Forum Discussion
F5 Authorization
Hi,
Recently I deployed group-based authentication via remote-role on my BigIP LTM v10. Basically I created two groups, F5-Admins and F5-Operators, and assigned them to the Network team and Operations team.
Network team - full access
Operations team - operator role - enable / disable - nodes / pool
I learned that it is usually my Operations team who clears the cache on the F5; to be precise, they use this command:
delete ltm profile ramcache
This command requires admin rights to execute.
So now we want to retain the current authorization model but want to permit users with the operator role to execute this command. Is this possible? If yes, can someone please assist me with configuration / commands / reference?
5 Replies
I don't believe you can; there is a specific set of roles with their rights, but nothing to enable a certain right through that route.
Perhaps you could do something via an external script that kicks off this command from a webserver or such, but from within the F5 profiles you won't.
- Abhishek_05_163
Nimbostratus
Thank you, boneyard. I think we might end up giving admin access to the Operations users. An external script from a web server is a good idea, but we do not want to introduce an additional object that we need to build / maintain / troubleshoot.
Do you think using a TACACS+ or RADIUS server can help in this scenario?
I don't see how; you have a mapping to groups of commands. There is no possibility to create your own group or to include single commands. There aren't many systems that allow that. And somehow the groups and their rights never match with what I need :)
- Abhishek_05_163
Nimbostratus
Hmmm, seems like we've hit a dead-end.
I appreciate your quick replies boneyard.
- Nishanth_Singar
Nimbostratus
Hi Abhishek,
It is a best security practice to integrate your LTM with an external authentication service; here you may use TACACS. Make sure you also have an admin account on your device, so that if the TACACS server goes down you won't lose access.
Regards
