To implement robust object-level access control, the TCA Orchestrator offers a well-defined inventory model to ensure that TCA system administrators can easily assign permissions to CNF users based on RBAC. The TCA system RBAC is based on the design principle of assigning roles and privileges at the highest object level and using advanced filters to assign or group object permissions to child objects in the inventory.

TCA creates a set of system default roles out of the box. Custom roles can be built on top of permissions exposed by default system roles and can only be created by a TCA Admin. In addition, any role can have multiple filters associated with rules. Filters can be defined based on CNF vendor, object tags, and so on. The TCA framework evaluates all the filters across all rules as a boolean AND of all filter results.
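To make the evaluation rules above concrete, here is an added illustration (not TCA's own code or API; every class, function and role name is an assumption) of a role model in which custom roles can only draw on actions exposed by a base system role, and an object-level check that ANDs every filter of every rule in the role. The sample roles and inventory objects are constructed for the example. It also shows the consequence of the AND semantics that a practitioner should watch for: two rules that each scope a different object kind deny every object.

```python
from dataclasses import dataclass, field
from typing import Callable, FrozenSet, List, Set

# Hypothetical model of TCA-style RBAC: roles made of rules, each rule carrying
# an action set and a list of object filters. Added illustration, not TCA's
# code or API; class, function and role names are assumptions.


@dataclass(frozen=True)
class InventoryObject:
    """One inventory object (VIM, catalog entry, CNF instance, ...)."""
    name: str
    kind: str                          # "vim", "catalog", "cnf", ...
    vendor: str
    tags: FrozenSet[str] = frozenset()


# A filter is a predicate over an inventory object.
Filter = Callable[[InventoryObject], bool]


def vendor_is(vendor: str) -> Filter:
    return lambda obj: obj.vendor == vendor


def has_tag(tag: str) -> Filter:
    return lambda obj: tag in obj.tags


def kind_in(*kinds: str) -> Filter:
    allowed = set(kinds)
    return lambda obj: obj.kind in allowed


@dataclass
class Rule:
    actions: Set[str]
    filters: List[Filter] = field(default_factory=list)


@dataclass
class Role:
    name: str
    rules: List[Rule]


# Constructed sample of "default system roles"; the real TCA defaults differ.
SYSTEM_ROLES = {
    "System Admin": Role("System Admin",
                         [Rule({"read", "write", "instantiate", "terminate", "delete"})]),
    "CNF Operator": Role("CNF Operator",
                         [Rule({"read", "instantiate", "terminate"})]),
}


def permissions_of(role: Role) -> Set[str]:
    """Union of the actions granted by every rule of the role."""
    return set().union(*(rule.actions for rule in role.rules))


def is_valid_custom_role(base: str, rules: List[Rule]) -> bool:
    """A custom role may only use actions exposed by its base system role."""
    requested = set().union(*(rule.actions for rule in rules))
    return requested <= permissions_of(SYSTEM_ROLES[base])


def create_custom_role(name: str, base: str, rules: List[Rule]) -> Role:
    if not is_valid_custom_role(base, rules):
        raise ValueError(f"{name!r} requests actions not exposed by {base!r}")
    return Role(name, rules)


def is_allowed(role: Role, action: str, obj: InventoryObject) -> bool:
    """Object-level check: the action must be granted by some rule, and every
    filter of every rule in the role must accept the object (boolean AND
    across all filters of all rules)."""
    if action not in permissions_of(role):
        return False
    return all(flt(obj) for rule in role.rules for flt in rule.filters)


# Constructed sample: two groups sharing one persona but split by vendor filter.
vendor_a_operator = create_custom_role(
    "CNF Operator - Vendor A", "CNF Operator",
    [Rule({"read", "instantiate"}, [vendor_is("vendor-a"), has_tag("prod")])])
vendor_b_operator = create_custom_role(
    "CNF Operator - Vendor B", "CNF Operator",
    [Rule({"read", "instantiate"}, [vendor_is("vendor-b")])])

# Pitfall: filters in separate rules still AND together, so two rules that
# each scope a different object kind end up denying every object.
over_scoped = create_custom_role(
    "Contradictory", "CNF Operator",
    [Rule({"read"}, [kind_in("vim")]), Rule({"read"}, [kind_in("catalog")])])

cnf_a_prod = InventoryObject("cnf-a-01", "cnf", "vendor-a", frozenset({"prod"}))
cnf_a_lab = InventoryObject("cnf-a-lab", "cnf", "vendor-a", frozenset({"lab"}))
cnf_b_prod = InventoryObject("cnf-b-01", "cnf", "vendor-b", frozenset({"prod"}))
vim_a = InventoryObject("vim-a", "vim", "vendor-a")


if __name__ == "__main__":
    for role in (vendor_a_operator, vendor_b_operator, over_scoped):
        for obj in (cnf_a_prod, cnf_a_lab, cnf_b_prod, vim_a):
            print(f"{role.name:26} read {obj.name:10} -> {is_allowed(role, 'read', obj)}")
```

The vendor-A and vendor-B roles carry identical actions, so only their filters separate the two groups' objects; that is the mechanism the custom-permissions decision below relies on. The `over_scoped` role shows why filters that are meant to widen access must live in the same rule, or in separate roles, rather than in separate rules of one role.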

Design Decision: Use TCA custom roles to create personas that align with operational processes.

Design Justification:

  • Custom roles are built based on permissions exposed by default system roles.

  • TCA admins can use custom roles to add or remove permissions required by a different persona.

Design Implication:

  • Maintaining custom roles can be operationally expensive if requirements are not defined properly.

  • Adopt a custom role after the operational requirements are solidified.

Design Decision: Use TCA custom permissions to create advanced filter rules for the VIM, catalog, and inventory access control.

Design Justification:

  • Custom permissions ensure that objects created by one group of users are not accessible by a different group of users of the same role.

Design Implication:

  • Maintaining custom permissions can be operationally expensive if organizational alignments are not well defined.

  • TCA admins must ensure that the right permissions are assigned to the right group of users.