IT Operations Management (ITOM)

3 use cases for Role-based access control in HP Network Automation

3 use cases for Role-based access control in HP Network Automation


Guest post by Niharika Sahu


Are you concerned about role-based access control (RBAC) in day-to-day network change, configuration, and compliance? Not to worry, here’s how HP Network Automation (HP NA) deals with RBAC…


Role-based access control (RBAC) is a method of regulating access to computer or network resources based on the roles of individual users within an enterprise. The concept of role-based access control began with multi-user and multi-application online systems. The main concept of RBAC is that permissions are associated with roles, and then users are assigned to appropriate roles. This approach greatly simplifies management of permissions, because there are generally fewer roles than users. Roles are created for the various job functions in an organization. Users are assigned roles based on their responsibilities. Users can be easily reassigned from one role to another. Roles can be granted new permissions as new applications and systems are incorporated, and permissions can be revoked from roles as needed.


Access control policy is embodied in various components of RBAC such as role permission, user-role and role-role relationships. These components collectively determine whether a particular user will be allowed to access a particular object in the system.


Experience Network Automation by downloading the free trial version here.


RBAC in HP Network Automation (HP NA):



The RBAC concept is implemented in NA by using security partitions. Partitions are logical containers that hold NA objects separately from the other partitions. Partitions are key to restricting access to NA objects.


The types of NA objects that can be grouped include users, user groups, devices, device groups, device password rules, command scripts, policies, diagnostics scripts, configuration templates, device templates, and software images.


Let’s understand some of the business cases where security partitions can be used...

1/ If you are a Managed Service Provider and need an exclusive setup for each of your customers…


For a Managed Service Provider (MSP) that manages multiple customer networks, security partitions can be used to restrict each customer’s objects from the view of the remaining customers.

If you are an MSP for a large banking institution and want to make the MSP users invisible to the bank’s user…


Partitions provide the ability to restrict the users who can view other users. By creating partitions for users and user groups, the users working for the Managed Service Provider can be rendered invisible to the bank’s users. (click for larger image)


You can create a user to be the Site Administrator (Site Admin) of Customer A. This user can have administrative privileges for all objects that belong to Customer A but will not have any access to the objects belonging to Customer B.


 Below is a high-level view of the procedure to implement this use case.


2/ Want to restrict the ownership of certain devices/device groups to a group of users?


Let’s first understand the meaning of “ownership of devices” here:

  • HP NA tracks and regulates configuration and software changes across various network devices.
  • HP NA can enforce security and regulatory policies at the network level by making sure that configurations comply with pre-defined standards.
  • Using HP NA, bulk configurations can be pushed to multiple devices using command scripts that run a set of commands (batch actions) on one or multiple active devices.
  • You can restrict the users who can manage the change, configuration, and compliance of a set of devices. For example, you can create partitions that allow a group of users to only manage and configure (command script execution, configuration change, policy check, and so on) the routers in the customer network, and another group of users to manage and configure the firewall devices in the network. The users managing routers do not have access to the firewall devices.

3/ Is load balancing a continuous push for your enterprise tools?



For load sharing, NA can be implemented in a Horizontal Scalability environment where more than one NA core distributes the load of managing devices. Partitions can determine which NA core manages which devices. The NA administrator assigns each partition to an NA core to distribute the device task load among the NA cores.








(click for larger image)


More about partitions in NA:

Partitions are always public groups. They can be placed within the device group hierarchy. If an object (such as device, device group, user, or user group) is added to a partition, it is automatically removed from the partition to which it previously belonged.


If a partition is deleted, all objects are automatically placed in the default partition (named Default Site) to ensure that any object appears in only one partition. Any reference to an IP address without an explicit partition uses the Default Site.


The following steps show how easy it is to implement the business case: “If you are an MSP and need an exclusive setup for each one of your customers” with HP Network Automation software.



1/ Create a new partition and associate devices.

  • Open the New Partition page (Admin > Security Partition > New Partition).
  • Create a partition for Customer A called SiteX and a partition for Customer B called
  • Associate the devices of Customer A and Customer B to SiteX and SiteY




2/ Create new users and assign them to the sites.

  • In the NA console, open the New User page (Admin > New user).
  • Set the Site field to SiteX for the users created for Customer A and to SiteY for the users created for Customer B.

3/ Edit device groups and devices to assign them to the partition.


                                                                              Device groups - Assign the device groups that belong to Customer A to SiteX and the device groups of Customer B to SiteY.





(click for larger image)



Devices - Assign the devices of Customer A and Customer B to SiteX and SiteY respectively.








(click for larger image)


4/ Create a new user group and associate devices, device groups, and users to that user group.


  • Create a new user group for Customer A – UG_CustomerA – on the New User Group page (Admin > New User group).
  • Set the Site field to SiteX.




  • Under Command Permissions, select Customized Command Permission Role, and then grant permission for the required commands.
  • To provide administrative access to SiteX to the users of this user group, click Grant All. By doing so the users of this user group become the Site Admin of SiteX.
  • Under Modify Device Permissions, select SiteX—the users of this user group can only modify the devices that belongs to SiteX.
  • Under View Partition Permissions, select SiteX as the partition—the users belonging to this group will have view permission to only those devices and device groups that belong to SiteX.
  • Add the users created for Customer A, and then save the form.


For creating the user group for Customer B, repeat these steps. Remember to select SiteY.


5/ Validate the setup

  • Log on to the NA console as the user created for Customer A.
  • Select Devices > Inventory—only those devices that are associated with SiteX are visible.
  • Select Admin > Users—only the users associated with SiteX are visible to this user.
  • Similarly, when you log on to the NA console as the user created for Customer B, you can view the devices, device groups, and users that are associated with SiteY, and you cannot view any objects associated with SiteX.

To learn more about the HP NA product, click here

Experience the product by downloading the free trial version here.



About the author: Niharika Sahu has 8 years of experience as a quality assurance engineer in HP. She has worked on multiple products in the BSM portfolio across the System and Network domains. She is currently working on HP Network Automation in the Network Management Center portfolio.



HP Network Automation   software automates the complete operational lifecycle of network devices from provisioning to policy-based change management, compliance, and security administration. Start your free trial today!



Tweet to us at  @HPITOps   and let us know what you think! | Friend HP Software on Facebook  | Join our Network Management Solutions



Michael Procopio Procopio
  • infrastructure management
About the Author


HPE Software Product Marketing. Over 20 years in network and systems management.


Fantastic blog post, Niharika. Full of useful and clearly presented information. Thanks for sharing. 


New Member.

Good insight to understand this feature

HPE Expert

Very nice Blog .