Edit Data Group Only Permissions

Question

Hi, 
&nbsp;  
&nbsp; I've been looking for a solution but so far haven't found any documentation on it, apologies if I've missed it! 
&nbsp;  
&nbsp; I would like a user to have permissions to only be able to edit a specific data group, or just the data groups. 
&nbsp;  
&nbsp; I thought the Irule editor may have a feature to do this as the available permissions through the gui didn't seem to be that specific.  
&nbsp;  
&nbsp; Could someone please let me know if there is such a feature available or if not through the irule editor am I able to alter permissions through the gui?? 
&nbsp;  
&nbsp; Any help is much appreciated. 
&nbsp;  
&nbsp; Thanks, 
&nbsp;  
&nbsp; Claire

hoolio · Answer

Hi Claire, 
&nbsp;  
&nbsp; I haven't tested this, but you might be able to do something like this using the admin GUI's role based administration.  You'd need to be running 9.4.0+: 
&nbsp;  
&nbsp; BIG-IP® Network and System Management Guide: 4 - Configuring Administrative Partitions 
&nbsp; https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/bigip9_4mgmt/BIG_IP_9_4_nsm_guide-05-1.html 
&nbsp;  
&nbsp; And specifically this table mentions: 
&nbsp;  
&nbsp;  
&nbsp; https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/bigip9_4mgmt/BIG_IP_9_4_nsm_guide-05-1.htmlwp1034086 
&nbsp;  
&nbsp; An iRule can reference any object, regardless of the partition in which the referenced object resides. For example, an iRule that resides in partition A can contain a pool statement that specifies a pool residing in partition B.  
&nbsp; &nbsp; 
&nbsp;  
&nbsp; I think you could create a new admin partition, create your limited access user account(s), and then create the datagroup in the new partition.  I think the iRule and VIP which reference the datagroup could be in any partition.  The user accounts would only be able to modify the datagroup that exists in their partition. 
&nbsp;  
&nbsp; Else, this is where the iControl API could come in handy.  You could create a web (or standalone) app which makes iControl calls to the BIG-IP to modify specific datagroups.  You could validate the user input and enforce your business logic within the app.  For more information, you can check this iControl page: (Click here) 
&nbsp;  
&nbsp; If you do arrive at a solution, can you reply so others will have more info on this? 
&nbsp;  
&nbsp; Thanks, 
&nbsp; Aaron

robert_47833 · Answer

I have tried to achieve simliar goal in my prod 
&nbsp; there is a default issue for this deployment 
&nbsp; 1:account with "manager" role can't save the config vis CLI............ 
&nbsp; 2:if I assign role "admin " or "resource admin" to an account(which can fix the CLI no-save issue in 1.),but by default this account can access to objects in common partition 
&nbsp; anyway I use perl to achieve this:limit access for some specific accounts and use "root" to save the config after each change made by these specific accounts

Forum Discussion

Edit Data Group Only Permissions

Recent Discussions

Default retry time inband monitor

how to monitor the axfr master response

Http / https health monitor issue

I used the wrong email account when take Application Delivery Exam (101)

F5 looses the token for the first call

Related Content

Insufficient permissions BIG-IQ login error

Re: Get Started with BIG-IP Virtual Edition (VE), BIG-IQ VE or BIG-IP Cloud Edition Trial

Installing BIG-IP Next on Nutanix Community Edition

Quick Optimizations for F5 BIG-IP Virtual Edition

Certified Kubernetes Administrator - Study Group

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS