Administrative roles in Airlock Gateway

With the release of Airlock Gateway 8.3, we have cleaned up our administrative role matrix based on customer feedback.

Customizing administration roles for Airlock Gateway is no longer possible for Airlock Gateway 8.3 and later.

The role airlock-supervisor has been removed. Use the role airlock-administrator instead.

Role descriptions and use cases

airlock-administrator

  • Unlimited role with full access to the Airlock Gateway Configuration Center.

airlock-config-editor

  • Restricted role that allows editing the entire configuration, including saving, loading, exporting, and importing configurations.
  • No access to the license.
  • It is not possible to activate configurations.

This role can be used for strict 4-eyes principle configuration workflows, where the airlock-config-editor makes the initial configuration changes. Users with the role airlock-config-applier can then review and activate the changes.

airlock-config-applier

  • Restricted role that allows loading and activating already existing, saved configurations.

This role can be used for strict 4-eyes principle configuration workflows, where the airlock-config-editor makes the initial configuration changes. Users with the role airlock-config-applier can then review and activate the changes.
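The editor/applier split described above only enforces a review step if no single account holds both sides of it. The following is an added example (not Airlock code) that audits a user-to-role list for such accounts; it models only the capabilities the role descriptions state for airlock-config-editor, airlock-config-applier and airlock-administrator, and the user assignments are constructed sample data.

```python
"""Separation-of-duties check for the config-editor / config-applier workflow.

Added example, not Airlock code. It models only what the role descriptions
state: airlock-config-editor edits and saves but cannot activate,
airlock-config-applier loads and activates, airlock-administrator does both.
Any other role is assumed to contribute neither capability.
"""
from typing import Dict, Iterable, List, Set

EDIT = "edit_and_save_configuration"
ACTIVATE = "activate_configuration"

ROLE_CAPABILITIES: Dict[str, Set[str]] = {
    "airlock-administrator": {EDIT, ACTIVATE},
    "airlock-config-editor": {EDIT},
    "airlock-config-applier": {ACTIVATE},
}

def capabilities(roles: Iterable[str]) -> Set[str]:
    """Union of the modelled capabilities over a user's roles."""
    caps: Set[str] = set()
    for role in roles:
        caps |= ROLE_CAPABILITIES.get(role, set())
    return caps

def four_eyes_violations(assignments: Dict[str, List[str]]) -> List[str]:
    """Users who can both change and activate a configuration on their own and
    so bypass the review step; administrators are listed too."""
    return sorted(user for user, roles in assignments.items()
                  if {EDIT, ACTIVATE} <= capabilities(roles))

def four_eyes_workflow_possible(assignments: Dict[str, List[str]]) -> bool:
    """True when at least one pure editor and one pure applier exist, so a
    change has to pass through two different accounts."""
    editors = [u for u, r in assignments.items() if capabilities(r) == {EDIT}]
    appliers = [u for u, r in assignments.items() if capabilities(r) == {ACTIVATE}]
    return bool(editors) and bool(appliers)

# Constructed sample data: "carol" defeats the split by holding both roles.
SAMPLE_ASSIGNMENTS: Dict[str, List[str]] = {
    "alice": ["airlock-config-editor"],
    "bob": ["airlock-config-applier"],
    "carol": ["airlock-config-editor", "airlock-config-applier"],
    "dave": ["airlock-administrator"],
    "erin": ["airlock-readonly"],
}

if __name__ == "__main__":
    print("violations:", four_eyes_violations(SAMPLE_ASSIGNMENTS))
    print("4-eyes workflow possible:", four_eyes_workflow_possible(SAMPLE_ASSIGNMENTS))
```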

airlock-app-operator

  • Restricted role that allows the adjustments needed for maintenance work on back-end applications.
  • The role allows switching maintenance pages on or off and adjusting back-end host modes, spare flags, and weights.
  • Changes are only possible in the current (active) configuration.
  • Loading, saving, importing, or exporting is not allowed.

The role is intended for users who need to be able to turn maintenance pages on or off in the event of maintenance work on back-end applications or switch between redundant back-end hosts.

airlock-app-admin

  • Restricted role that allows configuration changes at the mapping level, including editing the connections of mappings to virtual hosts and back-end groups.
  • Configuration export and import are allowed for mappings only.

The role is intended for users responsible for integrating and maintaining application mappings when entry points (virtual hosts) and back-end groups are already defined.

airlock-cert-admin

  • Restricted role to manage and activate certificates in the current (active) configuration.

This role is for managing certificates for Airlock Gateway and its applications. This covers server certificates, client certificates, and where they are used, as well as local JWKS providers and the use of JWKS providers.

airlock-auditor

  • Restricted role that allows viewing, loading, importing, and exporting configurations (except private key material).

The role is for auditors who review Airlock Gateway configurations, including comparing different configurations with each other.

airlock-readonly

  • Read-only role that allows access to the current (active) configuration, including logs, reports, and current sessions (Session Viewer).

The role is intended for read-only access for log evaluation and reporting.

airlock-readonly-restricted

  • Restricted role with limited read-only access to the current configuration.
  • Access to sensitive information is prohibited.

The role is intended for read-only access in cases where access to logs and other sensitive information should not be possible.

Actions

Columns, in order: airlock-administrator, airlock-config-editor, airlock-config-applier, airlock-app-operator, airlock-app-admin, airlock-cert-admin, airlock-auditor, airlock-readonly, airlock-readonly-restricted. Each action lists its marks in the order they appear; empty cells are not preserved, so a row with fewer than nine marks cannot be attributed to individual roles from the marks alone.

  • Log in to the Configuration Center: x, x, x, x, x, x, x, x, x (all nine roles)
  • Change own password: x, x, x, x, x, x, x, x, x (all nine roles)
  • Activate configuration: x, x, x, x, x
  • Revalidate configuration: x, x, x, x, x, x
  • Load configuration: x, x, x, x
  • Save configuration: x, x, x
  • Export configuration: x, x, x (the last w/o private keys)
  • Import configuration: x, x, x
  • Export mapping: x, x, x, x
  • Import mapping: x, x, x
  • System Admin actions (1): x
  • Upload update: x
  • Session Viewer list: x, x, x, x, x, x, x
  • Session Viewer details: x
  • Terminate session: x
  • Policy Learning: x, x, x
  • View logs: x, x, x, x, x, x, x
  • View reports: x, x, x, x, x, x, x
  • Dashboard → Proxy Statistics: x, x, x, x, x, x, x
  • Configuration summary: x, x, x, x, x, x, x, x
  • Manage add-on modules: x

(1) Set time/date, shutdown/reboot, take offline, API key actions.

Configuration management

R = read access, RW = read and write access. Numbers in parentheses refer to the footnotes below the table.

| Configuration item | airlock-administrator | airlock-config-editor | airlock-config-applier | airlock-app-operator | airlock-app-admin | airlock-cert-admin | airlock-auditor | airlock-readonly | airlock-readonly-restricted |
|---|---|---|---|---|---|---|---|---|---|
| Nodes, Interface, Routes, Hosts | RW | RW | R | R | R | R | R | R | R |
| Network Services | RW | RW | R | R | R | R | R | R | R |
| Reverse Proxy (connections) | RW | RW | R | R | RW | R | R | R | R |
| Virtual Hosts | RW | RW | R | RW (5) | R | RW (2) | R | R | R |
| Mappings | RW | RW | R | RW (5) | RW | RW (4) | R | R | R |
| Back-end Groups | RW | RW | R | RW (6) | R | RW (3) | R | R | R |
| Anomaly Shield | RW | RW | R | R | R | R | R | R | R |
| Geolocation Filter | RW | RW | R | R | R | R | R | R | R |
| Session Settings | RW | RW | R | R | R | R | R | R | R |
| Default Actions | RW | RW | R | R | R | R | R | R | R |
| Deny Rules | RW | RW | R | R | R | R | R | R | R |
| API Security | RW | RW | R | R | R | R | R | R | R |
| Dynamic IP Blacklist | RW | RW | R | R | R | R | R | R | R |
| Error Pages | RW | RW | R | R | R | R | R | R | R |
| Display Error Pages | RW | RW | R | R | R | R | R | R | R |

The following configuration items have fewer than nine cells in the source, so their values cannot be assigned to individual roles; they are listed in the order they appear:

  • License: RW, R, R, R
  • Threat Intelligence: RW, R, R, R, R, R, R, R
  • IP Address Lists: RW, RW, R, R, R, R, R, R
  • Certificates: RW, RW, R, R (8), R (8), RW (1), R (8), R (8)
  • JWKS Providers: RW, RW, R, R (8), R (8), RW (7), R (8), R (8)
  • Expert Settings: RW, RW, R, R, R, R, R, R

(1) No write access to ACME Services.

(2) Write access allows assigning certificates to virtual hosts or switching to an ACME service (including the e-mail address), setting the HTTPS flag and the HTTPS port on virtual hosts, and setting the HTTP → HTTPS redirect flag.

(3) Write access allows assigning client certificates to back-end groups.

(4) Write access allows setting, removing, and changing JWKS providers.

(5) Write access allows enabling and disabling maintenance pages.

(6) Write access allows editing back-end host modes, spare flags, and weights.

(7) Write access to local JWKS providers only (no write access to remote JWKS providers).

(8) No viewing access to the details of certificates (client and server) and local JWKS.