Work Authorizations enables change management control wrappers to be placed around NSX objects. While ReSTNSX provides granular role-based access control (RBAC) per object, work authorizations provide further granularity and approval processes.
- Minimum Release: 3.2
- Application: NSX-v, NSX-T
- License: Enterprise
- Privilege level: Enterprise Admin (setup)
By setting up work authorizations, administrators can define a multi-step process for users to request an NSX change, an approval chain for that request and an optional 3rd tier to specify who can implement the job once approved.
The following is a typical scenario that is supported by ReSTNSX Work Authorizations.
Organization XYZ wishes to restrict who can change an IP Set with an approval process before the change is carried out. In this scenario, an Enterprise Administrator would enable work authorizations per group for editing IP Sets and define the approval and implementation chain. In this example, any user in this group would be bound to the following process before any IP Set changes could be made –
In this example, a user named approver will receive an approval request via email and at login, notifying them that they have a pending job to approve or deny. Additionally, this authorization does not allow (by default) the requester to implement the job. This particular example defines user2 as the only user – other than the Enterprise Admin – who can execute the job.
Upon approval or denial, the requester, approver and implementer receive notification of the job decision. If the job is approved, user2 can now log in to run the queued job by simply pressing the play button on their dashboard.
Once the job has been executed, all associated parties are notified; job data is sent to the system log and the job is archived.
The work authorizations architecture enables strict controls with verbose logging of user activity on and off box. Every request, decision and implementation is logged in a centralized dashboard and updated in real time. While the dashboard is available to all system users, any given user will only see jobs that they are associated with – either in the requesting, approval or implementation stage.
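The request, approval and implementation flow described above, modeled as a small state machine with its separation-of-duties checks, audit trail and dashboard visibility rule. This is an added illustration, not ReSTNSX code; the names `Job`, `dashboard`, `attempt` and the `admin` account are assumptions, and the users follow the scenario above.

```python
from dataclasses import dataclass, field

ENTERPRISE_ADMIN = "admin"  # assumed account name for the Enterprise Admin

@dataclass
class Job:
    requester: str
    approver: str
    implementers: frozenset
    change: str
    state: str = "pending"  # pending -> approved | denied -> executed
    log: list = field(default_factory=list)  # (user, event) audit trail

    def parties(self):
        return {self.requester, self.approver} | self.implementers

    def decide(self, user, approve):
        if user != self.approver:
            raise PermissionError(f"{user} is not the approver")
        if self.state != "pending":
            raise ValueError(f"job already {self.state}")
        self.state = "approved" if approve else "denied"
        self.log.append((user, self.state))

    def execute(self, user):
        if user not in self.implementers and user != ENTERPRISE_ADMIN:
            raise PermissionError(f"{user} may not implement this job")
        if self.state != "approved":
            raise ValueError(f"job is {self.state}, not approved")
        self.state = "executed"
        self.log.append((user, self.state))

def dashboard(jobs, user):
    return [j for j in jobs if user in j.parties()]

def attempt(job, user):
    try:
        job.execute(user)
        return "ok"
    except (PermissionError, ValueError) as exc:
        return type(exc).__name__

def demo():
    job = Job("user1", "approver", frozenset({"user2"}), "edit IP Set")  # constructed sample
    job.log.append((job.requester, "requested"))
    before = [attempt(job, u) for u in ("user1", "user2")]
    job.decide("approver", approve=True)
    after = [attempt(job, u) for u in ("user1", "user2")]
    return job, before + after
```

`demo()` returns the job and the outcome of each execution attempt: the requester is refused both before and after approval, and user2 succeeds only once the job is approved.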
To access the dashboard, choose Workflow Authorizations from the left side menu.
- Define which user group(s) and object actions require authorization (requesters)
- Define approvers and implementers
The remaining chapters cover details for setting up workflow authorizations.