Forum Discussion
Permissions for iControl REST
Hi all,
We are currently doing some tests with iControl REST on 11.5.1. So far it looks very good, but it looks like only users in the Administrator role can use the REST interface; users in the Operator role, for example, are not able to access the API on context /mgmt/tm/ltm/pool/.
Are we missing anything or are only Administrators able to access the REST API?
Thank you in advance for your support
7 Replies
- IsaacUribe_1916
Nimbostratus
On 11.6 I was able to do this by creating an "audit" account and then assigning permissions to the REST API with:
curl -k -u admin -H "Content-Type: application/json" -X PATCH https://<353417d8-11ab-45f3-9b2b-a8a3284b985a>/mgmt/shared/authz/roles/iControl_REST_API_User -d '{ "userReferences":[{"link":"<2cd6a666-2166-499a-b7f4-e65d77a45cd7 link filter-list-container-d03f4d3d-e890-462a-9ae1-49e301f7c2c6 clear-filters-d03f4d3d-e890-462a-9ae1-49e301f7c2c6 53576987-3cae-4d15-97dc-3d6a03568049>"}] }'
It is documented in the "icontrol-rest-user-11-6-0_15.pdf" manual, in the "About iControl and RBAC for user accounts" section.
- Dietmar_Moltner
Nimbostratus
Thank you for the clarification
- Dietmar_Moltner
Nimbostratus
Thank you for the response, will do that. One more idea would be to create a policy-secured virtual with AD groups to permit access to specific REST calls based on group membership. Is it possible to create a pool on the same appliance to point to the local iControl REST endpoint?
Thx
- Riley_Schuit_82
Historic F5 Account
ID 471136 will probably be linked just for being able to use remote auth with iControl REST. You should get an error if you configure a pool member for a self IP (error: "The requested pool member is already in use as a self IP address (x.x.x.x)") but I see there is no error for pointing to the mgmt address (I wouldn't do it).
- Riley_Schuit_82
Historic F5 Account
Create a support case. Note RFE ID 476361 is probably what you are looking for.
- shaggy
Nimbostratus
Open a support case to request the feature. The more feature requests, the higher the priority to add the feature to a future release.
- mimlo_61970
Cumulonimbus
This has been asked a few times, others have always stated that the administrator role is required for iControl REST.