Controlling access to objects with OBAC
IBM Cloud Pak for Network Automation now supports object-based access control (OBAC). This feature supplements the existing access control methods, which are role-based access control (RBAC) and multitenancy. By using OBAC, you can control access efficiently to objects such as assembly instances, assembly descriptors, deployment locations, infrastructure keys, and secret groups.
You can use the Object groups API or the network automation UI to assign your objects to object groups. Objects can belong to only one group. You control what objects a user can access and what permissions the user has for those objects by using user groups.
For example, you can create an object group of network package and deployment location objects. You can assign user groups with different permissions to that object group as follows:
- A user group that has permissions that specify that the users can update the network packages, but only view the deployment locations that are associated with that object group.
- Another user group that allows the users to update both the network packages and deployment locations that are associated with the object group.
Use the following screen in the UI to create and update object groups:
Automatic installation of logging stack
IBM Cloud Pak for Network Automation now includes a built-in logging stack for the aggregation of application log data. The open source tools, OpenSearch and Fluentd, are installed and enabled automatically when you install the Cloud Pak.
OpenSearch and Fluentd are used together to provide a scalable and efficient log management and search infrastructure. Fluentd is used to gather application log data, which is then stored and indexed in OpenSearch.
You can customize the OpenSearch settings that are used for the Cloud Pak installation, such as the index name, the number of index shards, and the number of index replicas.
Viewing communication between resource drivers and underlying systems
New UI pages and APIs are added to allow you to view the messages that are exchanged between resource drivers and the underlying systems that complete intent tasks.
This information might be helpful, for example, when you deploy a new underlying system, or troubleshoot issues with intent tasks that fail or take too long.
Installing an active-active configuration on AWS for high availability
To ensure that the Cloud Pak is highly available, you can now install IBM Cloud Pak for Network Automation in an active-active configuration on self-managed clusters on Amazon Web Services (AWS). You can install on three or more clusters in this configuration. Each cluster can process workloads concurrently. Load-balancing services spread the workload across the clusters.