CoPilot User Account Administration
This section discusses user accounts for Aviatrix CoPilot and user account permissions required to use CoPilot features and functionality.
Users should be granted only the permissions needed to perform their work. Review user privileges on a routine basis to confirm they are appropriate for current work tasks. |
If you use an identity provider (IdP) to allow users to log in to Aviatrix Controller via SAML authentication, you can also allow users to log in to Aviatrix CoPilot via SAML authentication. See Set Up SAML Login for CoPilot.
About User Account to be Used as CoPilot Service Account
Aviatrix CoPilot requires a service account. The service account is used to retrieve data and make changes on Controller without a logged-in user. You need to create the service account in Aviatrix Controller. See Create Your CoPilot Service Account.
Each permission group has its own relevant privileges. To access CoPilot features, the CoPilot service account must be assigned corresponding permissions.
The CoPilot ThreatIQ and Distributed Cloud Firewall features require that the CoPilot service account have a minimum of all_firewall_network_write
permissions (added Firewall Network as the permission group).
The CoPilot gateway scaling feature requires a minimum of all_gateway_write
permissions(added Gateway as the permission group).
You must add these two permissions to your CoPilot service account if you want to use ThreatIQ, Distributed Cloud Firewall and Gateway features to manage your spokes and transits.
To have full access of all CoPilot features, the service account must be assigned all_write
permission (added AllWrite
as the permission group).
During initial setup of CoPilot, you are prompted to specify the user account to be used as the CoPilot service account.
About CoPilot User Accounts
This section describes user accounts for CoPilot and permissions required for some features.
All valid user accounts created on Aviatrix Controller can log in to Aviatrix CoPilot.
For a user to enable ThreatIQ alerts or ThreatIQ blocking in CoPilot, they must log in to CoPilot with a user account that has all_write or all_security_write permissions.
CoPilot Read-Only Access Views
CoPilot hides/disables some actions in the UI for users logging in with a read-only account. The read_only
permission group is a built-in permission group. It allows only full read access.
Controller user accounts that belong to a group that has read_only permissions cannot perform actions, such as:
-
Deleting change-set data (Topology Replay)
-
Creating and deleting scaling policies (Performance)
-
Resolving and deleting alerts (Notifications)
-
Creating and deleting network domains (Security)
For actions that are reserved for groups with all_write and all_security_write permissions, see Permissions Required for CoPilot Features.
User accounts with read-only permissions are able to perform the following tasks:
-
Saving and deleting filter groups (FlowIQ)
-
Saving and deleting topology layouts (Topology)
Permissions Required for CoPilot Features
The CoPilot ThreatIQ and Distributed Cloud Firewall features require that the CoPilot service account have a minimum of all_firewall_network_write permissions.
The CoPilot gateway scaling feature requires a minimum of all_gateway_write
permissions to manage the spokes and transits.
The admin permissions (all_write
) have full access to all CoPilot features. The admin permissions are required to perform the following:
-
Adding, changing, or deleting Aviatrix networking constructs and policies
-
Enabling CoPilot add-on features.