11.2. Role-Based Access Control in the GUI and CLI
When Role-Based Access Control(RBAC) is enabled, some users will not be able to run some operations, read from some resources or even be able to see parts of the management model at all, according to the roles assigned to them.
- The Management Console
- In the management console some controls and views are disabled (greyed out) or not visible at all depending on the permissions of your assigned role.If you do not have read permissions to a resource attribute, that attribute will appear blank in the console. For example, most roles cannot read the username and password fields for datasources.If you do not have write permissions to a resource attribute, that attribute will be disabled (greyed-out) in the edit form for the resource. If you do not have write permissions to the resource at all, then the edit button for the resource will not appear.If you do not have permissions to access a resource or attribute at all (it is "unaddressable" for your role) then it does not appear in the console at all for you. An example of that is the access control system itself which is only visible to a few roles by default.
- The Management API
- Users that use the
jboss-cli.shtool or use the API directly will encounter slightly different behaviour in the API when RBAC is enabled.Resources and attributes that cannot be read are filtered from results. If the filtered items are addressable by the role, their names are listed as
response-headerssection of the result. If a resource or attribute is not addressable by the role, it is not listed at all.Attempting to access a resource that is not addressable will result in a "resource not found" error.If a user attempts to write or read a resource that they can address but lack the appropriate write or read permissions, a "Permission Denied" error is returned.