Administrative roles

With the release of Airlock Gateway 8.3, we have cleaned up our administrative role matrix based on customer feedback.

Functional limitation

Customizing administration roles for Airlock Gateway is no longer possible for Airlock Gateway 8.3 and later.

Notice

The role airlock-supervisor has been removed. Use the role airlock-administrator instead.

Role descriptions and use cases

Role name	Description
`airlock-administrator`	Unlimited role with full access to the Airlock Gateway Configuration Center.
`airlock-config-editor`	Restricted role allows editing of the entire configuration, including saving, loading, exporting, and importing configurations. Access to the license is not given. It is not possible to activate configurations. This role can be used for strict 4-eyes principle configuration workflows, where the `airlock-config-editor` makes initial configurational changes. Users with the role `airlock-config-applier` can then review and activate the changes.
`airlock-config-applier`	Restricted role that allows loading and activating already existing, saved configurations. This role can be used for strict 4-eyes principle configuration workflows, where the `airlock-config-editor` makes initial configurational changes. Users with the role `airlock-config-applier` can then review and activate the changes.
`airlock-app-operator`	Restricted role that allows customization in maintenance work on back-end applications. The role allows the maintenance page to be switched `on/off` and to adjust back-end host modes, spare flags, and weight. Changes are only possible in the current (active) configuration. Loading, saving, importing, or exporting is not allowed. The role is intended for users who need to be able to turn maintenance pages on or off in the event of maintenance work on back-end applications or switch between redundant back-end hosts.
`airlock-app-admin`	Restricted role that allows configuration changes at the mapping level, including editing the connections of mappings to virtual hosts and back-end groups. Configuration export and import are allowed for mappings only. The role is intended for users responsible for integrating and maintaining application mappings when entry points (virtual hosts) and back-end groups are already defined.
`airlock-cert-admin`	Restricted role to manage and activate certificates in the current (active) configuration. This role is for managing certificates for Airlock Gateway and applications. This includes server certificates, client certificates, and their use, as well as local JWKS providers and the use of JWKS providers.
`airlock-auditor`	Restricted role that allows viewing, loading, import, and export configurations (except private key material). The role is for auditors who are supposed to audit/review Airlock Gateway configurations, including the possibility to compare different configurations with each other.
`airlock-readonly`	Read-only role that allows access to the current (active) configuration, including logs, reports, and current sessions (Session Viewer). The role is intended for read-only access for log evaluation and reporting.
`airlock-readonly-restricted`	Restricted role with limited read-only access to the current configuration. Access to sensitive information is prohibited. The role is intended for read-only access in cases where access to logs and other sensitive information should not be possible.

Actions

Action	airlock-administrator	airlock-config-editor	airlock-config-applier	airlock-app-operator	airlock-app-admin	airlock-cert-admin	airlock-auditor	airlock-readonly	airlock-readonly-restricted
Log in to the Configuration Center	x	x	x	x	x	x	x	x	x
Change own password	x	x	x	x	x	x	x	x	x
Activate configuration	x		x	x	x	x
Revalidate configuration	x	x	x	x	x	x
Load configuration	x	x	x				x
Save configuration	x	x			x
Export configuration	x	x					x (w/o private keys)
Import configuration	x	x					x
Export mapping	x	x			x		x
Import mapping	x	x			x
System Admin actions¹	x
Upload update	x
Session Viewer list	x	x	x	x	x	x		x
Session Viewer details	x
Terminate session	x
Policy Learning	x	x			x
View logs	x	x	x	x	x	x		x
View reports	x	x	x	x	x	x		x
Dashboard → Proxy Statistics	x	x	x	x	x	x		x
Configuration summary	x	x	x	x	x	x	x	x
Manage add-on modules	x

1: Set time/date, shutdown/reboot, take offline, API key actions

Configuration management

Configuration item	airlock-administrator	airlock-config-editor	airlock-config-applier	airlock-app-operator	airlock-app-admin	airlock-cert-admin	airlock-auditor	airlock-readonly	airlock-readonly-restricted
License	RW	R	R				R
Nodes, Interface, Routes, Hosts	RW	RW	R	R	R	R	R	R	R
Network Services	RW	RW	R	R	R	R	R	R	R
Threat Intelligence	RW	R	R	R	R	R	R	R
IP Address Lists	RW	RW	R	R	R	R	R	R
Reverse Proxy (connections)	RW	RW	R	R	RW	R	R	R	R
Virtual Hosts	RW	RW	R	RW⁵	R	RW²	R	R	R
Mappings	RW	RW	R	RW⁵	RW	RW⁴	R	R	R
Back-end Groups	RW	RW	R	RW⁶	R	RW³	R	R	R
Anomaly Shield	RW	RW	R	R	R	R	R	R	R
Geolocation Filter	RW	RW	R	R	R	R	R	R	R
Certificates	RW	RW	R	R⁸	R⁸	RW¹	R⁸	R⁸
JWKS Providers	RW	RW	R	R⁸	R⁸	RW⁷	R⁸	R⁸
Session Settings	RW	RW	R	R	R	R	R	R	R
Default Actions	RW	RW	R	R	R	R	R	R	R
Deny Rules	RW	RW	R	R	R	R	R	R	R
API Security	RW	RW	R	R	R	R	R	R	R
Dynamic IP Blacklist	RW	RW	R	R	R	R	R	R	R
Error Pages	RW	RW	R	R	R	R	R	R	R
Display Error Pages	RW	RW	R	R	R	R	R	R	R
Expert Settings	RW	RW	R	R	R	R	R	R

1: No write access to ACME Services.
2: Write access allows assigning certificates to virtual hosts or switching to ACME service (incl. e-mail), writing the HTTPS flag, the HTTPS port to VHosts, and the redirect flag HTTP → HTTPS.
3: Write access allows the assignment of client certificates to back-end groups.
4: Write access allows for setting, removing and changing JWKS providers.
5: Write access allows enabling and deactivating maintenance pages.
6: Write access allows editing back-end host modes, spare flags, and weight.
7: Write access on JWKS local providers only (no write access to JWKS remote providers).
8: No viewing access to details of certificates (client and server) and local JWKS.