The Policy Manager uses security roles that control user permissions. A user must be assigned to at least one of these roles in order to connect to the and perform administrative tasks in the Policy Manager. The Policy Manager has a number of factory-defined roles, plus you can create your own custom roles to tailor permissions specifically. In addition, performing certain tasks automatically create accompanying security roles. These auto-created roles are the "Manage [name]..." and "View [name]..." roles in .
The Policy Manager uses security roles that control user permissions. A user must be assigned to at least one of these roles in order to connect to the
API Gatewayand perform administrative tasks in the Policy Manager. The Policy Manager has a number of factory-defined roles, plus you can create your own custom roles to tailor permissions specifically. In addition, performing certain tasks automatically create accompanying security roles. These auto-created roles are the "Manage
[name]..." and "View
[name]..." roles in Predefined Roles and Permissions.
The auto-creation of these roles can be turned off by using the
rbac.autoRole.manage<name>.autoAssigncluster properties, where
"<name>"is "Policy", "Provider", or "Service".
(1) Performing certain tasks may automatically create accompanying security roles. (2) Some entities cannot be edited, even with the 'Administrator' role. These are entities installed by LDAP Identity Provider can be assigned to roles.
A user added to a role automatically inherits all the permissions defined for that role. If a user is added to multiple roles, the user receives permissions from
allthe roles. For example, user Bob is a member of the
Operatorsrole. He can view (but not update) anything in the system. Sue is a member of the
Publish Web Servicesroles. She can view anything in the system and also publish web services.
Users may be added to roles either directly or indirectly when a group to which a user belongs is added to a role.
Role-based permissions provide a fast and flexible way to control user operations and maintain the integrity of your data.
For a description of all the predefined roles in Policy Manager, see Predefined Roles and Permissions.
If a user has the same username and password in both the internal identity provider and in a LDAP identity provider, the Policy Manager will use the roles associated with the internal identity provider first. If multiple users share a login ID, they are differentiated by their passwords.
If a user is denied permission to perform a task and you are certain that permission has been granted, check whether the number of group memberships for that user exceeds the
To manage roles:
- In the Policy Manager, select[Tasks] > Users and Authentication > Manage Rolesfrom the Main Menu (on the browser client, from theManagemenu).The following table describes the various elements in the Manage Roles dialog:ElementDescriptionRoles tableDisplays all the roles in the system. "System" indicates roles that are factory-predefined and auto-created roles. "Custom" indicates roles created by end users.Create buttonClick this to create a new custom role. For more information, see Create a Custom Role.Edit buttonClick this to modify an existing custom role. For more information, see Edit a Custom Role.Remove buttonClick this to delete a custom role. For more information, see Delete a Custom Role.Filter on nameThis filters the roles list to display only those roles containing the filter text. Delete the filter text to restore the full list of roles.Assignments tabLists the users and/or groups that have been assigned to the role. Use this tab to add or remove users and group from the role. For more information, see Remove a User or Group from a Role.Properties tabDisplays information about the role (Name, Type, Description). It also provides detailed information about the permissions granted by that role. For more information, see Understand Role Permissions.Use the split bar to adjust the spacing allocated to the Roles list vs. the Assignment/Properties tabs.
- Click [Close] when done.