
Role-Based Access Control (RBAC)

Unravel supports three roles.

  • Admin – has complete access to UI with read/write permissions.

  • Read-only admin – has complete access to the UI but cannot write.

  • End-user – has access to the UI but not the Manage page, e.g., can't see AutoActions.

RBAC roles

RBAC lets admins restrict the pages a specific end-user can view and how those pages are populated. Application tagging is intertwined with RBAC. While it is possible to use RBAC without defining application tags, its usefulness is limited. See What is tagging? if you are not familiar with the concept of tagging and how to generate tags for Unravel to use.

The end-user's access is restricted based upon three factors:
  1. Tags for the end-user

    You can create tags for

    End-users are then associated with the tags via LDAP or SAML.

    When RBAC is turned on, an end-user's view is filtered based upon their tags. For instance, if a user only has the defined tag dept:marketing they can only see applications tagged with dept:marketing.

  2. Unravel default tag

    The default tag is used to filter the end-user's view. It is set to Username by default.

  3. Mode

    The following options are available for mode:

    extended: a user can access the following:

    restricted: a user can only access Jobs > All Applications

What the end-user sees when RBAC is turned on

The end-user sees the pages available under the user restriction mode, populated with applications based on tags, which are filtered by user.

Note

If the default command is not set and an end-user has no tags, the viewable pages appear blank.
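
The following Python sketch models the tag filtering and the blank-view case described above, so the fail-closed behavior can be checked against sample data. It is an added example, not Unravel's code: the `App` structure, the function names, and the rule that the default tag is used only when the end-user has no tags of their own are assumptions, since this page does not state how the two combine.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class App:
    app_id: str
    user: str                       # user who ran the application
    tags: frozenset = frozenset()   # e.g. {("dept", "marketing")}


def effective_filter(username, user_tags, default_tag):
    """Return the (key, value) pairs that filter this end-user's view.

    Assumption: the user's own tags (from LDAP/SAML) take precedence and the
    default tag is the fallback; the page does not say how the two combine.
    """
    if user_tags:
        return frozenset(user_tags)
    if default_tag == "userName":
        return frozenset({("userName", username)})
    return frozenset()              # nothing to match on: blank view


def visible_apps(username, user_tags, default_tag, apps):
    """Fail closed: an application is shown only if it matches a filter tag."""
    wanted = effective_filter(username, user_tags, default_tag)
    shown = []
    for app in apps:
        app_tags = set(app.tags) | {("userName", app.user)}
        if wanted & app_tags:
            shown.append(app.app_id)
    return shown


# Constructed sample data, not taken from a real deployment.
APPS = [
    App("app-1", "alice", frozenset({("dept", "marketing")})),
    App("app-2", "bob", frozenset({("dept", "finance")})),
    App("app-3", "carol", frozenset({("dept", "marketing"), ("project", "q3")})),
    App("app-4", "dave"),           # untagged application
]

if __name__ == "__main__":
    cases = [
        ("alice", {("dept", "marketing")}, "userName"),
        ("dave", set(), "userName"),
        ("erin", set(), None),      # no tags and no default: blank view
    ]
    for name, tags, default in cases:
        print(name, visible_apps(name, tags, default, APPS))
```
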

Run the following steps to configure RBAC:

  1. Stop Unravel.

    <Unravel installation directory>/unravel/manager stop
    
  2. From the installation directory, run the following commands to set the RBAC configurations.

    <Unravel installation directory>/unravel/manager config rbac default <user|userName>
    <Unravel installation directory>/unravel/manager config rbac mode <extended|restricted>
    <Unravel installation directory>/unravel/manager config rbac script </path/to/rbac/python/script*>
    <Unravel installation directory>/unravel/manager config rbac default tag <key> <regex>
    <Unravel installation directory>/unravel/manager config rbac default tag <key> <regex>
    

    Note

    * Refer to Using a Python script for more details.

    The following additional manager config rbac subcommands are listed for reference:

    Subcommand   Syntax                                 Description
    disable      manager config rbac disable            Disable RBAC.
    show         manager config rbac show tags          Shows the list of tags.
    remove       manager config rbac remove tag <key>   Removes a manually added tag.

  3. Enable RBAC.

    <Unravel installation directory>/unravel/manager config rbac e
    
  4. Apply the changes.

    <Unravel installation directory>/unravel/manager config apply
    
  5. Start Unravel.

    <Unravel installation directory>/unravel/manager start