
Purpose

Demonstrate opFlowSP Role Based Access Control (RBAC) feature.

Feature Description

Service providers may want to allow customers to view flow statistics for their own interfaces while preventing them from viewing other customers' interfaces. This feature provides that separation.

Order of Operation

  • Create a role (GUI)
  • Create a user and assign a role (GUI)
  • Create an object with a privilege tag (CLI)
  • Associate the privilege tag with a role (CLI)

Configuration

Create a Role

From the opFlowSP main page, top menu bar, select System -> Portal Roles.  This should render the following page.

...

Click the blue '+' button to add a role.  At a minimum enter a name and click 'Add'.

Create a User

From the opFlowSP top menu bar, select System -> Portal Users. This should render the following page.

...

  • Add a username
  • From the Role drop down menu, choose a previously provisioned Role.
  • Enter a password

Create an Object with a Privilege Tag

This step is accomplished via the CLI. In this context an object is a specific interface on a network device.

Code Block
root@spflow:~# /usr/local/omk/bin/oprbac_admin.exe act=create-object path=root,opflowsp,agent,10.10.1.1,interface,3 read_privileges=CustomerA_read
created new object

Syntax

/usr/local/omk/bin/oprbac_admin.exe act=create-object path=root,opflowsp,agent,<IP Address>,interface,<SNMP IF Number> read_privileges=<Privilege Tag>

  • IP Address:  The IP address that the network device uses to source flow data.
  • SNMP IF Number:  This is the SNMP index number of the interface in question.
  • Privilege Tag:  This tag is user defined and will be assigned to a role in the next step.

Associate a Privilege Tag with a Role

This step is also accomplished via the CLI.

Code Block
root@spflow:~# /usr/local/omk/bin/oprbac_admin.exe act=update-role name=CustomerA privileges=CustomerA_read
updated role.

Syntax

/usr/local/omk/bin/oprbac_admin.exe act=update-role name=<Role Name> privileges=<Privilege Tag>

  • Role Name:  The role that the user is assigned to.
  • Privilege Tag:  The privilege tag associated with the interface object(s) created in the previous step; users holding this role are allowed to view those interfaces.
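The two CLI steps above (creating interface objects with a privilege tag, then attaching the tag to a role) are usually repeated for several interfaces per customer. The script below is an added example, not part of the opFlowSP documentation or the project's own tooling. It assumes only what this page shows: that oprbac_admin.exe accepts act=create-object with path=root,opflowsp,agent,<IP Address>,interface,<SNMP IF Number> read_privileges=<Privilege Tag>, and act=update-role with name=<Role Name> privileges=<Privilege Tag>. The input checks, the ip:ifindex pair format, the DRY_RUN switch and the token restriction on tag and role names are this script's own conventions.

```shell
#!/bin/sh
# Added example, not from the opFlowSP documentation or the project's own tooling.
# Assumes only the two oprbac_admin.exe invocations shown on this page; every
# check and convention below (ip:ifindex pairs, DRY_RUN, token rule) is ours.

OPRBAC_ADMIN="${OPRBAC_ADMIN:-/usr/local/omk/bin/oprbac_admin.exe}"
DRY_RUN="${DRY_RUN:-1}"   # 1 = only print the commands; 0 = execute them

# True if $1 is a dotted-quad IPv4 address with every octet in 0..255.
# This must be the address the device SOURCES flow data from (see the
# IP Address note above), not necessarily its management address.
is_ipv4() {
  case "$1" in ''|*[!0-9.]*) return 1 ;; esac
  set -- $(printf '%s' "$1" | tr '.' ' ')
  [ $# -eq 4 ] || return 1
  for _octet in "$@"; do
    [ "$_octet" -le 255 ] || return 1
  done
  return 0
}

# True if $1 is a positive integer (SNMP ifIndex values start at 1).
is_ifindex() {
  case "$1" in ''|*[!0-9]*) return 1 ;; esac
  [ "$1" -ge 1 ]
}

# True if $1 is a plain token (letters, digits, underscore). Keeping tags and
# role names to this alphabet is our own restriction, not opFlowSP's.
is_token() {
  case "$1" in ''|*[!A-Za-z0-9_]*) return 1 ;; esac
  return 0
}

# Object path for one interface, spelled exactly as the page's create-object call.
object_path() {
  printf 'root,opflowsp,agent,%s,interface,%s' "$1" "$2"
}

# Print the create-object command for <ip> <ifindex> <tag>; fail on bad input.
create_object_cmd() {
  is_ipv4 "$1"    || { echo "rejected: bad IP address '$1'" >&2; return 1; }
  is_ifindex "$2" || { echo "rejected: bad SNMP ifIndex '$2'" >&2; return 1; }
  is_token "$3"   || { echo "rejected: bad privilege tag '$3'" >&2; return 1; }
  printf '%s act=create-object path=%s read_privileges=%s\n' \
    "$OPRBAC_ADMIN" "$(object_path "$1" "$2")" "$3"
}

# Print the update-role command for <role> <tag>; fail on bad input.
update_role_cmd() {
  is_token "$1" || { echo "rejected: bad role name '$1'" >&2; return 1; }
  is_token "$2" || { echo "rejected: bad privilege tag '$2'" >&2; return 1; }
  printf '%s act=update-role name=%s privileges=%s\n' "$OPRBAC_ADMIN" "$1" "$2"
}

# Echo a command in dry-run mode, otherwise execute it.
run_cmd() {
  if [ "$DRY_RUN" = 1 ]; then echo "+ $*"; else "$@"; fi
}

# provision_customer <role> <tag> <ip>:<ifindex>...
# Validates every pair before touching anything, so one typo does not leave a
# role half-provisioned; then creates the objects and attaches the tag to the role.
provision_customer() {
  _role=$1 ; _tag=$2 ; shift 2
  for _pair in "$@"; do
    create_object_cmd "${_pair%%:*}" "${_pair#*:}" "$_tag" >/dev/null || return 1
  done
  update_role_cmd "$_role" "$_tag" >/dev/null || return 1
  for _pair in "$@"; do
    run_cmd $(create_object_cmd "${_pair%%:*}" "${_pair#*:}" "$_tag")
  done
  run_cmd $(update_role_cmd "$_role" "$_tag")
}

# Constructed sample: two interfaces on the device from the page, dry run by default.
provision_customer CustomerA CustomerA_read 10.10.1.1:3 10.10.1.1:4
```

Run it as-is to see the commands it would issue, then with DRY_RUN=0 on the opFlowSP host to apply them. Because the object path is keyed on the flow-source IP and the SNMP ifIndex, an object created for the wrong address or index simply never matches and the customer sees nothing for that interface; the verification login described below is the check that the pairs were right.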

Verification

Log in as the newly configured user and verify only the allowed interfaces are available.

...