Recently I had a customer who wanted to limit access to Orchestrator menus for various groups within the organization. Some user groups should have read-write access to menus, others read-only. They were already using TACACS on ClearPass, so we only needed to modify the RBAC configuration on both sides.
**The biggest gotcha is that you need to change "role" to "rbac-roles"** on the TACACS side (ClearPass or other), but I thought it would be worth reviewing in more depth here.
On Orchestrator, there are already built-in roles you can use.
On the ClearPass side, we need to add an "rbac-roles" attribute to the correct Profiles and specify the RBAC level to provide. Note – in this scenario it is 15 (Privileged) for Read/Write; the default is to use 7 for ReadOnly.
Once that is done, log the user out of Orchestrator and log back in via TACACS. This should now give you the correct RBAC role.
With Read-Only, you'll see a message at the bottom of the screen when attempting to make a change. In many cases a user will still be able to stage the change, but "Apply" will cause the alarm to display.
One last note: Appliance Access Groups, or "aag", are also supported as part of RBAC to limit which appliances a user can see. In TACACS, use "rbac-aag" to specify the group.
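As an added example (my own helper, not anything from Orchestrator or ClearPass), here is a small check you can run against the AV pairs a TACACS+ authorization reply carries, to confirm the "rbac-roles" and "rbac-aag" keys are actually being returned and to catch the legacy "role" key from the gotcha above. The role and group names in the sample input are constructed placeholders; the AV-pair separators follow RFC 8907 ("=" mandatory, "*" optional).

```python
"""Check TACACS+ authorization AV pairs for the attribute names Orchestrator RBAC expects."""
from dataclasses import dataclass

# Attribute names from the post; "role" is the legacy key that does not set the RBAC role.
RBAC_ROLES_ATTR = "rbac-roles"
RBAC_AAG_ATTR = "rbac-aag"
LEGACY_ROLE_ATTR = "role"


@dataclass
class AVPair:
    attr: str
    value: str
    mandatory: bool  # "=" separator means mandatory, "*" means optional (RFC 8907)


def parse_avpair(raw: str) -> AVPair:
    """Split one AV pair on its first '=' or '*' separator."""
    for i, ch in enumerate(raw):
        if ch in "=*":
            return AVPair(raw[:i], raw[i + 1:], ch == "=")
    raise ValueError(f"not a TACACS+ AV pair: {raw!r}")


def check_rbac_attrs(raw_pairs: list[str]) -> dict:
    """Return the RBAC role/AAG values found plus a list of configuration findings."""
    pairs = {p.attr: p for p in map(parse_avpair, raw_pairs)}
    findings = []
    if RBAC_ROLES_ATTR not in pairs:
        findings.append(f"'{RBAC_ROLES_ATTR}' not returned; the user gets no RBAC role from TACACS")
    if LEGACY_ROLE_ATTR in pairs:
        findings.append(f"'{LEGACY_ROLE_ATTR}' is returned but Orchestrator RBAC reads '{RBAC_ROLES_ATTR}'")
    return {
        "rbac_roles": pairs[RBAC_ROLES_ATTR].value if RBAC_ROLES_ATTR in pairs else None,
        "rbac_aag": pairs[RBAC_AAG_ATTR].value if RBAC_AAG_ATTR in pairs else None,
        "findings": findings,
    }


if __name__ == "__main__":
    # Constructed sample replies; role and AAG names are placeholders, not real Orchestrator names.
    good = ["priv-lvl=15", "rbac-roles=EXAMPLE_RW_ROLE", "rbac-aag=EXAMPLE_AAG"]
    stale = ["priv-lvl=7", "role=EXAMPLE_RO_ROLE"]  # the pre-change config from the gotcha
    for reply in (good, stale):
        print(reply, "->", check_rbac_attrs(reply))
```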