Administrative roles

 
Notice

Administrative roles are intended for access to the Configuration Center only.

To control the permissions for the REST API, use the command-line tool airlock-user-manager-tool with the arguments --readPaths or --writePaths to define which API endpoints are accessible for reading or writing.

Role descriptions and use cases

Role name

Description

airlock-administrator

  • Unlimited role with full access to the Airlock Gateway Configuration Center.

airlock-config-editor

  • Restricted role allows editing of the entire configuration, including saving, loading, exporting, and importing configurations.
  • Access to the license is not given.
  • It is not possible to activate configurations.

This role can be used for strict 4-eyes principle configuration workflows, where the airlock-config-editor makes initial configurational changes. Users with the role ​airlock-config-applier can then review and activate the changes.

airlock-config-applier

  • Restricted role that allows loading and activating already existing, saved configurations.

This role can be used for strict 4-eyes principle configuration workflows, where the airlock-config-editor makes initial configurational changes. Users with the role ​airlock-config-applier can then review and activate the changes.

airlock-app-operator

  • Restricted role that allows customization in maintenance work on back-end applications.
  • The role allows the maintenance page to be switched on/off and to adjust back-end host modes, spare flags, and weight.
  • Changes are only possible in the current (active) configuration.
  • Loading, saving, importing, or exporting is not allowed.

This role is for users who need to be able to turn maintenance pages on or off in the event of maintenance work on back-end applications or switch between redundant back-end hosts.

airlock-app-admin

  • Restricted role that allows configuration changes at the mapping level, including editing the connections of mappings to virtual hosts and back-end groups.
  • Configuration export and import are allowed for mappings only.

This role is for users who are responsible for integrating and maintaining application mappings when entry points (virtual hosts) and back-end groups are already defined.

airlock-cert-admin

  • Restricted role to manage and activate certificates in the current (active) configuration.

This role is intended for certificate management for Airlock Gateway and applications. This scope includes server certificates, client certificates, and their use, as well as local JWKS providers and the use of JWKS providers.

airlock-auditor

  • Restricted role that allows viewing, loading, import, and export configurations (except private key material).

This role is for auditors who are supposed to audit/review Airlock Gateway configurations, including the possibility to compare different configurations with each other.

airlock-readonly-session-viewer-details

  • Restricted role that allows read-only access to details of a session in the Session Viewer.
  • Includes read-only access to the current (active) configuration, including logs, and current sessions in the Session Viewer.

This role grants extended read-only access, including access to more sensitive information contained in the Session Viewer details.

airlock-readonly

  • Restricted role that provides access to the current (active) configuration, including logs, reports, and current sessions (Session Viewer).

This role grants read-only access for log evaluation and reporting.

airlock-readonly-restricted

  • Restricted role with access limited to the current (active) configuration.
  • Access to sensitive information is prohibited.

This role grants read-only access in cases where access to logs and other sensitive information should not be possible.

Actions

Action

airlock-administrator

airlock-config-editor

airlock-config-applier

airlock-app-operator

airlock-app-admin

airlock-cert-admin

airlock-auditor

airlock-readonly-session-viewer-details

airlock-readonly

airlock-readonly-restricted

Log in to the Configuration Center

x

x

x

x

x

x

x

x

x

x

Change own password

x

x

x

x

x

x

x

x

x

x

Activate configuration

x

x

x

x

x

Revalidate configuration

x

x

x

x

x

x

Load configuration

x

x

x

x

Save configuration

x

x

x

Export configuration

x

x

x (w/o private keys)

Import configuration

x

x

x

Export mapping

x

x

x

x

Import mapping

x

x

x

System Admin actions1

x

Upload update

x

Session Viewer list

x

x

x

x

x

x

x

x

Session Viewer details

x

x

Terminate session

x

Policy Learning

x

x

x

View logs

x

x

x

x

x

x

x

x

View reports

x

x

x

x

x

x

x

x

Dashboard → Proxy Statistics

x

x

x

x

x

x

x

x

Configuration summary

x

x

x

x

x

x

x

x

x

Manage add-on modules

x

1

Set time/date, shutdown/reboot, take offline, API key actions

Configuration management

Configuration item

airlock-administrator

airlock-config-editor

airlock-config-applier

airlock-app-operator

airlock-app-admin

airlock-cert-admin

airlock-auditor

airlock-readonly-session-viewer-details

airlock-readonly

airlock-readonly-restricted

License

RW

R

R

R

Nodes, Interface, Routes, Hosts

RW

RW

R

R

R

R

R

R

R

R

Network Services

RW

RW

R

R

R

R

R

R

R

R

Threat Intelligence

RW

R

R

R

R

R

R

R

R

IP Address Lists

RW

RW

R

R

R

R

R

R

R

Reverse Proxy (connections)

RW

RW

R

R

RW

R

R

R

R

R

Virtual Hosts

RW

RW

R

RW5

R

RW2

R

R

R

R

Mappings

RW

RW

R

RW5

RW

RW4

R

R

R

R

Back-end Groups

RW

RW

R

RW6

R

RW3

R

R

R

R

Anomaly Shield

RW

RW

R

R

R

R

R

R

R

R

Geolocation Filter

RW

RW

R

R

R

R

R

R

R

R

Certificates

RW

RW

R

R8

R8

RW1

R8

R8

R8

JWKS Providers

RW

RW

R

R8

R8

RW7

R8

R8

R8

Session Settings

RW

RW

R

R

R

R

R

R

R

R

Default Actions

RW

RW

R

R

R

R

R

R

R

R

Deny Rules

RW

RW

R

R

R

R

R

R

R

R

API Security

RW

RW

R

R

R

R

R

R

R

R

Dynamic IP Blacklist

RW

RW

R

R

R

R

R

R

R

R

Error Pages

RW

RW

R

R

R

R

R

R

R

R

Display Error Pages

RW

RW

R

R

R

R

R

R

R

R

Expert Settings

RW

RW

R

R

R

R

R

R

R

1

No write access to ACME Services.

2

Write access restricted to assigning certificates to virtual hosts or switching to ACME service (incl. e-mail), writing the HTTPS flag, the HTTPS port to VHosts, and the redirect flag HTTP → HTTPS.

3

Write access restricted to the assignment of client certificates to back-end groups.

4

Write access restricted to setting, removing and changing JWKS providers.

5

Write access restricted to enabling and deactivating maintenance pages.

6

Write access restricted to editing back-end host modes, spare flags, and weight.

7

Write access on JWKS local providers only (no write access to JWKS remote providers).

8

No viewing access details of certificates (client and server) and local JWKS.