Layer7 API Management

Expand all | Collapse all

What is the drawback of turning off the autocreation of Manage service/policy/folder roles

Jump to Best Answer
  • 1.  What is the drawback of turning off the autocreation of Manage service/policy/folder roles

    Posted 07-26-2017 05:21 PM

    I find role management a little convoluted in the API Gateway.  The list of roles is ridiculously long for a gateawy with many folders and services due to the auto-created "Manage" and "View"   roles. According to the documentation

     

    "Tip: The auto-creation of these roles can be turned off by using the rbac.autoRole.manage<name>.autoAssign cluster properties, where "<name>" is "Policy", "Provider", or "Service". "   I have the following questions:

     

    1. What is the negative consequences of turning this off?  I believe if I can explicity grant group/user access to certain folders then they will inherit the ability to manage the subfolders and polices/services therein? Correct?

     

    2. If I user this cluster property turn off this autocreation, will it have any effect on the already existing roles



  • 2.  Re: What is the drawback of turning off the autocreation of Manage service/policy/folder roles

    Posted 08-02-2017 04:46 PM

    Good afternoon,

     

    The feature to auto create roles has been apart of the product since the early days and was included to help with just adding user to existing roles. Also in the beginning we didn't have robust roles creation. We have fleshed out the manual role creation to be more configurable.

     

    In response to you questions:

     

    1) The only negative effect is that you will need to add roles for services if you need that level of granularity. We find that people will add the rights to existing roles, use roles with broader controls (Publish WebServices, etc),  or even use security zones ( Understanding Security Zones - CA API Gateway - 9.2 - CA Technologies Documentation). The positive side of disabling this feature is that it will keep you roles list smaller and more manageable.

    2) Turn off the functionality will not affect existing roles.

     

    Sincerely,

     

    Stephen Hughes

    Director, CA Support



  • 3.  Re: What is the drawback of turning off the autocreation of Manage service/policy/folder roles

    Posted 08-03-2017 03:03 PM

    Thanks Stephen   Followup:   After I turn this off, Is there any way to get rid of the autocreated View and Manage roles cluttering up the list.  They are currently marked as "System" and of course the remove button is greyed. 



  • 4.  Re: What is the drawback of turning off the autocreation of Manage service/policy/folder roles

    Posted 08-03-2017 03:34 PM

    Paul,

     

    System roles are protected for obvious reasons so that they are not inadvertently removed. Definitely would be good to have the ability to switch the status of these with all the confirmations. If you feel it is worth it please feel free to log an idea.

     

    Sincerely,

     

    Stephen Hughes

    Director, CA Support



  • 5.  Re: What is the drawback of turning off the autocreation of Manage service/policy/folder roles

    Posted 08-03-2017 04:06 PM

    Is this valid strategy to remove existing "view" and "manage" roles?

     

    0. Backup the gateway

    1. set CWPs to disable creation of "view" and "manage" roles

    2. Use GMU to migrateout by folder

    3. Delete the folder - (assume will delete the "view" "manage" roles)

    4. Use GMU to migratein by folder (assume no new roles will be created)



  • 6.  Re: What is the drawback of turning off the autocreation of Manage service/policy/folder roles
    Best Answer

    Posted 08-03-2017 06:56 PM
      |   view attached

    Caution: The information in this post has not been tested outside some very rudimentary tests on a local gateway so very experimental. Ensure that you backup your environment before using these instructions as CA Support will not support the usage of these instructions. Use at your own caution.

     

    Paul,

     

    I did a bit more digging and found that a column in the database will cause the role to switch between system and custom so it can be removed. The instructions that I used were as follows:

    1. mysqldump ssg --routines > <filename>.sql
    2. Create a new API service called "Role Removal" with URI of role
      Import policy attached to this case into the new service
      1. Modify the HTTP Routing assertion in the policy to use your username and password for an administrator account along with import the Gateway Certificate into the Manage Certificate interfaceCreate internal service Restman if not already created
    3. Create internal service Restman if not already created
    4. Run the following commands from the Gateway with the DB:

    mysql ssg -e 'update rbac_role set user_created="1" where name like "Manage%Service %" or name like "Manage%Folder %" or name like "View%Folder %"'
    mysql ssg -e 'update rbac_role set user_created="0" where name like "Manage Gateway REST Management Service Service%" or name like "Manage Role Removal Service%"'
    mysql ssg -e 'select name,user_created from rbac_role'


        5. wget https://<gateway hostname>:8443/role

     

    Sincerely,

     

    Stephen Hughes

    Director, CA Support

    Attachment(s)

    zip
    role_removal.xml.zip   1K 1 version