Oracle® Fusion Middleware
Part 8. Manage user access

Role-Based Access Control (RBAC) enables you to restrict system access to authorized users based on their assigned roles. Using the RBAC model, permissions to perform specific system operations are assigned to specific roles, and system users are granted permission to perform specific operations only through their assigned roles. This simplifies system administration because users do not need to be assigned permissions directly, and instead acquire them through their assigned roles.

The API Gateway uses the RBAC permissions model to ensure that only users with the assigned role can access parts of the management services exposed by the Admin Node Manager. For example, this includes access to traffic monitoring data or making a configuration change by deploying to a group of API Gateways. The following diagram shows an overview of the RBAC model in the API Gateway:

	Note
	This topic applies to both API Gateway and API Gateway Analytics.

API Gateway Manager

The web-based API Gateway Manager tool (https://localhost:8090) is a centralized dashboard for managing and monitoring the API Gateway, and is controlled by RBAC. Users connecting to this URL with different roles results in different features being displayed.

For example, users with the API Server Administrator role has read/write access in the API Gateway Manager tool. However, users in the API Server Operator have only read access in the API Gateway Manager tool.

For more details on the tools and privileges assigned to specific user roles, see the topic on Manage Admin users.

Protected management services

The Admin Node Manager exposes a number of REST management services, which are all protected by RBAC. For example, the exposed services and the associated tools that use them include the following:

RBAC user roles

User access to management services is determined by their role(s). Each role has a defined set of management services that it can access. A Management Service is defined by the URI used to access it, for example:

For full details on the default roles that have access to each Management Service, see the section called “Management service roles and permissions”.

By default, all the user credentials are stored in a local admin user store in the following file:

INSTALL_DIR/conf/adminUsers.json

INSTALL_DIR is the directory where the API Gateway is installed as Admin Node Manager.

The following shows an example file:

{
  "productVersion" : "11.1.2.4.0",
  "version" : 1,
  "timestamp" : 0,
  "adminUsers" : [ {
    "id" : "user-1",
    "name" : "admin",
    "roles" : [ "role-1", "role-6", "role-7" ]
  } ],
  "credentials" : {
    "user-1" : "$ygvfNZsiLEcQJGMe8vqmqw==$2jcZcvFctadAISBuvhJqt9NfUtk7zeoOHo8cFMySjvw="
  },
  "adminUserRoles" : [ {
    "id" : "role-1",
    "name" : "API Server Administrator"
  }, {
    "id" : "role-2",
    "name" : "API Server Operator"
  }, {
    "id" : "role-5",
    "name" : "Deployer"
  }, {
    "id" : "role-6",
    "name" : "KPS Administrator"
  }, {
    "id" : "role-7",
    "name" : "Policy Developer"
  } ],
  "uniqueIdCounters" : {
    "Role" : 8,
    "User" : 2
  },
  "adminUsersVersion" : {
    "version" : 1,
    "timestamp" : 0
  }
}

The credentials from this file are used to authenticate and perform RBAC on all accesses to the management services. This store holds the user credentials, so their passwords can be verified, and also holds their roles. Credentials and associated roles can also be retrieved from an LDAP Directory Server (for example, Microsoft Active Directory or OpenLDAP).

$<salt-value>==$<password-digest>=

$d5pSA0kJ24USYWb19b3fyw==$+NuXNIEVIZInirQmD8HI9XinrqbPcmG0G6wgNY/8CH0=

$rLZ8yVIDVwN/NMcuxp5B+Q==$zJBpjQH0zGHhr2uR05YTOk+hMxK1w1xyzk4J1IR95Qs=
$myCJnKEHRB5DMyyfaDA+Kw==$YKqMxFagu9kpqBP/Uug4UcwCEJgRG2nFm2RrJQnwOBc=
$hazgC9Kf/93zS0V2VvOx6Q==$5LEpsXQNSph/ZVbSpJ5UwJUo0JU9nKPSWpii+6pzxI4=

The Access Control List file (acl.json) is located in the conf directory of your API Gateway installation. This file lists each role and the management services that each role may access. By default, this file defines the following roles:

The default admin user is assigned the API Server Administrator, KPS Administrator, and Policy Developer roles by default, which together allow access to everything. For full details on the management services that each role has access to, and the permissions that must be listed in the acl.json file to have access to them, see the table in the section called “Management service roles and permissions”.

Important

The roles defined in the acl.json file should exist in the user store used to authenticate the users and load their roles and/or groups. The default roles are defined in the local Admin User store, which is used to control access to the management services using the Protect Management Interfaces policy. If a different user store is used (for example, an LDAP repository), the LDAP groups should be listed in the acl.json and adminUsers.json files .

Access Control List file format

Each role entry in the acl.json file has the following format:

"role-name" : [ <list_of_permission_names> ]

The permissions consist of operations that are defined by HTTP methods and URIs:

“permission-name” : { <list_of_operation_names> }
“operation-name” : {
	"methods" : [ <list of HTTP Methods> ],
	"paths" : [ <list of path-names> ]
}

“path-name” : {
	"path" : <URI>
}

This file entry format is described as follows:

Example Access Control List file

The following example shows roles and permissions to URIs:

"paths" : {
	"root" : { "path" : "/" },
	"emc pages" : { "path" : "/emc/*" },
	"site images" : { "path" : "/images/*" },
	"dojo resources" : { "path" : "/dojo/*" },
	....
	}

},

"operations" : {
	"emc_read_web" : {
	"methods" : [ "GET" ],
	"paths" : [ "emc pages", "dojo resources" ]
	},
	
	"common_read_web" : {
	"methods" : [ "GET" ],
	"paths" : [ "root", "site images" ]
	},
	....
},

"permissions" : {
	"emc" : [ "common_read_web", "emc_read_web" ],
	"config" : [ "configuration" ],
	"deploy" : [ "deployment", "management" ],
	...
},

“roles” : {
	"Policy Developer" : [ "deploy", "config"]
	...
}

You can use the API Gateway Manager to configure the users and roles in the local Admin User store. Click the Settings > Admin Users to view and modify user roles (assuming you have a role that allows this). This screen is displayed as follows:

Manage RBAC user roles

When you click Create to create a new user, you can select the roles to assign to the that new user. New users are not assigned a default role. While users that are replicated from an LDAP repository do not require a role to be assigned to them. You can click Edit to changed the roles assigned to a selected user.

Add a new role to the user store

When you add a new role to the Admin User store, you must modify the available roles in the adminUsers.json and acl.json files in the conf directory of your Admin Node Manager installation. You must add the new role to the roles section of the acl.json file, which lists all the permissions that the new role may have.

Important

You must update the acl.json before you add the roles to the Admin User store. The RBAC policy object automatically reloads the acl.json file each time you add or remove a role in the Policy Studio. When you update the acl.json file, you must restart the Admin Node Manager to reload the acl.json file. However, the Admin Node Manager does not need to be rebooted or refreshed if a user’s roles change.

For more details on managing user roles, see the topic on Manage Admin users.

You can use the following table for reference purposes when making changes to the acl.json file. It defines each Management Service, and the default roles that have access to them. It also lists the permissions that must be listed in the acl.json file to have access to the Management Service.