Forum Discussion

jonwest1_uk
Mar 19, 2019

icontrol-rest-fine-grained-role-based-access-control issues

I'm trying to restrict a user to access to a single iControl REST API, as per this article: https://devcentral.f5.com/articles/icontrol-rest-fine-grained-role-based-access-control-30773references

I'm using 12.1.2 and 13.0. After completing all of the steps (except 2), I find the user is still only restricted by the original role (tried Guest & Operator). I can still get all Virtual Servers/Rules/Pools. The resulting JSON looks OK to me. Has anyone else encountered this issue or got a solution?

User:

{
    "name": "testuser",
    "displayName": "testuser",
    "generation": 5,
    "lastUpdateMicros": 1552909186767674,
    "kind": "shared:authz:users:usersworkerstate",
    "selfLink": "https://localhost/mgmt/shared/authz/users/testuser"
}

Resource-Group:

{
    "id": "95b9c24d-7dce-387d-8ac0-98a1ed1d72cb",
    "name": "testGroup",
    "resources": [
        {
            "resourceMask": "/mgmt/tm/ltm/rule/testrule/stats",
            "restMethod": "GET"
        }
    ],
    "generation": 1,
    "lastUpdateMicros": 1552909231985209,
    "kind": "shared:authz:resource-groups:roleresourcegroupstate",
    "selfLink": "https://localhost/mgmt/shared/authz/resource-groups/95b9c24d-7dce-387d-8ac0-98a1ed1d72cb"
}

Role:

{
    "name": "testRole",
    "userReferences": [
        {
            "link": "https://localhost/mgmt/shared/authz/users/testuser"
        }
    ],
    "resourceGroupReferences": [
        {
            "link": "https://localhost/mgmt/shared/authz/resource-groups/95b9c24d-7dce-387d-8ac0-98a1ed1d72cb"
        }
    ],
    "lastUpdateMicros": 1552909264219779,
    "kind": "shared:authz:roles:rolesworkerstate",
    "selfLink": "https://localhost/mgmt/shared/authz/roles/testRole",
    "generation": 7
}
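
An offline audit over the object shapes shown in the post, as an added example that is not part of the original post or of F5's code: it lists every role that references a user and which of those roles would allow a given request. It assumes that effective access is the union of all roles referencing the user, that masks behave as "*" globs, and that a role may carry an inline "resources" list; exampleBroadRole is hypothetical sample data.

```python
from fnmatch import fnmatchcase

GROUP_LINK = ("https://localhost/mgmt/shared/authz/resource-groups/"
              "95b9c24d-7dce-387d-8ac0-98a1ed1d72cb")
USER_LINK = "https://localhost/mgmt/shared/authz/users/testuser"

# Constructed sample input. testRole and the resource group copy the post;
# "exampleBroadRole" and its inline "resources" list are hypothetical.
ROLES = [
    {"name": "testRole",
     "userReferences": [{"link": USER_LINK}],
     "resourceGroupReferences": [{"link": GROUP_LINK}]},
    {"name": "exampleBroadRole",
     "userReferences": [{"link": USER_LINK}],
     "resources": [{"resourceMask": "/mgmt/tm/ltm/*", "restMethod": "GET"}]},
]
GROUPS = [
    {"selfLink": GROUP_LINK,
     "resources": [{"resourceMask": "/mgmt/tm/ltm/rule/testrule/stats",
                    "restMethod": "GET"}]},
]

def roles_for_user(roles, user):
    """Names of every role whose userReferences point at this user."""
    suffix = "/mgmt/shared/authz/users/" + user
    return [r["name"] for r in roles
            if any(ref.get("link", "").endswith(suffix)
                   for ref in r.get("userReferences", []))]

def grants(role, groups):
    """(method, mask) pairs from a role's inline resources and its groups."""
    by_link = {g["selfLink"]: g for g in groups}
    found = [(x["restMethod"], x["resourceMask"])
             for x in role.get("resources", [])]
    for ref in role.get("resourceGroupReferences", []):
        group = by_link.get(ref["link"], {})
        found += [(x["restMethod"], x["resourceMask"])
                  for x in group.get("resources", [])]
    return found

def granting_roles(roles, groups, user, method, path):
    """Roles allowing method+path for user (assumed: union of roles, glob masks)."""
    members = set(roles_for_user(roles, user))
    return [r["name"] for r in roles if r["name"] in members
            and any(m == method and fnmatchcase(path, mask)
                    for m, mask in grants(r, groups))]
```

Feeding it the full role and resource-group collections exported from the device shows whether any role other than the custom one still references the user.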