Forum Discussion
Can I assign multiple Roles in a Remote Role Group when integrating Active Directory with BIG-IP?
Hi All,
I'm integrating the Active Directory with the BIG-IP system (11.6.0 HF5) in order to use it as a remote authentication to manage the BIG-IP box. However, our client has a requirement of assigning multiple roles for a single user. For example, the user jsmith should have the roles of a Certificate Manager, User Manager, and Auditor. Is it possible to assign multiple user roles for a single user/remote role group in BIG-IP?
Also, can BIG-IP local authentication co-exist with Active Directory authentication?
I hope someone can help me with this implementation. Thank you!
4 Replies
- Seth_Cooper
Employee
Hi,
You can only have one role for a user in the remote role groups. Your best bet is to give the user the role that covers what abilities they need to perform without giving them extra. You could also create multiple accounts per user (e.g. user1_cert, user1_user, user1_audit) and then they can log in with the user they need to perform their duties.
When you set up remote auth the only 2 users that will still auth locally are root (CLI) and admin (GUI). All other users will be sent to the remote auth for authentication.
Seth
- daremigio_19877
Nimbostratus
Hi Seth,
Thank you for the information. However, our client's AD administrator doesn't allow multiple usernames for a single user and therefore the suggestion of creating multiple usernames for a single user is not possible. Also, the only user role that will be able to do user management, certificate management and audit at the same time is an Administrator role. But the Administrator Role can also create VS, Pool, VLANs, etc. and our client doesn't want that user (ex: jsmith) to also be able to create VS, Pool, VLANs, etc. -_-
So I guess there is no other workaround for this kind of authentication requirement?
- Seth_Cooper
Employee
Your best bet is to open a case with support and ask to be attached to RFE ID 382849. This enhancement is to allow a more granular way to provision admin privileges. Currently the only workaround I know for this is to have multiple accounts for one user.
- daremigio_19877
Nimbostratus
Thank you Seth. Just a follow-up question: you said that the only 2 users that can log in locally are the root (CLI) and admin (GUI), does it include local users with an Administrator role?