERVICE_AUTO_ALLOCATE_FLOATING_IP | Enable/disable auto-allocate floating IP |
+------------------------------------------------------+------------------------------------------+

Note:

Prior to NSX Advanced Load Balancer version 22.1.1, it was only possible to control the update (PUT) action on a resource's fields. Starting with NSX Advanced Load Balancer version 22.1.1, if access is not allowed for any field, creation of objects is not permitted either.