Andrea_Arquint
Mar 29, 2012

iControl permissions

Hi there

Is it possible to set operator permissions for the iControl API user on the F5 BIG-IP?

I just want iControl requests to be able only to enable or disable pool members.

Thanks for the help

bb

  • Hi BB,

    iControl authentication and authorization is done based on the user account specified in the iControl calls. If you prevent someone from getting the admin credentials, they wouldn't be able to use admin functionality via iControl. If you give someone the admin credentials, they'd be able to make admin-level changes via the GUI and/or iControl.

    Aaron
  • Hi hoolio

    Many thanks for your fast answer.

    Okay, so iControl uses the normal system permission-based concept.

    Thanks a lot

    bb

  • Hello

    I have a further question.

    We plan to use the iControl interface to steer pool member inactivation/activation via Microsoft's WFF (Web Farm Framework). The iControl API client runs, for example, on a web server with IIS installed.

    How do I configure API access to a floating self-IP address?

    As far as I see, it's only possible to access the BIG-IP via 443 on a dedicated self-IP but not on a floating one.

    This means if someone wants to disable a pool member via iControl, they need to know first which BIG-IP cluster member is the active one.

    Does that mean that the API developer needs to ask first which LTM is the active one?

    Many thanks for your help

    bb

  • Hi bb,

    You can enable port 443 in port lockdown on a floating self IP address and access the GUI and iControl API on the active unit without knowing which unit is active.

    Aaron
  • Hi again

    We configured user login via RADIUS. Now the problem is: when I log in with a RADIUS user which has attributes set for a specific partition and operator permission, the user gets in via the web interface correctly, but via iControl the user stays in the Common partition after successful login.

    Does iControl login ignore RADIUS-assigned attributes?

    Kind regards

    bb
  • API requests will default to the "Common" partition unless you make a call to the Management.Partition.set_active_partition() method to change the current partition context. You can use the Management.UserManagement.get_my_permission() method to determine what partitions the current user has access to.

    -Joe
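The sequence Joe describes (query get_my_permission, call set_active_partition, then act on the pool member), as an added example that is not code from this thread or from F5: a small Python client that builds the classic iControl SOAP calls by hand. The interface, method, parameter and enumeration names (Management.UserManagement.get_my_permission, Management.Partition.set_active_partition, LocalLB.Pool.set_member_session_enabled_state, USER_ROLE_OPERATOR, STATE_DISABLED) follow the v11 iControl SDK; the endpoint path /iControl/iControlPortal.cgi with HTTP basic auth, the SOAPAction value and the "[All]" partition value are assumptions, and the permission response embedded in the block is constructed sample data, not a capture. The point for bb's case: verify the RADIUS-assigned role and partition through the API itself and switch context before touching any pool member, so a client that would otherwise act silently in Common fails closed instead.

```python
"""Partition-aware iControl (SOAP) client for enabling/disabling pool members.

Added example, not from the thread or from F5.  Assumes the classic iControl
SOAP endpoint (/iControl/iControlPortal.cgi, HTTP basic auth) and the v11
LocalLB.Pool.set_member_session_enabled_state signature; the SOAPAction value
and the "[All]" partition name are assumptions.
"""
import base64
import ssl
import urllib.request
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"
SOAP_ENC = "http://schemas.xmlsoap.org/soap/encoding/"


def envelope(namespace, method, body):
    """Wrap one rpc/encoded iControl call in a SOAP 1.1 envelope."""
    return (
        f'<SOAP-ENV:Envelope xmlns:SOAP-ENV="{SOAP_ENV}" xmlns:SOAP-ENC="{SOAP_ENC}" '
        'xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" '
        'xmlns:xsd="http://www.w3.org/2001/XMLSchema"><SOAP-ENV:Body>'
        f'<ns1:{method} xmlns:ns1="urn:iControl:{namespace}" '
        f'SOAP-ENV:encodingStyle="{SOAP_ENC}">{body}</ns1:{method}>'
        '</SOAP-ENV:Body></SOAP-ENV:Envelope>'
    )


def get_my_permission_request():
    return envelope("Management/UserManagement", "get_my_permission", "")


def set_active_partition_request(partition):
    # escape(): partition and pool names come from outside the script; never
    # splice raw strings into the XML body.
    body = f'<active_partition xsi:type="xsd:string">{escape(partition)}</active_partition>'
    return envelope("Management/Partition", "set_active_partition", body)


def set_member_session_state_request(pool, address, port, enabled):
    """Build the v11 LocalLB.Pool.set_member_session_enabled_state call for one member."""
    state = "STATE_ENABLED" if enabled else "STATE_DISABLED"
    body = (
        f'<pool_names SOAP-ENC:arrayType="xsd:string[1]"><item>{escape(pool)}</item></pool_names>'
        '<session_states SOAP-ENC:arrayType="ns1:MemberSessionState[][1]">'
        '<item SOAP-ENC:arrayType="ns1:MemberSessionState[1]"><item>'
        f'<member><address>{escape(address)}</address><port>{int(port)}</port></member>'
        f'<session_state>{state}</session_state></item></item></session_states>'
    )
    return envelope("LocalLB/Pool", "set_member_session_enabled_state", body)


def _local(tag):
    return tag.rsplit("}", 1)[-1]


def parse_my_permissions(response_xml):
    """Return [(role, partition), ...] from a get_my_permission response, ignoring prefixes."""
    perms = []
    for item in ET.fromstring(response_xml).iter():
        if _local(item.tag) != "item":
            continue
        fields = {_local(c.tag): (c.text or "").strip() for c in item}
        if "role" in fields and "partition" in fields:
            perms.append((fields["role"], fields["partition"]))
    return perms


def has_partition_access(perms, partition, allowed_roles=("USER_ROLE_OPERATOR",)):
    """True only if the account holds one of allowed_roles in `partition` (or in
    "[All]", assumed to be the all-partitions value).  Operator is enough to
    enable/disable members; nothing wider is accepted by default."""
    return any(role in allowed_roles and part in (partition, "[All]") for role, part in perms)


def post(url, user, password, body, soap_action, insecure=False):
    """Send one iControl call with HTTP basic auth and return the response XML."""
    ctx = ssl.create_default_context()
    if insecure:  # lab devices with a self-signed cert only
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    auth = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(url, data=body.encode(), method="POST", headers={
        "Content-Type": "text/xml; charset=utf-8",
        "SOAPAction": soap_action,
        "Authorization": f"Basic {auth}",
    })
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return resp.read().decode()


def set_member_state(url, user, password, partition, pool, address, port, enabled, insecure=False):
    """Check permission, switch partition context, then change the member's session state."""
    perms = parse_my_permissions(post(url, user, password, get_my_permission_request(),
                                      "urn:iControl:Management/UserManagement", insecure))
    if not has_partition_access(perms, partition):
        raise PermissionError(f"no operator role in partition {partition!r}: {perms}")
    post(url, user, password, set_active_partition_request(partition),
         "urn:iControl:Management/Partition", insecure)
    post(url, user, password, set_member_session_state_request(pool, address, port, enabled),
         "urn:iControl:LocalLB/Pool", insecure)


# Constructed sample of a get_my_permission response (not a capture): guest in
# Common, operator in WebFarm, which is the RADIUS-assigned shape bb describes.
SAMPLE_PERMISSION_RESPONSE = """<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
<SOAP-ENV:Body><m:get_my_permissionResponse xmlns:m="urn:iControl:Management/UserManagement">
<return><item><role>USER_ROLE_GUEST</role><partition>Common</partition></item>
<item><role>USER_ROLE_OPERATOR</role><partition>WebFarm</partition></item></return>
</m:get_my_permissionResponse></SOAP-ENV:Body></SOAP-ENV:Envelope>"""

if __name__ == "__main__":
    perms = parse_my_permissions(SAMPLE_PERMISSION_RESPONSE)
    print(perms, has_partition_access(perms, "WebFarm"), has_partition_access(perms, "Common"))
```

Usage against a device is `set_member_state("https://<floating-self-ip>/iControl/iControlPortal.cgi", "wffbot", password, "WebFarm", "pool_web", "10.0.0.11", 80, enabled=False)`; with the sample permissions the same call for partition "Common" raises PermissionError before any change is attempted, because the guest role there is not on the allowed list.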