Forum Discussion
iREST RBAC Questions
Salutations Good People!
 
I am attempting to configure RBAC access on my Lab instance, so as not to break Production (despite how fun that is), and I am running into some odd issues that I was hoping to get some feedback on (in order to tell me what I am doing wrong).
 
I set up RBAC following this guide, modifying things as needed for my environment: https://devcentral.f5.com/s/articles/icontrol-rest-fine-grained-role-based-access-control-30773
 
We are running v13.1.0.6.
 
We are wanting to use the RBAC control to allow for a limited user to be able to swap the active node in a specific pool in order to change the active server for Blue Green Application Deployments.
 
As our F5 is Active Directory integrated, we have set up a new user in AD and added an AD Group to the Remote Role Groups in the F5 configuration. This group is set up with the assigned role of Operator.
 
I was able to configure a working setup for the RBAC user, but I am getting intermittent Access Denied messages when attempting to enable or disable a node in a pool.
 
I created a Custom Resource Group and a Custom Role for this using the steps in the guide linked above. I made sure to grant the resource group the PATCH, PUT, and GET HTTP REST methods.
 
How can we avoid the Access Denied messages? From what I was reading, this is due to the account not being an administrator on the F5, which we don't want.
 
The other thing that I have questions on is the Token Based Authentication. The default time limit is 20 minutes for the life of the token, and I have found how to extend that. The question I have is this:

1. So far, in order to get the token, I have to pass the admin credentials in order to get the token for the service account or local non-admin account I am trying to use. Is there a way to get the token or use Basic Authentication directly as either a non-admin local user, or as the service account from AD?
 
Thank you for taking the time to look at this and read this wall of text.
 