RBAC Filter


Role-Based Access Control (RBAC) is used to protect access to the API Gateway management services. For example, management services are invoked when a user accesses the server using the Policy Studio or the API Gateway Manager tools (https://localhost:8090/). For more information, see Configuring Role-Based Access Control (RBAC).

The RBAC filter is used in the Protect Management and Policy Director Interfaces policy to perform the following tasks:

  • Read the user roles from the configured message attribute (for example, authentication.subject.role).

  • Determine which management service URI is currently being invoked.

  • Return true if one of the roles has access to the management service currently being invoked, as defined in the acl.json file.

  • Otherwise, return false, and the Return HTTP Error 403: Access Denied (Forbidden) policy is called. The message content of this filter is shown when a valid user has logged into the browser, but their roles do not give them access to the URI they have invoked. For example, this occurs if a new user is created and they have not yet been assigned any roles.


Configure the following settings:


Enter an appropriate name for this filter.

Role Attribute:

Select or enter the message attribute that contains the user roles. Defaults to authentication.subject.role.