iControlREST access for user other than admin

Question

Hi! I can login to the GUI with both the admin account and a separate account I created. Both have the same permissions in the GUI.&nbsp;If I try to access the REST interface with both users, I get two different results:&nbsp;With the "admin" user it looks good:&nbsp;curl -sk -u 'admin:passwd' -H "Content-Type: application/json" https://192.168.1.110/mgmt/tm/ltm/pool |python -m json.tool
{
    "items": [
        {
            "allowNat": "yes",
            "allowSnat": "yes",
            "appService": "/Common/Test-iApp.app/Test-iApp",
            "fullPath": "/Common/Test-iApp.app/Test-iApp_pool",
            "generation": 234,
            "ignorePersistedWeight": "disabled",
            "ipTosToClient": "pass-through",
            "ipTosToServer": "pass-through",
            "kind": "tm:ltm:pool:poolstate",
            "linkQosToClient": "pass-through",
            "linkQosToServer": "pass-through",
            "loadBalancingMode": "least-connections-member",
            "membersReference": {
                "isSubcollection": true,
                "link": "https://localhost/mgmt/tm/ltm/pool/~Common~Test-iApp.app~Test-iApp_pool/members?ver=11.6.1"
            },
            "minActiveMembers": 0,
            "minUpMembers": 0,
            "minUpMembersAction": "failover",
            "minUpMembersChecking": "disabled",
            "monitor": "/Common/Test-iApp.app/Test-iApp_http_monitor ",
            "name": "Test-iApp_pool",
            "partition": "Common",
            "queueDepthLimit": 0,
            "queueOnConnectionLimit": "disabled",
            "queueTimeLimit": 0,
            "reselectTries": 0,
            "selfLink": "https://localhost/mgmt/tm/ltm/pool/~Common~Test-iApp.app~Test-iApp_pool?ver=11.6.1",
            "serviceDownAction": "none",
            "slowRampTime": 300,
            "subPath": "Test-iApp.app"
        }
    ],
    "kind": "tm:ltm:pool:poolcollectionstate",
    "selfLink": "https://localhost/mgmt/tm/ltm/pool?ver=11.6.1"
}Now, if I change the username:&nbsp;curl -sk -u 'otheruser:passwd' -H "Content-Type: application/json" https://192.168.1.110/mgmt/tm/ltm/pool |python -m json.tool
{
    "code": 401,
    "errorStack": [
        "java.lang.SecurityException: Authorization failed: user=https://localhost/mgmt/shared/authz/users/otheruser resource=/mgmt/tm/ltm/pool verb=GET uri:http://localhost:8100/mgmt/tm/ltm/pool referrer:192.168.1.15 sender:192.168.1.15",
        "at com.f5.rest.workers.ForwarderWorker.failPermissionValidation(ForwarderWorker.java:565)",
        "at com.f5.rest.workers.ForwarderWorker.evaluateUserPermission(ForwarderWorker.java:633)",
        "at com.f5.rest.workers.ForwarderWorker.evaluatePermission(ForwarderWorker.java:537)",
        "at com.f5.rest.workers.ForwarderPassThroughWorker.onForward(ForwarderPassThroughWorker.java:202)",
        "at com.f5.rest.workers.ForwarderPassThroughWorker.onGet(ForwarderPassThroughWorker.java:370)",
        "at com.f5.rest.common.RestWorker.callDerivedRestMethod(RestWorker.java:1009)",
        "at com.f5.rest.common.RestWorker.callRestMethodHandler(RestWorker.java:976)",
        "at com.f5.rest.common.RestServer.processQueuedRequests(RestServer.java:889)",
        "at com.f5.rest.common.RestServer.access$000(RestServer.java:43)",
        "at com.f5.rest.common.RestServer$1.run(RestServer.java:165)",
        "at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)",
        "at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)",
        "at java.lang.Thread.run(Thread.java:744)
"
    ],
    "message": "Authorization failed: user=https://localhost/mgmt/shared/authz/users/otheruser resource=/mgmt/tm/ltm/pool verb=GET uri:http://localhost:8100/mgmt/tm/ltm/pool referrer:192.168.1.15 sender:192.168.1.15",
    "referer": "192.168.1.15",
    "restOperationId": 7895
}It's local authentication. This is BIG-IP 11.6.1 Build 1.0.326 Hotfix HF1 if it matters.&nbsp;What I find interesting is that this output is blank:&nbsp;curl -sk -u 'admin:passwd' -H "Content-Type: application/json" https://192.168.1.110/mgmt/shared/authz/users |python -m json.tool
{
    "generation": 0,
    "items": [],
    "kind": "shared:authz:users:userscollectionstate",
    "lastUpdateMicros": 0,
    "selfLink": "https://localhost/mgmt/shared/authz/users"
}I think I'm missing and misunderstanding something here. Any help would be greatly appreciated!&nbsp;Thanks!&nbsp;-Matt&nbsp;

vijay_e · Answer

If you are looking for user-level granular access to iCR, you need to be in 12.1 code and later. For 11.6, you would need admin access to the box.&nbsp;

danilo_josé_dos · Answer

Hi,
Try this:
curl -sk -u 'admin:passwd' https://192.168.1.110/mgmt/shared/authz/roles/iControl_REST_API_User -X PATCH -H "Content-Type: application/json" -d '{"userReferences":[{"link":";}]}' | python -m json.tool&nbsp;

Forum Discussion

iControlREST access for user other than admin

2 Replies

F5 Architecture Track Sessions - AppWorld 2026

Recent Discussions

The GSLB pool is providing an incorrect IP to end users

iRule causing requests to be duplicated (sometimes)

F5 Networks F5CAB1 Exam - Need Help Regarding Prep

Illegal Metacharacter in Parameter Name in Json Data

Cisco TACACS+ Config on ISE LTM Pair

Related Content

iControlREST Swagger File

Zero Trust Application Access for Federal Agencies

Federated AWS Console Access Made Easy: F5 BIG-IP Access Policy Manager Access Guided Configurations

Connection list via iControlREST API

iControlREST Auth Token and Transaction Example (Postman)

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS