Tags

Device Tags for Network Organization and Access Control in rConfig V8

Tags provide a flexible organizational framework for categorizing and managing devices within rConfig V8. Understanding how tags function within the platform enables administrators to create logical groupings that align with their network infrastructure, business requirements, and operational workflows.

Tags are custom labels that can be assigned to devices to create logical groupings independent of traditional hierarchical structures. Unlike categories or device types that follow predefined taxonomies, tags offer complete flexibility in how you organize your network infrastructure.

Organizations benefit from tags in several key ways:

  • Flexible Grouping: Create device collections based on any criteria relevant to your operations—geographic location, maintenance windows, vendor types, criticality levels, or project assignments
  • Scheduled Task Targeting: Tags serve as selectors for Scheduled Tasks, enabling automated operations against specific device groups
  • RBAC Integration: Assign role-based access controls to tags, ensuring users only interact with devices appropriate to their responsibilities
  • Operational Efficiency: Quickly identify and act upon device subsets without complex filtering or manual selection

Real-world implementations often include tags such as:

  • Routers
  • Rocky94Servers
  • Fortinet devices
  • Production
  • MaintenanceWindow-Sunday
  • Critical-Infrastructure

Tags maintain a many-to-many relationship with devices, meaning:

  • A single device can have multiple tags assigned
  • A single tag can be assigned to unlimited devices
  • Tag assignments are non-hierarchical and independent

This flexibility allows administrators to create overlapping organizational schemes. For example, a firewall might simultaneously carry tags for “Security-Devices”, “Perimeter”, “Chicago-Office”, and “Maintenance-Tuesday”.

Tags integrate with several rConfig V8 subsystems:

Scheduled Tasks: Tasks can target devices by tag, executing configuration backups, compliance checks, or script operations against all devices carrying a specific tag.

Role-Based Access Control (RBAC): Roles can be associated with tags to restrict user visibility and operations to specific device subsets.

Device Management: Tags appear in device listings and detail views, enabling quick identification and filtering.

Reporting: Future reporting capabilities will leverage tags for generating targeted reports and analytics.



Navigate to the Tags management interface from the main administration menu:

  1. Access Tags Management: Select Admin → Tags from the navigation menu
  2. Initiate Creation: Click the Add Tag button
  3. Define Tag Properties:
    • Tag Name: Enter a descriptive, meaningful name following your organization’s naming conventions
    • Description (optional): Provide context about the tag’s purpose and intended use
    • Color (optional): Select a visual identifier for quick recognition in the interface
  4. Configure RBAC (if applicable): Assign roles that should have access to devices with this tag
  5. Save the Tag: Click Save to create the tag

To modify a tag’s properties:

  1. Navigate to Admin → Tags
  2. Locate the target tag in the list
  3. Click the Edit icon or tag name
  4. Modify the desired properties
  5. Click Save to apply changes

Changes to tag properties (name, description, color) apply immediately across all associated devices and scheduled tasks.

Tags can be assigned to devices through multiple workflows:

During Device Creation: Select applicable tags from the available list when adding a new device through Devices → Add Device.

Bulk Assignment: Use the device management interface to select multiple devices and apply tags in a single operation:

  1. Navigate to Devices → Device List
  2. Select target devices using checkboxes
  3. Choose Bulk Actions → Assign Tags
  4. Select tags to apply
  5. Confirm the operation

Individual Device Edit: Modify tags for a single device by editing the device record and updating the tags field.

Tags serve as powerful selectors for automated operations. When configuring scheduled tasks, administrators can target devices by tag rather than manually selecting individual devices.

When creating or editing a Scheduled Task:

  1. In the Target Devices section, select By Tag
  2. Choose one or more tags from the available list
  3. The task will execute against all devices currently assigned the selected tags

Organizations can implement tag-based maintenance scheduling:

Scenario: Configuration backups for different device groups must occur during specific maintenance windows to avoid impacting business operations.

Implementation:

  1. Create tags: Maintenance-Sunday-0200, Maintenance-Tuesday-2300, Maintenance-Saturday-0400
  2. Assign devices to appropriate maintenance window tags based on operational requirements
  3. Create scheduled tasks targeting each maintenance window tag
  4. Schedule task execution times to align with maintenance windows

Result: As network topology evolves and devices move between maintenance windows, administrators simply reassign tags rather than reconfiguring multiple scheduled tasks.

Tag deletion is a non-destructive operation with specific implications:

  1. Navigate to Admin → Tags
  2. Locate the tag to delete
  3. Click the Delete icon
  4. Confirm the deletion when prompted

Device Associations: Removing a tag does not delete or modify devices. The tag assignment is simply removed from all associated devices, but the devices remain in the system unchanged.

Scheduled Tasks: This is the primary consideration when deleting tags. If scheduled tasks reference the deleted tag:

  • The task configuration becomes invalid
  • The task may fail to execute or execute against zero devices
  • Manual task reconfiguration is required

Role-Based Access Control (RBAC) with Tags

rConfig V8 integrates tags with its RBAC system, enabling fine-grained access control based on device groupings.

When roles are assigned to tags, the system enforces visibility and operational restrictions:

Visibility Control: Users only see devices where their assigned role matches at least one role on the device’s tags.

Operational Boundaries: Users can only perform actions (backup, edit, delete) on devices visible to their role.

Hierarchical Consideration: Tag-based RBAC works in conjunction with other RBAC mechanisms in rConfig V8, creating layered access control.

To assign roles to a tag:

  1. Navigate to Admin → Tags
  2. Edit the target tag
  3. In the Roles section, select which roles should have access to devices with this tag
  4. Save the tag configuration

Scenario: A managed service provider supports multiple clients with a shared rConfig instance. Each client’s devices must be isolated from other clients’ visibility.

Implementation:

  1. Create client-specific tags: Client-ACME, Client-GloboCorp, Client-TechStart
  2. Create corresponding roles: ACMEAdmins, GloboCorpAdmins, TechStartAdmins
  3. Assign each client role to their respective tag
  4. Assign user accounts to appropriate client roles
  5. Tag devices according to client ownership

Result: Users only see and can operate on devices belonging to their client, ensuring data isolation and security.
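
The visibility rule and the client-isolation scenario above can be checked offline before users are onboarded. The following is an added example, not rConfig code: it models only the tag rule ("a role sees a device if the role is on at least one of the device's tags") over a hypothetical, constructed inventory, and flags devices reachable by more than one client role as well as devices no role reaches through tags.

```python
# Added example: models the tag visibility rule described above. The data
# layout is hypothetical, constructed sample data; not rConfig's schema or API.
# Tag -> roles assigned to that tag (constructed)
TAG_ROLES = {
    "Client-ACME": {"ACMEAdmins"},
    "Client-GloboCorp": {"GloboCorpAdmins"},
    "Client-TechStart": {"TechStartAdmins"},
    "Type-Firewall": set(),                      # organizational tag, no roles
    "Maintenance-Sunday-0200": {"ACMEAdmins"},   # role attached by mistake
}

# Device -> tags assigned to that device (constructed)
DEVICE_TAGS = {
    "acme-fw01": {"Client-ACME", "Type-Firewall"},
    "globo-rtr01": {"Client-GloboCorp", "Maintenance-Sunday-0200"},
    "tech-sw01": {"Client-TechStart"},
    "lab-fw99": {"Type-Firewall"},
}

# One role per client; no device should be reachable by two of them
CLIENT_ROLES = {"ACMEAdmins", "GloboCorpAdmins", "TechStartAdmins"}


def roles_for_device(device):
    """Union of the roles on every tag the device carries."""
    roles = set()
    for tag in DEVICE_TAGS.get(device, ()):
        roles |= TAG_ROLES.get(tag, set())
    return roles


def visible_devices(user_roles):
    """Devices whose tags carry at least one of the user's roles."""
    wanted = set(user_roles)
    return sorted(d for d in DEVICE_TAGS if roles_for_device(d) & wanted)


def isolation_findings():
    """Return (cross_client, no_tag_role): leaks and devices no role reaches."""
    cross_client, no_tag_role = [], []
    for device in sorted(DEVICE_TAGS):
        roles = roles_for_device(device)
        if len(roles & CLIENT_ROLES) > 1:
            cross_client.append((device, sorted(roles & CLIENT_ROLES)))
        if not roles:
            no_tag_role.append(device)
    return cross_client, no_tag_role
```

In the sample, a role attached to a maintenance-window tag makes a GloboCorp router visible to ACMEAdmins: any tag with roles widens visibility, not only the client tags.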

Establish and document consistent naming patterns:

Hierarchical Prefixes: Use prefixes to create logical categories

  • Type-Router, Type-Switch, Type-Firewall
  • Location-NYC, Location-LON, Location-SYD
  • Vendor-Cisco, Vendor-Juniper, Vendor-Fortinet

Descriptive Suffixes: Add context that aids in identification

  • Status-Production, Status-Staging, Status-Decommissioned
  • Priority-Critical, Priority-Standard, Priority-Low

Avoid Ambiguity: Be specific enough to prevent misinterpretation

  • Poor: Important, Group1, Set-A
  • Better: Critical-Infrastructure, FrontEnd-Routers, Backup-Set-Daily

Start Broad, Refine Later: Begin with general tags and create more specific tags as patterns emerge in your operational needs.

Regular Audits: Periodically review tag usage to identify:

  • Orphaned tags (no devices assigned)
  • Duplicate or overlapping tags
  • Tags referenced by inactive scheduled tasks
  • Opportunities for consolidation

Documentation: Maintain a tag registry documenting:

  • Tag purpose and intended use
  • Associated scheduled tasks
  • RBAC implications
  • Creation date and owner

Avoid Tag Proliferation: Resist creating tags for every conceivable categorization. Too many tags create confusion and maintenance overhead. Focus on tags that serve operational purposes.

RBAC Verification: When implementing tag-based access control, test thoroughly to ensure users see only intended devices. Misconfigured RBAC can inadvertently expose or hide critical infrastructure.

Scheduled Task Dependencies: Before modifying or deleting tags used in scheduled tasks, assess the impact on backup schedules, compliance checking, and automated operations.

Audit Logging: Monitor tag assignment changes through rConfig’s audit logs, particularly in environments where tag-based RBAC enforces security boundaries.

Symptom: Scheduled task executes against zero devices despite the tag having device assignments

Cause: Tag was deleted and recreated with the same name. The task references the old tag ID, not the new tag.

Resolution: Edit the scheduled task and reselect the tag, even though it appears correct. This updates the task to reference the current tag ID.
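
The stale-ID condition above, together with the orphaned-tag check from the regular audits, can be detected from exported records. The following is an added example, not rConfig code: the record layout (tasks storing tag IDs plus the names shown when they were configured) is a hypothetical assumption, and all data is constructed.

```python
# Added example: audit for stale tag IDs and orphaned tags. The record layout
# is hypothetical, constructed sample data; it is not rConfig's schema or API.

# Current tags keyed by ID (constructed)
TAGS = {
    7: "Maintenance-Tuesday-2300",
    12: "Maintenance-Sunday-0200",   # deleted and recreated; was ID 3
    15: "Generation-Legacy",         # no devices assigned
}

# Device -> tag IDs (constructed)
DEVICE_TAG_IDS = {"core-rtr01": {12}, "edge-fw01": {7, 12}}

# Task -> targeted tag IDs plus the tag names shown when it was configured
TASKS = {
    "backup-sunday": {"tag_ids": {3}, "tag_names": {"Maintenance-Sunday-0200"}},
    "backup-tuesday": {"tag_ids": {7}, "tag_names": {"Maintenance-Tuesday-2300"}},
    "backup-all": {"tag_ids": {7, 12},
                   "tag_names": {"Maintenance-Tuesday-2300", "Maintenance-Sunday-0200"}},
}


def resolve_targets(task):
    """Devices carrying any targeted tag ID; each device is listed once."""
    ids = TASKS[task]["tag_ids"]
    return sorted(d for d, tag_ids in DEVICE_TAG_IDS.items() if tag_ids & ids)


def audit():
    """Return findings as (kind, subject, tag_id, candidate_replacement_ids)."""
    findings = []
    id_by_name = {name: tid for tid, name in TAGS.items()}
    for task, cfg in sorted(TASKS.items()):
        for tid in sorted(cfg["tag_ids"] - set(TAGS)):
            # The ID is gone; a same-named current tag suggests a recreate
            recreated = sorted(id_by_name[n] for n in cfg["tag_names"]
                               if n in id_by_name)
            findings.append(("stale-tag-id", task, tid, recreated))
    in_use = set().union(*DEVICE_TAG_IDS.values())
    for tid in sorted(set(TAGS) - in_use):
        findings.append(("orphaned-tag", TAGS[tid], tid, []))
    return findings


if __name__ == "__main__":
    for finding in audit():
        print(finding)
```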


Symptom: User cannot see devices they should have access to based on their role

Cause: Tag-based RBAC is filtering devices. The user’s role is not assigned to the tags on the target devices.

Resolution:

  1. Verify user’s assigned roles in Admin → Users
  2. Check tags assigned to the target devices
  3. Edit relevant tags to include the user’s role
  4. Alternatively, assign additional roles to the user that match device tags

Symptom: Device appears multiple times in scheduled task execution logs

Cause: Device has multiple tags assigned, and the scheduled task selects multiple tags that all include the same device.

Resolution: This is expected behavior. The scheduled task deduplicates devices automatically, so the device is only processed once despite appearing in multiple tag selections. Review task execution logs to confirm only one actual operation occurred per device.


Symptom: Tag color changes don’t appear in the interface

Cause: Browser cache or CSS caching may be serving old color definitions.

Resolution: Clear browser cache and refresh the page. If using a reverse proxy or CDN, flush those caches as well.

Organizations can implement overlapping tag schemes to enable flexible device selection:

Example Structure:

  • Vendor Dimension: Vendor-Cisco, Vendor-Juniper, Vendor-Arista
  • Location Dimension: Location-Datacenter1, Location-Branch-West, Location-CloudRegion-USEast
  • Function Dimension: Function-Core, Function-Distribution, Function-Access
  • Maintenance Dimension: Maint-Window1, Maint-Window2, Maint-Emergency-Approved

A device might carry: Vendor-Cisco, Location-Datacenter1, Function-Core, Maint-Window1

This enables scheduled tasks to target precise device subsets:

  • “All Cisco devices in Datacenter1” (intersection of two tags)
  • “All core devices regardless of vendor” (single tag)
  • “All devices in Window1 maintenance schedule” (single tag)

As network infrastructure evolves, tags require lifecycle management:

Deprecation Process:

  1. Identify tags no longer serving operational purposes
  2. Create replacement tags if needed
  3. Migrate device assignments from old to new tags
  4. Update scheduled task references
  5. Archive or delete deprecated tags

Version Control: For organizations managing multiple network generations, encode the generation in tag names:

  • Generation-Legacy, Generation-Current, Generation-NextGen

This enables targeted operations as infrastructure transitions.

| Operation | Path | Notes |
|---|---|---|
| Create Tag | Admin → Tags → Add Tag | Define name, optional description, color, and RBAC |
| Edit Tag | Admin → Tags → Edit | Modify properties; changes apply immediately |
| Delete Tag | Admin → Tags → Delete | Non-destructive to devices; impacts scheduled tasks |
| Assign to Device | Devices → Edit Device | Select from available tags |
| Bulk Assign | Devices → Device List → Bulk Actions | Apply tags to multiple devices |
| View Tag Usage | Admin → Tags | Shows device count per tag |

| Task Type | Tag Selection | Behavior |
|---|---|---|
| Configuration Backup | Select one or more tags | Backs up all devices with any selected tag |
| Compliance Check | Select one or more tags | Runs compliance against all tagged devices |
| Script Execution | Select one or more tags | Executes script on all tagged devices |

| Requirement | Implementation |
|---|---|
| Client Isolation | Create client-specific tags, assign client roles to tags |
| Department Access | Create department tags, assign department roles |
| Support Tier Access | Create tier-based tags (Tier1, Tier2, Tier3), assign appropriate roles |
| Geographic Restrictions | Create location tags, assign region-specific roles |

Tags serve as the primary device selector mechanism for Scheduled Tasks, enabling dynamic, automated operations against logical device groups.

Tags appear throughout the device management interface, providing quick visual identification and filtering capabilities in device listings and search results.

When executing scripts through SIE, administrators can target devices by tag, enabling automated network operations and data collection against specific device subsets.

Future compliance features will leverage tags to define compliance scopes, applying policy checks against tagged device groups.

Tags provide the organizational flexibility essential for managing complex, dynamic network infrastructures. By understanding tag architecture, RBAC integration, and operational best practices, administrators can build logical device groupings that adapt to evolving business requirements without rigid hierarchical constraints.

Key Takeaways:

  • Tags offer flexible, non-hierarchical device organization independent of traditional categories
  • Tag-based scheduled task targeting enables dynamic automation that adapts as device assignments change
  • RBAC integration with tags provides fine-grained access control for multi-tenant or segmented environments
  • Effective tag strategies require planning, naming conventions, and ongoing lifecycle management
  • Tags integrate deeply with rConfig V8’s automation, access control, and future compliance capabilities

For questions about implementing tag strategies for your specific environment, contact rConfig support or consult with your account team about enterprise deployment planning.