SD-WAN

Changing TACACS to support Orchestrator RBAC

  • 1.  Changing TACACS to support Orchestrator RBAC

    Posted Apr 17, 2023 01:09 PM
    Edited by Jamie E Apr 18, 2023 01:20 PM

    I recently had a customer that wanted to limit access to Orchestrator menus for various groups within the organization. Some user groups should have read-write access to menus, others read-only. They were already using TACACS on ClearPass, so we only needed to modify the config for the RBAC settings on both sides.

    **The biggest gotcha is that you need to change "role" to "rbac-roles"** on the TACACS side (ClearPass or other), but I thought it would be worth reviewing in more depth here.

    On Orchestrator, there are already built-in roles for use.

    [screenshot: Default_roles]

    On the ClearPass side, we need to add an attribute for "rbac-roles" to the correct Profiles and specify the RBAC level to provide. Note: it is 15 (Privileged) for Read/Write in this scenario; the default is to use 7 for Read-Only.

    [screenshot: CPPM_Config]


    Once that is done, log a user out of Orchestrator and log back in via TACACS. This should give you the correct RBAC role now.

    With Read-Only, you'll see the message at the bottom of the screen when attempting to make a change. A user will be able to stage the change in a lot of cases, but "Apply" will cause the alarm to display.

    [screenshot: Read_Only_Alarm]

    One last note: Appliance Access Groups, or "aag", are also supported as part of RBAC to limit which appliances a user can see. In TACACS, use "rbac-aag" to specify the group.
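To make the attribute handling in the post concrete, here is a small added example (written for this write-up, not ClearPass or Orchestrator code) that parses the attribute-value pairs of a TACACS+ authorization reply the way RFC 8907 defines them and pulls out the "rbac-roles" and "rbac-aag" attributes, flagging the "role" gotcha. The role and group names in the sample replies are hypothetical, and the comma-separated multi-role format is an assumption that the post does not state.

```python
"""Parse TACACS+ authorization AV pairs and extract Orchestrator RBAC attributes.

Added example, not vendor code. Role/group names are hypothetical.
"""
from dataclasses import dataclass, field
from typing import List, Optional

# Attribute names the post says Orchestrator reads from the TACACS+ reply.
ROLE_ATTR = "rbac-roles"
AAG_ATTR = "rbac-aag"
LEGACY_ROLE_ATTR = "role"      # the gotcha: not honoured for Orchestrator RBAC
PRIV_LVL_ATTR = "priv-lvl"     # standard TACACS+ privilege-level attribute


@dataclass
class AVPair:
    name: str
    value: str
    mandatory: bool  # '=' separator means mandatory, '*' means optional


def parse_av_pair(raw: str) -> AVPair:
    """Split one TACACS+ attribute-value pair at its separator.

    RFC 8907 section 6.1: the separator is the first '=' or '*' after the
    attribute name; '=' marks the attribute mandatory, '*' optional.
    """
    for i, ch in enumerate(raw):
        if ch in "=*" and i > 0:
            return AVPair(raw[:i], raw[i + 1:], mandatory=(ch == "="))
    raise ValueError(f"malformed AV pair: {raw!r}")


@dataclass
class RbacSettings:
    roles: List[str] = field(default_factory=list)
    aag: Optional[str] = None
    priv_lvl: Optional[int] = None
    warnings: List[str] = field(default_factory=list)


def rbac_from_authz_reply(av_pairs: List[str]) -> RbacSettings:
    """Extract the RBAC settings carried in an authorization reply.

    Assumption (not stated in the post): several role names may be sent
    comma-separated in a single rbac-roles value.
    """
    out = RbacSettings()
    for raw in av_pairs:
        pair = parse_av_pair(raw)
        if pair.name == ROLE_ATTR:
            out.roles.extend(r.strip() for r in pair.value.split(",") if r.strip())
        elif pair.name == AAG_ATTR:
            out.aag = pair.value
        elif pair.name == PRIV_LVL_ATTR:
            out.priv_lvl = int(pair.value)
        elif pair.name == LEGACY_ROLE_ATTR:
            # The post's gotcha: "role" must be renamed to "rbac-roles".
            out.warnings.append(
                f"'{LEGACY_ROLE_ATTR}={pair.value}' is not read by Orchestrator RBAC; "
                f"send it as '{ROLE_ATTR}' instead")
    if not out.roles:
        out.warnings.append(f"reply carries no {ROLE_ATTR} attribute")
    return out


# Constructed sample replies; the role and group names are hypothetical.
GOOD_REPLY = ["priv-lvl=15", "rbac-roles=Default_RW", "rbac-aag=Branch-Sites"]
LEGACY_REPLY = ["priv-lvl=7", "role=Default_RO"]

if __name__ == "__main__":
    for reply in (GOOD_REPLY, LEGACY_REPLY):
        print(reply, "->", rbac_from_authz_reply(reply))
```

Running it shows the first reply yielding a role and an appliance access group with no warnings, while the second, which still sends the old "role" attribute, yields no RBAC role at all and two warnings. A check like this is handy when debugging a ClearPass enforcement profile before touching Orchestrator.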