Does the F5 maybe have a way to allow all regular admin actions to be performed except exporting certificates ?

Question

Hi experts &nbsp;I have a question.&nbsp;If certificates (keys are exported in CLI or in the GUI, what options do we have to log these actions or prevent these actions ?Does the F5 maybe have a way to allow all regular admin actions to be performed except exporting certificates (keys) and give this right to a certain special account.&nbsp;Thank you !

alexbct · Answer

Hi Abdy, &nbsp;I don't think there's such a role on the BigIP's. As administrator you have full access to everything - there is no way to specifically exclude certain features. See here for the full overview of user roles; https://techdocs.f5.com/en-us/bigip-15-0-0/big-ip-systems-user-account-administration/user-roles.html&nbsp;There is a role that ONLY has access to the certificate management though; Certificate Manager, though I suspect that one on its own won't be of much use for your use case. &nbsp;Have you got any BigIQ's? (F5 centralized management platform) Its RBAC system is much more granular than the BigIP's and you can configure user and group access even on a per-object basis and may give you the granularity you are looking for. &nbsp;Hope this helps.

steve11 · Answer

Hello Alex,&nbsp;Very clear answer, thanks a lot for your feedback.&nbsp;Have a good day !

Forum Discussion

Does the F5 maybe have a way to allow all regular admin actions to be performed except exporting certificates ?

Recent Discussions

Big IP DNS Failover

AS3 Limitations

Diameter iRules attachment?

Help needed with iRule (connection closed log )

Use of SSL Decryption.

Related Content

Automating ACMEv2 Certificate Management on BIG-IP

F5 Distributed Cloud JA4 detection for enhanced performance and detection

Help F5 Transform the BIG-IP Administrator Certification

Re: Management Certificate

Understanding Performance Metrics and Network Traffic

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS