rest calls not allowed by other-than-admin

It is possible to use a non administrator user to access iControl REST. It does require a bit of setting up to get it working.

K84925527: Overview of iControl permissions

First you must create your user,

(tmos) create auth user notadmin partition-access add { all-partitions { role guest } } shell tmsh password notadminpw

Next you must find the selflink value for the user you have created (assuming your admin ID is 'admin' and password is 'secret'.)

curl -s -k -u admin:secret https://localhost/mgmt/shared/authz/users | jq .

you will see the output which will appear similar to this below..

{
  "items": [
.....
    {
      "name": "notadmin",
      "displayName": "notadmin",
      "encryptedPassword": "$6$Randomized_Characters_Of_Password",
      "generation": 1,
      "lastUpdateMicros": 1519056227960605,
      "kind": "shared:authz:users:usersworkerstate",
      "selfLink": "https://localhost/mgmt/shared/authz/users/notadmin"
    },
.......
  ],
  "generation": 11,
  "kind": "shared:authz:users:userscollectionstate",
  "lastUpdateMicros": 1519056227962971,
  "selfLink": "https://localhost/mgmt/shared/authz/users"
}

Locate the value for 'selfLink' for the user notadmin, here is is shown as

The next command will alter that userID so that it can be used for iControl REST, ensure that you set the 'link' value to be the same as the 'selfLink' value extracted in the step above.

 curl -s -k -u admin:secret --request PATCH --data '{"userReferences":[{"link":"https://localhost/mgmt/shared/authz/users/notadmin"}]}'     https://localhost/mgmt/shared/authz/roles/iControl_REST_API_User | jq .

This will produce a lot of output.

After this command you can then issue iControl REST command using your non-admin user id 'notadmin'

 curl -s -k -u notadmin:notadminpw  https://localhost/mgmt/tm/ltm/virtual | jq .

I hope this is helpful - obviously you want to create a user with Resource Administrator role.