RBAC - Role Based Access Control (tomcat-users.xml)
The AdminConsole authorization model is based on role-based access control. Roles and Policies are defined for each service, and they determine the access privileges a user or a group of users has in the system. RBAC is made of four elements:
- Roles: Bring Users, Groups, and Policies together. Roles define what users can do with a resource.
- Users: Principal that is requesting access to a resource.
- Policies: List of rules that defines access to a resource.
- Resources: Things you want to grant access to.
Role Definition for AdminConsole
The roles defined for AdminConsole are per service rather than per resource: each service defines the roles required to access that particular service. For instance, the Policy Service defines the roles used by Segments and Roles within a policy. Roles are not defined per resource or entity, because segments and policy roles cannot be accessed outside the context of a policy.
| Role Name | Role Description | Role Privilege | Role Association |
|-----------|------------------|----------------|------------------|
| AC_CYCLE | Cycle Read Access | GET | Cycle |
| AC_ADMIN | Admin Console Administrator | Permit All | All Services |
Adding Roles
Add the required roles by using the <role> tag in the tomcat-users.xml file.
Example: <role rolename="AC_ADMIN" />
Every role that is required must be declared using the above syntax.
Adding Users and Roles Association
Users and their role associations are defined using the <user> tag in the same file.
Example: <user password="qatester3" roles="AC_ADMIN" username="qatester3"/>
A single user can be associated with multiple roles by listing them comma-separated in the roles attribute, as given below:
Example: <user password="qatester3" roles="AC_ADMIN, AC_CYCLE" username="qatester3"/>