Introduction to RBAC V3 and Service Account allowlisting
With release 125, General Availability (GA) was announced for two key features:
- Endpoint-specific allowlisting: IP allowlists can now be configured at a more granular, endpoint-specific level instead of only tenant-wide.
- Enhanced RBAC V3 authorization service: a new version of the Role-Based Access Control service.
https://docs.netskope.com/en/netskope-release-note-version-125-0-0#general-availability-of-endpoints-specific-allowlisting
The RBAC V3 service is not enabled by default in tenants upon release. It is being rolled out progressively.
A significant change accompanying the introduction of RBAC V3 is the deprecation of the previous Rest API V2 token provisioning workflow.
- Previous method: historically, API tokens were provisioned through the user interface by navigating to Tools > Rest API V2.
- Impact of RBAC V3 enablement: once RBAC V3 is activated on a tenant, the Rest API V2 token provisioning workflow becomes unavailable. This change is documented in the product release notes.
  - For instance, where the SCIM (System for Cross-domain Identity Management) user provisioning settings previously directed administrators to the Rest API V2 token provisioning page, those UI elements (the enablement status, global rate limiting, and the option to provision new tokens through the old method) are no longer visible or functional.
Going forward, token provisioning must be performed through the new service account creation and management process, which is integrated with RBAC V3.
Configuring Roles for RBAC V3
With RBAC V3 enabled on a tenant, role configuration is managed through a new UI.
To create and configure a new role for service accounts, such as for SCIM integration or AD Importer:
- Navigate to Administration > Roles.
- Create a new role.
- Assign a descriptive name to the role (e.g., scim_provisioner).
- Under permission categories, select Administration.
  - Machine accounts typically do not need UI access; select only the API endpoints the account needs. A SCIM service account that can also reach unrelated administrative endpoints is a needlessly powerful credential if its token leaks.
  - Deselect permissions for UI functions and other non-essential operations that the default permission presets may include. The UI displays the API endpoints associated with the selected permissions on the right-hand side.
  - Permissions are assigned at the role level rather than by selecting individual API endpoints directly.
- Configure the permissions the intended service needs.
  - For SCIM integration, the Users and Groups APIs are required. Set their permission level to Manage, as specified in the End-of-Life (EOL) and enablement documentation.
- Deselect every other permission not explicitly required for the role's function.
- Save the role.
Role-Based IP allowlisting:
Once the role is created, an IP allowlist can be configured specifically for that role. This is a new feature introduced with RBAC V3.
- Open the newly created role's settings.
- Locate the IP Allowlist section.
- The role-based allowlist can be populated using:
  - Custom IP addresses.
  - A CSV file containing a list of IP addresses.
- The IP addresses must be IPv4.
- Formatting requirements:
  - IP addresses must be space-delimited.
  - Remove any quotation marks (e.g., left over when the list was copied out of a JSON object).
  - Exclude any IPv6 addresses.
  - Example: the list of IPv4 addresses published in the Microsoft Entra ID documentation can be used once it meets these formatting requirements.
- Enable the IP allowlist for the role.
Key Consideration:
- The role-based IP allowlist supersedes any previously configured global IP allowlisting settings. Because it replaces rather than extends the global list, an address that is present only in the global allowlist does not grant access to a service account bound to this role.
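The formatting rules above are mechanical enough to script. The following Python is an added example (not Netskope's code and not part of the original article): it takes a list as copied from a JSON or CSV document, strips quotes and punctuation, drops IPv6 entries and anything that does not parse, de-duplicates, and emits the space-delimited IPv4 list the allowlist field expects. The sample input is constructed from documentation address ranges. Whether the field accepts IPv4 CIDR blocks in addition to single addresses is an assumption; the allow_cidr flag controls it, and setting it to False keeps single addresses only.

```python
"""Normalise a copied IP list into the space-delimited IPv4 form used by the
role IP allowlist field. Added example, not Netskope's own code."""
import ipaddress
import re

# Constructed sample input: a JSON fragment like one copied from a provider's
# published IP-range document. It mixes single IPv4 addresses, an IPv4 CIDR,
# IPv6 entries, a duplicate and a junk token. Documentation ranges only.
SAMPLE_INPUT = """
[
    "203.0.113.10",
    "203.0.113.10",
    "198.51.100.0/24",
    "2001:db8::1",
    "2001:db8:abcd::/48",
    "192.0.2.7", "not-an-ip"
]
"""

# Anything that separates entries in JSON, CSV or plain text: whitespace,
# commas, quotes, brackets and braces. Splitting on these strips the
# quotation marks the allowlist field rejects.
SEPARATORS = re.compile(r"""[\s,"'\[\]{}]+""")


def normalise_allowlist(raw: str, allow_cidr: bool = True) -> tuple[str, list[str]]:
    """Return (space-delimited IPv4 entries, rejected tokens).

    allow_cidr=True keeps IPv4 CIDR blocks as well as single addresses; this
    assumes the allowlist field accepts CIDR notation. Pass False to keep
    single addresses only. IPv6 entries are always rejected, matching the
    IPv4-only requirement of the role allowlist.
    """
    kept: list[str] = []
    rejected: list[str] = []
    seen: set[str] = set()
    for tok in SEPARATORS.split(raw):
        if not tok:
            continue
        try:
            entry = (ipaddress.ip_network(tok, strict=False) if "/" in tok
                     else ipaddress.ip_address(tok))
        except ValueError:
            rejected.append(tok)          # e.g. "not-an-ip" or a stray JSON key
            continue
        if entry.version != 4:
            rejected.append(tok)          # IPv6 address or network
            continue
        if isinstance(entry, ipaddress.IPv4Network) and not allow_cidr:
            rejected.append(tok)
            continue
        canonical = str(entry)            # canonical text form also de-duplicates
        if canonical not in seen:
            seen.add(canonical)
            kept.append(canonical)
    return " ".join(kept), rejected


if __name__ == "__main__":
    allowlist, bad = normalise_allowlist(SAMPLE_INPUT)
    print("paste into the allowlist field:", allowlist)
    print("rejected (review before ignoring):", bad)
```

Review the rejected list rather than discarding it: a provider document that lists only IPv6 egress addresses for some region cannot be expressed in an IPv4-only allowlist, and you want to know that before the connection test fails.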
Creating and Managing Service Accounts & Tokens
After a role has been provisioned, a service account can be created and associated with it.
Creating a Service Account
- Navigate to Administration > Service Account.
- Assign a name to the service account, for example "scim provisioner" if it is for SCIM integration.
- Select the RBAC V3 role created above (the role set up for SCIM access with the required API permissions).
- Under API Token Expiration, specify the token's validity period; for example, the token can be issued for 12 months.
- Click Create to finalize the service account and generate its API token.
Managing the API Token
- Initial token access:
  - Upon successful creation of the service account, the API token is displayed.
  - Copy the token immediately and place it in your secrets store. This is the only time the full token is visible and retrievable.
- Token lifecycle management:
  - Once the service account exists, its token can be managed with the following options:
    - Generate it again: creates a new token and invalidates the previous one. Because the old token stops working at once, update every consumer (for example the IdP's SCIM configuration) as part of the same change.
    - Change the expiration date: modify the token's validity period.
    - Revoke the key: permanently disables the token, preventing any further use of the key associated with that service account.
The previous workflow for provisioning API tokens via Tools > Rest API V2 is being deprecated. All API token provisioning must now be performed by creating a service account and generating a token through the RBAC V3 service account process described here.
Updating SCIM Integration with RBAC V3
To migrate an existing SCIM integration (e.g., with Okta) to use a new RBAC V3 service account and token, follow these steps:
- Access the SCIM provisioning settings: navigate to the SCIM application's user provisioning (or user enrollment) settings within your identity provider (e.g., Okta).
- Edit the provisioning configuration: locate the option to edit the SCIM provisioning settings.
- Update the API token: enter the new API token generated when the service account was created under RBAC V3. It replaces any previous token used by the integration.
- Update the base URL: change the SCIM base URL to the new service endpoint. The older SCIM service URL is being deprecated and will no longer function.
- Test the connection: after updating the token and base URL, test the connection to confirm that the SCIM integration works with the new credentials and endpoint.
Troubleshooting Connection Errors:
- If the connection test fails, the cause may be IP allowlisting.
- The RBAC V3 role associated with the service account can have its own IP allowlist, which supersedes any global IP allowlist.
- Ensure that the egress IP addresses used by your SCIM provider (e.g., Okta, Microsoft Entra ID) are included in the allowlist configured for the role.
  - For example, if the role's allowlist was populated with Microsoft Entra ID addresses but the SCIM integration under test is with Okta (which uses different addresses), the connection fails because of the IP mismatch.
- Verify that the correct set of IPv4 addresses for your specific SCIM provider has been added to the role's IP allowlist.
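Before running the connection test, it is worth checking offline that the role allowlist actually contains the provider's egress addresses, since the role list is evaluated on its own and not merged with the global allowlist. The Python below is an added example, not Netskope's code and not part of the original article: it parses an allowlist in the space-delimited IPv4 form described earlier on this page and reports which of a provider's addresses no entry covers. The allowlist and provider addresses are constructed from documentation ranges (not Okta's or Microsoft's real egress addresses) and reproduce the mismatch described above: a list populated for Entra ID passes for Entra ID but fails for Okta.

```python
"""Offline check: are an IdP's egress addresses covered by the role IP
allowlist? Added example, not Netskope's own code."""
import ipaddress

# Constructed data using documentation ranges. The allowlist was populated
# with the "Entra ID" addresses only, as in the troubleshooting scenario.
ROLE_ALLOWLIST = "203.0.113.10 203.0.113.11 198.51.100.0/24"
PROVIDER_EGRESS = {
    "Microsoft Entra ID": ["203.0.113.10", "203.0.113.11", "198.51.100.200"],
    "Okta": ["192.0.2.20", "192.0.2.21", "198.51.100.7"],
}
# A global allowlist is deliberately not consulted: the role allowlist
# supersedes it, so an address covered only globally does not help.


def parse_allowlist(space_delimited: str) -> list[ipaddress.IPv4Network]:
    """Parse the space-delimited IPv4 allowlist. Single addresses become /32
    networks so one containment test handles addresses and CIDRs alike.
    Raises ValueError on IPv6 or malformed entries, which the field rejects."""
    nets = []
    for tok in space_delimited.split():
        net = ipaddress.ip_network(tok, strict=False)
        if net.version != 4:
            raise ValueError(f"IPv6 entry not allowed in role allowlist: {tok}")
        nets.append(net)
    return nets


def uncovered(provider_ips: list[str], allowlist: str) -> list[str]:
    """Return the provider addresses that no allowlist entry contains."""
    nets = parse_allowlist(allowlist)
    missing = []
    for ip in provider_ips:
        addr = ipaddress.ip_address(ip)
        if addr.version != 4 or not any(addr in net for net in nets):
            missing.append(ip)
    return missing


def check_provider(name: str, allowlist: str = ROLE_ALLOWLIST) -> dict:
    """Report for one provider which of its addresses would be blocked."""
    missing = uncovered(PROVIDER_EGRESS[name], allowlist)
    return {"provider": name, "missing": missing, "ok": not missing}


if __name__ == "__main__":
    for provider in PROVIDER_EGRESS:
        result = check_provider(provider)
        status = "OK" if result["ok"] else "BLOCKED: " + ", ".join(result["missing"])
        print(f"{provider}: {status}")
```

Feed the function the provider's current published address list each time it changes; a check that passed when the role was built says nothing about addresses the provider added later.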
Understanding and Implementing RBACv3 for SCIM Provisioning
This guide delves into the specifics of Netskope's RBACv3 framework, detailing the crucial changes for API token management and how to integrate it with your SCIM provisioning. Learn about setting up role-based permissions and granular IP allowlisting for enhanced security.
https://support.netskope.com/s/article/SCIM-Allowlist-and-RBAC-V3-Instructions