I find role management a little convoluted in the API Gateway. The list of roles is ridiculously long for a gateway with many folders and services due to the auto-created "Manage" and "View" roles. According to the documentation:
"Tip: The auto-creation of these roles can be turned off by using the rbac.autoRole.manage<name>.autoAssign cluster properties, where "<name>" is "Policy", "Provider", or "Service"." I have the following questions:
1. What are the negative consequences of turning this off? I believe if I can explicitly grant group/user access to certain folders then they will inherit the ability to manage the subfolders and policies/services therein? Correct?
2. If I use this cluster property to turn off this autocreation, will it have any effect on the already existing roles?
The feature to auto-create roles has been a part of the product since the early days and was included to help with just adding users to existing roles. Also, in the beginning we didn't have robust role creation. We have fleshed out the manual role creation to be more configurable.
In response to your questions:
1) The only negative effect is that you will need to add roles for services if you need that level of granularity. We find that people will add the rights to existing roles, use roles with broader controls (Publish WebServices, etc.), or even use security zones (Understanding Security Zones - CA API Gateway - 9.2 - CA Technologies Documentation). The positive side of disabling this feature is that it will keep your roles list smaller and more manageable.
2) Turning off the functionality will not affect existing roles.
Director, CA Support
Thanks Stephen. Follow-up: after I turn this off, is there any way to get rid of the auto-created View and Manage roles cluttering up the list? They are currently marked as "System" and of course the remove button is greyed out.
System roles are protected for obvious reasons so that they are not inadvertently removed. Definitely would be good to have the ability to switch the status of these with all the confirmations. If you feel it is worth it please feel free to log an idea.
Is this a valid strategy to remove existing "view" and "manage" roles?
0. Backup the gateway
1. set CWPs to disable creation of "view" and "manage" roles
2. Use GMU to migrateout by folder
3. Delete the folder - (assume will delete the "view" "manage" roles)
4. Use GMU to migratein by folder (assume no new roles will be created)
Caution: The information in this post has not been tested outside some very rudimentary tests on a local gateway so very experimental. Ensure that you backup your environment before using these instructions as CA Support will not support the usage of these instructions. Use at your own caution.
I did a bit more digging and found that a column in the database will cause the role to switch between system and custom so it can be removed. The instructions that I used were as follows:
# Mark the auto-created Manage/View roles as user-created so they can be removed
mysql ssg -e 'update rbac_role set user_created="1" where name like "Manage%Service %" or name like "Manage%Folder %" or name like "View%Folder %"'
# Restore the system flag on the two built-in service roles caught by the patterns above
mysql ssg -e 'update rbac_role set user_created="0" where name like "Manage Gateway REST Management Service Service%" or name like "Manage Role Removal Service%"'
# Verify the result
mysql ssg -e 'select name,user_created from rbac_role'
5. wget https://<gateway hostname>:8443/role
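As an added example (not from the original post or from CA), the same flag change written so that it can be previewed, backed up and rolled back before the roles are deleted; it excludes the two built-in service roles up front instead of correcting them with a second UPDATE. It assumes the ssg database and rbac_role table with the name and user_created columns from the post, that rbac_role is an InnoDB table (so the transaction can be rolled back), that role names are unique, and a backup table name of rbac_role_backup.

```sql
-- Added example, not the post's own commands. Assumes: database ssg, table
-- rbac_role with columns name and user_created (from the post), InnoDB storage
-- so ROLLBACK works, unique role names, and the backup table name below.
USE ssg;

-- 1. Dry run: list exactly which roles the post's patterns will match,
--    before anything is changed.
SELECT name, user_created
FROM rbac_role
WHERE (name LIKE 'Manage%Service %'
    OR name LIKE 'Manage%Folder %'
    OR name LIKE 'View%Folder %')
  AND name NOT LIKE 'Manage Gateway REST Management Service Service%'
  AND name NOT LIKE 'Manage Role Removal Service%'
ORDER BY name;

-- 2. Keep a copy of the table so the original flags can be restored later.
--    (rbac_role_backup is an assumed name; pick any unused table name)
CREATE TABLE rbac_role_backup AS SELECT * FROM rbac_role;

-- 3. Flip the flag in one transaction. The two built-in service roles the
--    post keeps as system roles are excluded here, so no corrective UPDATE
--    is needed afterwards.
START TRANSACTION;
UPDATE rbac_role
SET user_created = '1'
WHERE (name LIKE 'Manage%Service %'
    OR name LIKE 'Manage%Folder %'
    OR name LIKE 'View%Folder %')
  AND name NOT LIKE 'Manage Gateway REST Management Service Service%'
  AND name NOT LIKE 'Manage Role Removal Service%';

-- 4. Verify: the only system roles (user_created = 0) still matching the
--    patterns should be the two excluded ones. Anything else: ROLLBACK.
SELECT name, user_created
FROM rbac_role
WHERE user_created = '0'
  AND (name LIKE 'Manage%Service %'
    OR name LIKE 'Manage%Folder %'
    OR name LIKE 'View%Folder %');
COMMIT;   -- use ROLLBACK instead if step 4 shows unexpected rows

-- To undo after a COMMIT, copy the original flags back from the backup:
-- UPDATE rbac_role r JOIN rbac_role_backup b ON b.name = r.name
--   SET r.user_created = b.user_created;
```

Run step 1 on its own first and compare the row count with the number of roles you expect to clean up; the backup table can be dropped once the roles have been removed and the gateway verified.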