Managing Role-Based Access Control

The Cloud Services Portal offers role-based access control, allowing you to manage user access according to roles and permissions. By defining access policies, you can limit service and resource related responsibilities to specific user roles and groups. For example, BloxOne Threat Defense administrator permissions (as defined in the TD Administrator Role) can be restricted to the BloxOne Threat Defense admin user group (ib-td-admin), while read-only access for viewing configurations and reports is permitted for the BloxOne Threat Defense user group (ib-td-user). Similarly, BloxOne DDI administrator permissions (as defined in the DDI Administrator Role) are limited to the BloxOne DDI admin user group (ib-ddi-admin), with read-only access granted to the BloxOne DDI user group (ib-ddi-user) solely for viewing configurations and reports.

To empower administrators to oversee and control a specific part of the overall environment within the organization, you can configure granular permissions by utilizing compartments within your BloxOne account. If your organization’s infrastructure requires divisional teams to manage their own sets of users and resources, you can create compartments and assign access policies to specific user groups. This enables users to access and manage their respective resources within these compartments. By utilizing compartments, your corporate admins retain control over the entire corporate infrastructure, while divisional admins and users can independently manage their designated resources without gaining excessive access to other areas. The compartment feature can therefore effectively limit visibility and control while granting autonomy to relevant users. For more information about compartments, see Configuring Compartments. Note that the compartment feature is available only for users participating in the Early Access Program (EAP). For information about the EAP, visit Infoblox Early Access Program.

This system of role-based access control is primarily focused on service and resource accessibility, granting explicit permissions for users or groups based on their responsibilities within your organization related to viewing, starting and stopping services, or configuring tasks and features.

The Cloud Services Portal provides several default user roles, user groups, and access policies as a quick-start configuration, so you can quickly assign new users to user group(s) for them to gain access to relevant services and tasks. All default user groups are predefined in quick-start access policies that grant access to specific services and authorize specific users to a set of permissions, so they can perform specific responsibilities based on their roles. For example, the predefined Access Control Administrators Policy applies the Access Control Administrators Role to the access control admin user group (ib-access-control-admin), which grants all users in the ib-access-control-admin group permissions to view and configure licenses, users, user groups, and access policies. The Cloud Services Portal offers a few other access policies based on your license entitlements. You can use these quick-start configurations to quickly onboard your new users by placing them in their respective user groups, so they can gain access to the services to perform corresponding tasks. For more information, see Configuring Access Policies.

To set up role-based access control, use the following workflow to complete the tasks:

  1. Create new users and assign them to their respective user group(s) based on their respective roles and responsibilities within your organization. All users must belong to at least one user group. For more information, see Configuring Users.

  2. Review the default user groups and create additional groups (if needed) based on your business requirements and user responsibilities. For more information, see Configuring User Groups.

  3. Optionally, create compartments in your BloxOne account to address granular access control for divisional teams. For information, see Configuring Compartments. This feature is available only for users participating in the Early Access Program (EAP). For information about the EAP, visit Infoblox Early Access Program.

  4. Review the default access policies and create additional access policies (if needed) by applying user roles to respective user groups. Note that an access policy grants all users in a user group a set of permissions defined in the user role, so the users can access the services and perform the tasks associated with the selected user role. For more information, see Configuring Access Policies.

  5. Create new user roles if the predefined ones do not fit your organization's needs. For more information, see Creating Roles.
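As an added illustration (not Infoblox's code or API), the following Python sketch models how the pieces described in the compartment paragraph and in this workflow compose: an access policy binds one user role to one user group, optionally scoped to a compartment, and a user's effective permissions are the union across every policy whose group the user belongs to. The TD User Role name, the emea-td-admin group, the compartment names, and all permission strings are constructed placeholders.

```python
"""Toy model of the portal's RBAC as described above (constructed example).
An access policy binds one user role to one user group, optionally scoped to
a compartment. A user's effective permissions are the union over all policies
whose group the user belongs to. Role and permission names are placeholders.
"""
from dataclasses import dataclass, field
from typing import Optional

@dataclass(frozen=True)
class Role:
    name: str
    permissions: frozenset

@dataclass(frozen=True)
class AccessPolicy:
    role: Role
    group: str
    compartment: Optional[str] = None  # None = applies to the whole account

@dataclass
class User:
    name: str
    groups: set = field(default_factory=set)

# Constructed roles mirroring the page's defaults; permission strings are invented.
TD_ADMIN = Role("TD Administrator Role", frozenset({"td:view", "td:configure"}))
TD_USER = Role("TD User Role", frozenset({"td:view"}))

POLICIES = [
    AccessPolicy(TD_ADMIN, "ib-td-admin"),
    AccessPolicy(TD_USER, "ib-td-user"),
    # Divisional admins get full TD rights, but only inside their compartment.
    AccessPolicy(TD_ADMIN, "emea-td-admin", compartment="emea"),
]

def effective_permissions(user: User, policies, compartment: Optional[str] = None) -> frozenset:
    """Permissions the user holds in `compartment` (None = account level).
    Account-wide policies apply everywhere; a compartment-scoped policy only
    applies when evaluating that compartment. A user in no group gets nothing,
    matching the rule that every user must belong to at least one group.
    """
    granted = set()
    for p in policies:
        if p.group in user.groups and p.compartment in (None, compartment):
            granted |= p.role.permissions
    return frozenset(granted)

def is_allowed(user: User, permission: str, policies, compartment: Optional[str] = None) -> bool:
    return permission in effective_permissions(user, policies, compartment)
```

The divisional admin in the example can configure resources in the emea compartment but holds no permissions at account level or in any other compartment, which is the least-privilege split the compartment feature is meant to provide.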

Using role-based user access control, you can also define service account users and assign service API keys to them to facilitate API authentication. Service users are account users dedicated to communicating with the BloxOne API when performing specific tasks. For example, you can use a service API key to authenticate an API call that automates generating reports on the Cloud Services Portal and sending the report to yourself via email. The service API key is the authentication token that you include in your API requests. You can also create service users and service API keys for user management purposes. For example, you can create a service user called "SCIM delete user" and associate this user with a service API key to delete invalid users in a systematic manner and automate the cleanup process for invalid users. Invalid users can be those who have left your company or those who are not allowed to log in to your system for specific reasons. For information about service API keys, see Configuring Service API Keys.

To set up service users and service API keys, complete the following:

  1. Create a service account user. For more information, see Configuring Users.

  2. Create a service API key and assign it to a service user. For more information, see Configuring Service API Keys.