Cloud Pak for AIOps 4 tips: enabling and using RBAC

By Zane Bray posted Thu April 17, 2025 07:48 AM

  
Role-Based Access Control (RBAC) is a security method that grants users access to resources based on their roles within an organisation, rather than individual permissions. This approach streamlines access management, simplifies administration, and enhances security by limiting access to only what's needed for a specific role.
IBM Cloud Pak for AIOps (AIOps) provides an RBAC capability to control which pages, alerts, topology resources, and attributes users can access. This blog goes through the steps to enable and configure RBAC for productive use, highlighting tips along the way.
MENU AND PAGE ACCESS
AIOps comes out-of-the-box with a number of preset roles that include associated permissions. The underlying permissions are ultimately what give a logged-in user the ability to access a page. So, permissions are associated with roles, and roles can then be assigned to individual users and/or groups.
More information on the various roles and permissions AIOps comes with can be found in the product documentation.
ENABLING RBAC
The other RBAC capabilities control which alerts, resources, or attributes of either can be accessed by users or groups. Before this feature can be used, you must enable Group Profiles in your deployed AIOps instance. Once enabled, AIOps will automatically provision additional menu items and capabilities that support these features. For a new deployment of AIOps, this can be enabled as part of the deployment configuration. If you have an existing AIOps deployment where group profiles are not enabled, however, you can enable them by modifying the AIOps installation.
To enable RBAC in your existing AIOps deployment, open a command prompt on your workstation and authenticate to your AIOps cluster using one of the following two ways.
FOR OPENSHIFT ENVIRONMENTS
If you are running AIOps on an OpenShift cluster, you need to authenticate with OpenShift before you can modify the AIOps installation.
  • Log in to your OpenShift cluster as kubeadmin or a user with administrative permissions
  • Click on your username in the top-right corner of your browser window and select the "Copy login command" menu item
  • Copy the command under: "Log in with this token" - for example:
oc login --token=sha256~fFi87AG5UmX1nPgvLG_QmZNRcWQGTZL1234567890 --server=https://api.aiops-4.cp.fyre.ibm.com:6443
  • Paste the above command into your command line terminal to authenticate with your OpenShift cluster
FOR LINUX-BASED DEPLOYMENTS
If you are running the Linux-based AIOps, all you need to do is SSH to the primary control plane node and source the environment variable file:
$ ssh root@aiops-linux-control-1.fyre.ibm.com
...
[root@aiops-linux-control-1 ~]# . ./aiops_var.sh
[root@aiops-linux-control-1 ~]#

ENABLE GROUP PROFILES

To enable group profiles, or even to check if they're enabled on your current system, do the following:

  • Retrieve the name of your AIOps installation
  • Modify the installation specification
  • Enable group profiles, save, and exit

Example:

zane:~$ oc get installations
NAME    PHASE     LICENSE    STORAGECLASS                STORAGECLASSLARGEBLOCK        AGE
aiops   Running   Accepted   ocs-storagecluster-cephfs   ocs-storagecluster-ceph-rbd   439d
zane:~$ oc edit installation aiops
The following are the first 22 lines of the AIOps installation configuration file. The key attribute is on the last line of the excerpt below: spec.groupProfiles.enabled, which needs to be set to true.
# Please edit the object below. Lines beginning with a '#' will be ignored,
# and an empty file will abort the edit. If an error occurs while saving this file will be
# reopened with the relevant failures.
#
apiVersion: orchestrator.aiops.ibm.com/v1alpha1
kind: Installation
metadata:
  annotations:
    ibm-aiops-orchestrator.aiops.ibm.com/integrations-restore: NmUwMDBkMTktNmQ5OC00YThmLWI5N2YtNzJjZjE2OTU2NzJk
  creationTimestamp: "2024-02-02T12:05:05Z"
  finalizers:
  - ibm-aiops-orchestrator.aiops.ibm.com/finalizer
  generation: 6
  name: aiops
  namespace: aiops
  resourceVersion: "870719655"
  uid: 4e443e1b-7f7a-47b3-a284-b2a938d40693
spec:
  automationFoundation: {}
  enableConnectionModule: true
  groupProfiles:
    enabled: true
...

NOTE: Use vi commands to make the modifications, and to save and exit the configuration.
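
A non-interactive way to run the same check and change, as an added example (not from the original post or the product documentation): it reads spec.groupProfiles.enabled and applies a merge patch only when the value is not already true. It assumes the installation name and namespace "aiops" shown in the excerpt above; the KUBE_CLI variable and the function names are hypothetical.

```sh
#!/bin/sh
# Added example (not from the original post): check spec.groupProfiles.enabled
# and enable it with a merge patch instead of an interactive "oc edit".
# Assumption: KUBE_CLI is a hypothetical override; it defaults to "oc".

CRD="installations.orchestrator.aiops.ibm.com"  # plural + API group from the excerpt

# Print the current value: "true", "false", or empty when the field is unset.
group_profiles_state() {
  "${KUBE_CLI:-oc}" get "$CRD" "$1" -n "$2" \
    -o jsonpath='{.spec.groupProfiles.enabled}'
}

# Enable group profiles only when needed. Prints "already-enabled" or "enabled".
# Return codes: 2 = read failed, 3 = patch failed, 4 = value did not stick.
ensure_group_profiles() {
  gp_name="${1:-aiops}"   # installation name from "oc get installations"
  gp_ns="${2:-aiops}"     # metadata.namespace in the excerpt
  gp_state="$(group_profiles_state "$gp_name" "$gp_ns")" || return 2
  if [ "$gp_state" = "true" ]; then
    echo "already-enabled"
    return 0
  fi
  "${KUBE_CLI:-oc}" patch "$CRD" "$gp_name" -n "$gp_ns" --type merge \
    -p '{"spec":{"groupProfiles":{"enabled":true}}}' >/dev/null || return 3
  # Re-read to confirm the spec change was accepted. This confirms the setting
  # only; the new components still take some minutes to deploy.
  gp_state="$(group_profiles_state "$gp_name" "$gp_ns")" || return 2
  [ "$gp_state" = "true" ] || return 4
  echo "enabled"
}

# Run only when arguments are given, e.g.: sh enable-group-profiles.sh aiops aiops
if [ "$#" -gt 0 ]; then
  ensure_group_profiles "$@"
fi
```

Because the patch is skipped when the value is already true, the function is safe to re-run and can double as a read-only audit check on systems where group profiles should already be on.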

After making the update to the installation configuration, wait a few minutes for the new feature components to be deployed. After the setup has completed, you will see a new menu item "Profiles" under the "Administration" menu in the AIOps UI, when logged in as an administrative user who has the Manage Profiles permission, such as cpadmin:

[Image: Administration menu]

USING RBAC

Using RBAC requires that you understand the relationship between the relevant permission, the role to which that permission is assigned, the group that includes the role, the group that will be the target of the restrictions, and how the restrictions are then created and applied within the context of a group Profile.

RBAC for alerts and topology resources works as follows:

  • An administrative user creates or identifies a pre-existing role that includes the Profiles > Manage Profiles permission
  • An administrative user creates one or more groups that include this role, e.g. "Managers"
  • An administrative user creates one or more target groups that will be restricted in some way, e.g. "Operators"
  • An administrative user creates restriction filters from either the Resources management or Alert viewer pages and assigns them to the "Managers" group
  • An administrative user or a member of the "Managers" group accesses the Administration > Profiles menu item
  • An administrative user or a member of the "Managers" group creates any Redaction policies to redact alert or resource attributes
  • An administrative user or a member of the "Managers" group creates one or more Profiles that can include restriction filters and/or redaction policies
  • The Profile definition includes a listing of the targeted group(s) that it applies to

Once you understand how the RBAC elements are related, you will be able to create the necessary restrictions in the system and apply them to your user groups.

Further documentation on all of these concepts can be found in the AIOps product documentation: Managing user access control
