May 17, 2023

BIG-IQ custom role-type for web application firewall

Dear all,

We want to allow our users to review, modify and deploy their web application firewall policy on the BIG-IQ.
The default roles do not allow for this, because they also allow the users to create and delete policies.

I think this can be done by creating a custom Role Type, combined with the `Resource Group deployer` and a resource group containing only the WAF policies they have access to.

I have created this role type:

Which does nearly everything I need, except that I get the following error when deploying:

Deployment does work when I combine the `Web App Security Manager` role with the `resource group deployer`. But then the user is also allowed to create new WAF policies.

Does anybody know which permissions I am missing from the role type?


  • Raise a ticket with F5. They are the only people who will have the knowledge on the limitations of combining permission sets.

  • To create a custom role-type for the Web Application Firewall (WAF) in BIG-IP's BIG-IQ Centralized Management platform, you can follow these general steps:

    1. Log in to your BIG-IQ Centralized Management platform using administrative credentials.

    2. Navigate to the "Access" section or the "Security" section, depending on the version of BIG-IQ you are using.

    3. Locate the section related to roles or user management. In this section, you should find an option to create a new role or role-type.

    4. Click on the option to create a new role or role-type.

    5. Provide a name for the custom role-type that represents its purpose, such as "WAF Administrator" or "WAF Manager."

    6. Define the permissions and access rights for the custom role-type. The specific permissions will depend on your requirements and the level of access you want to grant to WAF-related resources and features.

    7. Ensure that the custom role-type has appropriate access to WAF-related functionalities, such as creating and managing WAF policies, managing security rules, configuring application profiles, and accessing WAF reporting and analytics.

    8. Save the custom role-type configuration.

    Once you have created the custom role-type, you can assign it to specific users or groups within your BIG-IQ environment. These users or groups will then have the defined permissions and access rights associated with the custom role-type, allowing them to manage the WAF functionality based on their assigned role.

    It's important to note that the specific steps and options for creating custom role-types may vary depending on the version of BIG-IQ you are using. It's recommended to refer to the official documentation or user guide for your specific version of BIG-IQ for detailed instructions on creating custom role-types and configuring WAF-related permissions and access rights.

  • No, not really.
    It was a nice explanation of how to make a custom role, but nothing on what permissions are needed for my requirements.

    I'll make a support ticket.