From 7ffc5c08df31e37dee822fb02da5ec3ac219d3d6 Mon Sep 17 00:00:00 2001
From: Mike Jang <3287976+mjang@users.noreply.github.com>
Date: Fri, 28 Feb 2025 09:36:39 -0800
Subject: [PATCH 1/5] feature: Describe use of roles in N1C
---
content/includes/security/rbac-intro.md | 9 +++++++++
content/nginx-one/rbac/_index.md | 6 ++++++
content/nginx-one/rbac/overview.md | 16 ++++++++++++++++
content/nginx-one/rbac/roles.md | 17 +++++++++++++++++
content/nim/admin-guide/rbac/overview-rbac.md | 4 +---
5 files changed, 49 insertions(+), 3 deletions(-)
create mode 100644 content/includes/security/rbac-intro.md
create mode 100644 content/nginx-one/rbac/_index.md
create mode 100644 content/nginx-one/rbac/overview.md
create mode 100644 content/nginx-one/rbac/roles.md
diff --git a/content/includes/security/rbac-intro.md b/content/includes/security/rbac-intro.md
new file mode 100644
index 000000000..15dcfaf9c
--- /dev/null
+++ b/content/includes/security/rbac-intro.md
@@ -0,0 +1,9 @@
+---
+docs:
+files:
+ - content/nginx-one/rbac/overview.md
+ - content/nim/admin-guide/rbac/overview-rbac.md
+---
+Role-based access control (RBAC) is a security system that governs access to resources within a software application. By assigning specific roles to users or groups, RBAC ensures that only authorized individuals have the ability to perform certain actions or access particular areas.
+
+The value of RBAC lies in its ability to provide clear and structured control over what users can see and do. This makes it easier to maintain security, streamline user management, and ensure compliance with internal policies or regulations. By giving users only the permissions they need to fulfill their roles, RBAC reduces the risk of unauthorized access and fosters a more efficient and secure operating environment.
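Review bot: `docs:` at the top of the new front matter has no value. Give it an ID or leave the key out until one is assigned, so the include does not ship with an empty field.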
diff --git a/content/nginx-one/rbac/_index.md b/content/nginx-one/rbac/_index.md
new file mode 100644
index 000000000..a1f7050ff
--- /dev/null
+++ b/content/nginx-one/rbac/_index.md
@@ -0,0 +1,6 @@
+---
+title: Role-based access control
+description:
+weight: 300
+url: /nginx-one/rbac
+---
diff --git a/content/nginx-one/rbac/overview.md b/content/nginx-one/rbac/overview.md
new file mode 100644
index 000000000..fec75f2db
--- /dev/null
+++ b/content/nginx-one/rbac/overview.md
@@ -0,0 +1,16 @@
+---
+description:
+docs:
+doctypes:
+- reference
+tags:
+- docs
+title: "Overview: Role-based access control"
+toc: true
+weight: 400
+---
+
+{{< include "security/rbac-intro.md" >}}
+
+The NGINX One Console uses the **[F5 Distributed Cloud User Management](https://docs.cloud.f5.com/docs-v2/administration/how-tos/user-mgmt)** system for access controls and user permissions.
+General information can be found on the User Management documentation for **[F5 Distributed Cloud](https://docs.cloud.f5.com/docs-v2/administration/how-tos/user-mgmt)**. This document provides guidance and reference material for utilizing those features to grant and restrict access within the NGINX One Console.
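Review bot: the two bold links in the last two added lines point to the same URL (https://docs.cloud.f5.com/docs-v2/administration/how-tos/user-mgmt) and the sentences overlap. Merge them into one sentence with a single link, and prefer "using" to "utilizing".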
diff --git a/content/nginx-one/rbac/roles.md b/content/nginx-one/rbac/roles.md
new file mode 100644
index 000000000..286e8ca8e
--- /dev/null
+++ b/content/nginx-one/rbac/roles.md
@@ -0,0 +1,17 @@
+
+## Default Roles
+
+We provide three default **[roles](https://docs.cloud.f5.com/docs-v2/administration/how-tos/user-mgmt/roles)** that can be used for providing various access levels to the NGINX One Console. These roles will be automatically updated as new features are added to the NGINX One Console. Default roles can be scoped to specific namespaces.
+
+### Admin
+
+The Admin role, identified as f5xc-nginx-one-admin
, provides full read and write access to all endpoints and features within the NGINX One Console.
+
+### User
+
+Our standard User role, listed as f5xc-nginx-one-user
in the role list, provides read and write access to all endpoints and features, save for those considered to be administrator level. An example of an administrator level feature would be **[Instance Settings](https://docs.nginx.com/nginx-one/how-to/nginx-configs/clean-up-unavailable-instances/)** where unavailable instance clean up logic is set.
+
+### Monitor
+
+Our read only or Monitor role, f5xc-nginx-one-monitor
, grants read only access to all non-administrator features and endpoints within the NGINX One Console.
+
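Review bot: roles.md is created with no front matter; the hunk opens with a blank line and goes straight to "## Default Roles", so the page has no title or weight in this patch. Also consider saying, next to "These roles will be automatically updated as new features are added", that this widens what existing role holders can reach without any administrator action, so readers who need a fixed permission set know to look at custom roles instead.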
diff --git a/content/nim/admin-guide/rbac/overview-rbac.md b/content/nim/admin-guide/rbac/overview-rbac.md
index 7da6ddeb6..f3259a258 100644
--- a/content/nim/admin-guide/rbac/overview-rbac.md
+++ b/content/nim/admin-guide/rbac/overview-rbac.md
@@ -9,9 +9,7 @@ docs: DOCS-919
## Overview
-Role-Based Access Control (RBAC) is a security system that governs access to resources within a software application. By assigning specific roles to users or groups, RBAC ensures that only authorized individuals have the ability to perform certain actions or access particular areas.
-
-The value of RBAC lies in its ability to provide clear and structured control over what users can see and do. This makes it easier to maintain security, streamline user management, and ensure compliance with internal policies or regulations. By giving users only the permissions they need to fulfill their roles, RBAC reduces the risk of unauthorized access and fosters a more efficient and secure operating environment.
+{{< include "security/rbac-intro.md" >}}
The following are essential concepts related to RBAC:
From 416a516ebc4ad1604fc0f6f75da193db1411819b Mon Sep 17 00:00:00 2001
From: Mike Jang <3287976+mjang@users.noreply.github.com>
Date: Fri, 28 Feb 2025 10:35:02 -0800
Subject: [PATCH 2/5] Add default roles page
---
content/nginx-one/rbac/rbac-api.md | 48 ++++++++++++++++++++++++++++++
content/nginx-one/rbac/roles.md | 11 +++++++
2 files changed, 59 insertions(+)
create mode 100644 content/nginx-one/rbac/rbac-api.md
diff --git a/content/nginx-one/rbac/rbac-api.md b/content/nginx-one/rbac/rbac-api.md
new file mode 100644
index 000000000..9d3b90b65
--- /dev/null
+++ b/content/nginx-one/rbac/rbac-api.md
@@ -0,0 +1,48 @@
+---
+description:
+docs:
+doctypes:
+- reference
+tags:
+- docs
+title: "Overview: set up custom roles"
+toc: true
+weight: 500
+---
+
+Beyond [Default roles]({{< relref "/nginx-one/rbac/roles.md" >}}), you may need to set up custom roles. For convenience, we include a list of API groups that you could use to specify permissions for custom roles.
+
+These are not NGINX One APIs.
+
+## F5 API groups for NGINX One
+
+The following table lists the **[API Groups](https://docs.cloud.f5.com/docs-v2/administration/how-tos/user-mgmt/roles)** that you can use when you create an F5 XC role. These are narrowly scoped API Groups that align with all the features and functionality within the NGINX One Console. These groups can help you create custom roles tailored to your specific needs.
+
+{{< note >}}If you create custom roles using the more granular API Groups, as new features are added to the Console your users may not have access until you add the corresponding API Groups to their roles.{{< /note >}}
+
+| API Group Name | Level of Access | Description |
+|-----------------------------------------|-----------------|-------------------------------------------------------------------------------------------------------------------------------|
+| f5xc-nginx-one-application-monitor | Read | View all features and data. |
+| f5xc-nginx-one-application-settings | Write | View and update settings. |
+| f5xc-nginx-one-application-write | Write | View and edit all features except settings. |
+| f5xc-nginx-one-custom-all-instances-metric-read | Read | View metrics for all Instances. Required to see the Overview dashboard. |
+| f5xc-nginx-one-custom-instance-list | Read | View list of all Instances. Also view summarized information such as certificate status and CVEs. |
+| f5xc-nginx-one-custom-all-instances-manage | Write | View and delete all Instances. |
+| f5xc-nginx-one-custom-instance-manage | Write | View and edit Instance details. |
+| f5xc-nginx-one-custom-instance-read | Read | View Instance and configuration details. |
+| f5xc-nginx-one-custom-certificate-manage | Write | View TSL/SSL certificate details. Create, update, and delete any managed certificates. |
+| f5xc-nginx-one-custom-certificate-read | Read | View TLS/SSL certificates. |
+| f5xc-nginx-one-custom-all-certificates-manage | Write | View all TLS/SSL certificates. Delete managed certificates. |
+| f5xc-nginx-one-custom-data-plane-key-manage | Write | View, create, update, and delete any Data Plane Keys. Note: The actual Data Plane Key is shown _only_ when created. |
+| f5xc-nginx-one-custom-data-plane-key-read | Read | View Data Plane Key Details. Note: The actual Data Plane Key is shown _only_ when created. |
+| f5xc-nginx-one-custom-all-data-plane-keys-manage | Write | View and delete Data Plane Keys. |
+| f5xc-nginx-one-custom-cve-read | Read | View NGINX CVEs. |
+| f5xc-nginx-one-custom-config-sync-group-manage | Write | View, create, update, and delete Config Sync Groups. |
+| f5xc-nginx-one-custom-config-sync-group-read | Read | View Config Sync Groups with details. |
+| f5xc-nginx-one-custom-all-config-sync-groups-manage | Write | View and delete Config Sync Groups. |
+| f5xc-nginx-one-custom-settings-manage | Write | View and update NGINX One Console Settings. |
+| f5xc-nginx-one-custom-settings-read | Read | View NGINX One Console Settings. |
+| f5xc-nginx-one-custom-event-read | Read | View NGINX One Events. |
+| f5xc-nginx-one-custom-ai-assistant | Write | Interact with the NGINX One AI Assistant. |
+| f5xc-nginx-one-custom-staged-config-manage | Write | View, create, update, and delete Staged Configs. |
+| f5xc-nginx-one-custom-staged-config-read | Read | View Staged Configs. |
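Review bot: "TSL/SSL" in the f5xc-nginx-one-custom-certificate-manage row is a typo for "TLS/SSL", which the two neighbouring certificate rows spell correctly. Separately, "These are not NGINX One APIs." near the top gives the reader nothing to act on; say what they are (the heading below calls them F5 API groups) or drop the sentence.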
diff --git a/content/nginx-one/rbac/roles.md b/content/nginx-one/rbac/roles.md
index 286e8ca8e..c3449023a 100644
--- a/content/nginx-one/rbac/roles.md
+++ b/content/nginx-one/rbac/roles.md
@@ -1,3 +1,14 @@
+---
+description:
+docs:
+doctypes:
+- reference
+tags:
+- docs
+title: "Reference: default roles"
+toc: true
+weight: 500
+---
## Default Roles
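Review bot: `weight: 500` in this front matter is the same value the new rbac-api.md sets in this patch, so the order of the two pages in the section is left undefined. Give roles.md a lower weight if the default roles should appear before the custom roles page. `description:` and `docs:` are also added with no value.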
From cf75f0df9ac5421587b7f86593ee2c2fe49a3a88 Mon Sep 17 00:00:00 2001
From: Mike Jang <3287976+mjang@users.noreply.github.com>
Date: Mon, 3 Mar 2025 11:40:23 -0800
Subject: [PATCH 3/5] More
---
content/nginx-one/rbac/rbac-api.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/content/nginx-one/rbac/rbac-api.md b/content/nginx-one/rbac/rbac-api.md
index 9d3b90b65..43b0b99a8 100644
--- a/content/nginx-one/rbac/rbac-api.md
+++ b/content/nginx-one/rbac/rbac-api.md
@@ -18,7 +18,7 @@ These are not NGINX One APIs.
The following table lists the **[API Groups](https://docs.cloud.f5.com/docs-v2/administration/how-tos/user-mgmt/roles)** that you can use when you create an F5 XC role. These are narrowly scoped API Groups that align with all the features and functionality within the NGINX One Console. These groups can help you create custom roles tailored to your specific needs.
-{{< note >}}If you create custom roles using the more granular API Groups, as new features are added to the Console your users may not have access until you add the corresponding API Groups to their roles.{{< /note >}}
+{{< note >}}If you create custom roles using the more granular API Groups, users may not have access until you add the corresponding API Groups to their roles.{{< /note >}}
| API Group Name | Level of Access | Description |
|-----------------------------------------|-----------------|-------------------------------------------------------------------------------------------------------------------------------|
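Review bot: the rewritten note drops the condition "as new features are added to the Console", so it now reads as if users of any custom role lack access outright. Keep the trigger in the sentence, for example "users may not have access to new Console features until you add the corresponding API Groups to their roles".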
From dd2b96b697b1b47ed9a8e32965dc11b1a7a44b2c Mon Sep 17 00:00:00 2001
From: Mike Jang <3287976+mjang@users.noreply.github.com>
Date: Mon, 3 Mar 2025 12:12:00 -0800
Subject: [PATCH 4/5] Update content/nginx-one/rbac/rbac-api.md
---
content/nginx-one/rbac/rbac-api.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/content/nginx-one/rbac/rbac-api.md b/content/nginx-one/rbac/rbac-api.md
index 43b0b99a8..b7c7d0a04 100644
--- a/content/nginx-one/rbac/rbac-api.md
+++ b/content/nginx-one/rbac/rbac-api.md
@@ -16,7 +16,7 @@ These are not NGINX One APIs.
## F5 API groups for NGINX One
-The following table lists the **[API Groups](https://docs.cloud.f5.com/docs-v2/administration/how-tos/user-mgmt/roles)** that you can use when you create an F5 XC role. These are narrowly scoped API Groups that align with all the features and functionality within the NGINX One Console. These groups can help you create custom roles tailored to your specific needs.
+The following table lists the **[F5 XC roles](https://docs.cloud.f5.com/docs-v2/administration/how-tos/user-mgmt/roles)** that you can use. These are narrowly scoped API Groups that align with all the features and functionality within the NGINX One Console. These groups can help you create custom roles tailored to your specific needs.
{{< note >}}If you create custom roles using the more granular API Groups, users may not have access until you add the corresponding API Groups to their roles.{{< /note >}}
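Review bot: the new link text says the table lists "F5 XC roles", but the next sentence still begins "These are narrowly scoped API Groups" and the table header is "API Group Name". Keep "API Groups" as the link text, or reword both sentences so the paragraph names one thing.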
From 40ed2645a4d72e3d6962b12ed1d7199421309945 Mon Sep 17 00:00:00 2001
From: Mike Jang <3287976+mjang@users.noreply.github.com>
Date: Tue, 4 Mar 2025 09:49:37 -0800
Subject: [PATCH 5/5] Apply suggestions from code review
Co-authored-by: Alan Dooley
---
content/includes/security/rbac-intro.md | 2 +-
content/nginx-one/rbac/overview.md | 13 +++++--------
content/nginx-one/rbac/rbac-api.md | 13 +++++--------
content/nginx-one/rbac/roles.md | 15 ++++++---------
4 files changed, 17 insertions(+), 26 deletions(-)
diff --git a/content/includes/security/rbac-intro.md b/content/includes/security/rbac-intro.md
index 15dcfaf9c..7122c1110 100644
--- a/content/includes/security/rbac-intro.md
+++ b/content/includes/security/rbac-intro.md
@@ -1,8 +1,8 @@
---
-docs:
files:
- content/nginx-one/rbac/overview.md
- content/nim/admin-guide/rbac/overview-rbac.md
+docs: DOCS-000
---
Role-based access control (RBAC) is a security system that governs access to resources within a software application. By assigning specific roles to users or groups, RBAC ensures that only authorized individuals have the ability to perform certain actions or access particular areas.
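Review bot: `docs: DOCS-000` looks like a placeholder ID, and the same value is added to overview.md, rbac-api.md and roles.md later in this patch. Assign distinct IDs before merge, or confirm that a shared placeholder is acceptable here.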
diff --git a/content/nginx-one/rbac/overview.md b/content/nginx-one/rbac/overview.md
index fec75f2db..ccab68d4b 100644
--- a/content/nginx-one/rbac/overview.md
+++ b/content/nginx-one/rbac/overview.md
@@ -1,13 +1,10 @@
---
-description:
-docs:
-doctypes:
-- reference
-tags:
-- docs
-title: "Overview: Role-based access control"
-toc: true
+title: "Role-based access control overview"
weight: 400
+toc: true
+type: reference
+product: NGINX One
+docs: DOCS-000
---
{{< include "security/rbac-intro.md" >}}
diff --git a/content/nginx-one/rbac/rbac-api.md b/content/nginx-one/rbac/rbac-api.md
index b7c7d0a04..a11f6d3c9 100644
--- a/content/nginx-one/rbac/rbac-api.md
+++ b/content/nginx-one/rbac/rbac-api.md
@@ -1,13 +1,10 @@
---
-description:
-docs:
-doctypes:
-- reference
-tags:
-- docs
-title: "Overview: set up custom roles"
-toc: true
+title: "Custom roles and API groups"
weight: 500
+toc: true
+type: reference
+product: NGINX One
+docs: DOCS-000
---
Beyond [Default roles]({{< relref "/nginx-one/rbac/roles.md" >}}), you may need to set up custom roles. For convenience, we include a list of API groups that you could use to specify permissions for custom roles.
diff --git a/content/nginx-one/rbac/roles.md b/content/nginx-one/rbac/roles.md
index c3449023a..760e98f42 100644
--- a/content/nginx-one/rbac/roles.md
+++ b/content/nginx-one/rbac/roles.md
@@ -1,16 +1,13 @@
---
-description:
-docs:
-doctypes:
-- reference
-tags:
-- docs
-title: "Reference: default roles"
-toc: true
+title: "Default roles"
weight: 500
+toc: true
+type: reference
+product: NGINX One
+docs: DOCS-000
---
-## Default Roles
+## Default roles
We provide three default **[roles](https://docs.cloud.f5.com/docs-v2/administration/how-tos/user-mgmt/roles)** that can be used for providing various access levels to the NGINX One Console. These roles will be automatically updated as new features are added to the NGINX One Console. Default roles can be scoped to specific namespaces.
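Review bot: with the title now "Default roles", the "## Default roles" heading directly under the front matter repeats it. Drop the H2 or rename it, and promote the Admin, User and Monitor headings accordingly if the page renders the title as its top heading.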