Forum Discussion
Scott_Hopkins (Nimbostratus), Apr 08, 2010
Re: Isolation of privileges
Is it possible to provide a non-admin user with the F5 Management Pack for SCOM, and require the big3d be upgraded manually on the BigIP itself? From a security perspective, this seems like giving SCOM the keys to the castle, even if we have no desire to use the full integration SCOM offers. It also raises some PCI concerns we're still investigating, as it seems that someone with admin access to the SCOM configuration has full access to the BigIP, with access to the ASM config and logs as well.
1 Reply
Dave_Ruddell_79 (Historic F5 Account)
Hey Scott,
Yes this is possible. We've set up a few sample User Roles in the Administration -> Security -> User Roles section. If you look at the 3 F5 User Roles, the Big3d Administrator role will be particularly interesting to you. If you look under tasks, it shows the "Authorized for Big3d Update" Task. This task is run when discovery is initiated, which means any user running discovery that does not have access to this Task will not be able to update Big3d. Also, even SCOM Admins still require an admin user name and password for the BigIP in order to perform any major configuration changes to the device (including Big3d). On that note, any credentials entered for the BigIP are cached against the AD user running the task, so if you are the only one with the keys to the castle, it will stay that way as long as no one can log in under your user account.
On another note, if you wish to upgrade the Big3d manually, instructions are listed here on how to do that: Click Here. After that, just make sure the user doesn't have access to the "Authorized for Big3d Update" task and you are set. Let us know if you have any other concerns with this.
Thanks,
Dave