Techchic_108423
Nimbostratus
Feb 13, 2009
Edit Data Group Only Permissions
Hi,
I've been looking for a solution but so far haven't found any documentation on it, apologies if I've missed it!
I would like a user to have permissions to only be able to edit a specific data group, or just the data groups.
I thought the iRule editor may have a feature to do this, as the available permissions through the GUI didn't seem to be that specific.
Could someone please let me know if there is such a feature available, or if not through the iRule editor, am I able to alter permissions through the GUI?
Any help is much appreciated.
Thanks,
Claire
2 Replies
- hoolio
Cirrostratus
Hi Claire,
I haven't tested this, but you might be able to do something like this using the admin GUI's role based administration. You'd need to be running 9.4.0+:
BIG-IP® Network and System Management Guide: 4 - Configuring Administrative Partitions
https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/bigip9_4mgmt/BIG_IP_9_4_nsm_guide-05-1.html
And specifically this table mentions:
https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/bigip9_4mgmt/BIG_IP_9_4_nsm_guide-05-1.html#wp1034086
An iRule can reference any object, regardless of the partition in which the referenced object resides. For example, an iRule that resides in partition A can contain a pool statement that specifies a pool residing in partition B.
I think you could create a new admin partition, create your limited access user account(s), and then create the datagroup in the new partition. I think the iRule and VIP which reference the datagroup could be in any partition. The user accounts would only be able to modify the datagroup that exists in their partition.
Else, this is where the iControl API could come in handy. You could create a web (or standalone) app which makes iControl calls to the BIG-IP to modify specific datagroups. You could validate the user input and enforce your business logic within the app. For more information, you can check this iControl page: (Click here)
If you do arrive at a solution, can you reply so others will have more info on this?
Thanks,
Aaron
- Robert_47833
Altostratus
I have tried to achieve a similar goal in my prod.
There is a default issue for this deployment:
1: An account with the "manager" role can't save the config via CLI.
2: If I assign the role "admin" or "resource admin" to an account (which can fix the CLI no-save issue in 1.), by default this account can access objects in the common partition.
Anyway, I use Perl to achieve this: limit access for some specific accounts and use "root" to save the config after each change made by these specific accounts.
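The brokered approach both replies describe (an app or script that makes the change on behalf of limited accounts after validating the input), sketched as an added example that is not part of either post and is not F5 code. The account names, data group paths and the `apply_change` callback, which stands in for the real iControl call made with the broker's own credentials, are assumptions.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Callable

# Constructed policy (hypothetical names): the data groups each account may edit
# and the entry type each group holds. Anything not listed is denied.
POLICY = {
    "claire": {"/AppTeam/allowed_clients": "address",
               "/AppTeam/redirect_hosts": "string"},
}
HOSTNAME = re.compile(r"(?=.{1,253}\Z)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}")

class Denied(Exception):
    """Request is outside the caller's delegated scope or fails validation."""

def normalise(kind, value):
    """Return the canonical form of an entry, or raise Denied."""
    if kind == "address":
        try:
            # strict=True rejects networks with host bits set, e.g. 10.1.2.3/24
            return str(ipaddress.ip_network(value, strict=True))
        except ValueError as exc:
            raise Denied(f"invalid address entry {value!r}") from exc
    # fullmatch, not match: a trailing newline must not slip through
    if kind == "string" and HOSTNAME.fullmatch(value.lower()):
        return value.lower()
    raise Denied(f"invalid {kind} entry {value!r}")

@dataclass
class Broker:
    apply_change: Callable[[str, str, str], None]  # hypothetical BIG-IP update hook
    audit: list = field(default_factory=list)      # every attempt, allowed or not

    def edit(self, user, group, action, value):
        kind = POLICY.get(user, {}).get(group)
        try:
            if kind is None:
                raise Denied(f"{user} may not edit {group}")
            if action not in ("add", "remove"):
                raise Denied(f"unsupported action {action!r}")
            entry = normalise(kind, value)
        except Denied as exc:
            self.audit.append((user, group, action, value, f"DENIED: {exc}"))
            raise
        self.apply_change(group, action, entry)    # only validated, in-scope edits reach here
        self.audit.append((user, group, action, entry, "OK"))
        return entry
```

The limited accounts authenticate to the broker only and hold no BIG-IP credentials, so the allow-list and the audit trail cannot be bypassed by logging in to the device directly.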