iControl REST Fine-Grained Role Based Access Control
I am inclined to agree with Olivier here. Unfortunately I don't have a unit to run tests on, but if I have understood the above article correctly, the fine-grained security control put in place here only applies to API requests.
As an example, Satoshi mentions giving access to the stats for a particular virtual server - which happens to be the exact use-case I have. To view stats normally, a user needs a role with administrative-level privileges (which I can't make sense of, but that's another story!). Based on the example in the article, I am therefore concluding the role assigned to my user in the first step would need to be an administrative role. I would then create a new custom role as described above, attach the user to the custom role and apply the required restrictions (i.e. GET only) via the custom resource-group mapped to the custom role.
I understand this works for API requests. However, my confusion is over how (or if) this new role has any effect on the new user's ability to log in to the Configuration Utility? If the custom role has no bearing on login to the config utility, then I've just given a user GUI admin privileges when all I wanted was to let them see stats.
Very happy to be corrected if I've misunderstood something here.
Cheers.