Question

Prism Central RBAC assignments

  • 24 September 2020
  • 7 replies
  • 450 views


Hello All,

I have recently deployed Prism Central and I am trying to give team members access via their AD accounts. I have gone through the roles and discovered I cannot add new members to the predefined roles; however, if I duplicate the roles I can add AD users and groups to the new roles. This works for me; however, when I duplicate a role such as the “Super Admin” role, I am warned that not all permissions are going to apply to the new role and that I would need to create the new role via CLI to get these permissions. OK, fine, that makes some sense. But where is the documentation on how to do that? Can someone point me to the documentation to perform these role creation tasks via CLI?

 

Thanks,

Scott

 


7 replies

Userlevel 1
Badge +3

I would recommend checking the documentation and searching for the relevant config:

 https://portal.nutanix.com/page/documents/details?targetId=Nutanix-Security-Guide-v5_18:ssp-ssp-role-based-access-control-pc-c.html

Userlevel 5
Badge +5

Hi skeeter,

If you have trouble with editing an existing role mapping, that does not sound right and would need to be looked at by Nutanix Support.

What the message suggests is to use the API. You can either play with the APIs directly from the PC Web Console (click on the user name in the top right corner and choose API explorer) or go to the Nutanix Dev portal.

I will search for any examples of completing this task with the API. For now, I’d suggest posting in the API space of the community.

Badge

OK, since I am getting a little confused here, I will add some more detail. So I have just installed Prism Central and I am trying to add AD users to the roles built into Prism Central. When I click on the Super Admin role, this is what I see:

As you can see, I cannot add anyone to it, but I can duplicate the role. When I duplicated the role, I got the message that Alona posted above. So am I not supposed to duplicate roles? Should I be able to add users to the roles that already exist? Once I duplicated the role, I can add my AD accounts to the duplicated role, but of course they don’t have the same permissions. I have no issues posting this in the API space if this is by design.

 

Thanks,

Scott

Userlevel 5
Badge +5

I think what you want to do is called Role Mapping.

A role is a list of permissions. You then map that role to a user or a group. That is called Role Mapping. This is done to allow you to reuse roles with multiple users and groups.

Configuring Role Mapping

If you want to assign certain users Superadmin permissions you need to associate the Superadmin role with the user via Role Mapping.

Let me know if that makes sense or if you knew that but I misunderstood you.

Badge

This is not quite what I want to do, Alona. If I go under role mapping (as shown in your screenshot above), I can only provide Viewer, User Admin, Cluster Admin. I want to use the more granular roles that are provided in Prism Central. However, as you can see in my screenshot, I cannot do any role mapping with the default roles provided in Prism Central.

I have to create new roles. However, when I duplicate the role “Super admin”, I get the message you posted above (Copied 82 of 96 permissions from role….). So I just need an API reference page to show me how to create the roles with the API.

 

With the above image you can see that I can map my AD users and groups to a new role I have created. However, the new role is not the same as the default super admin role because of the missing 14 permissions.

Userlevel 5
Badge +5

My apologies for the delay. Thank you for providing the details. I was able to reproduce the issue. Just making sure that I am not missing anything. Will get back to you.

Userlevel 5
Badge +5

Are you able to log a Nutanix Support request? I believe this is a bug, and an Engineering case will have more attention when it is directly associated with a customer case. Let me know if you log a support case, please, and I will grab the case number from you.
