Forum Discussion

Angel_Lopez_116
Feb 25, 2015

Role to delegate APM administration

Hi, we've implemented Kerberos authentication using APM, but now that it is all up and running we'd like to delegate the administration of the Visual Policy Editor and all the APM-related objects (Kerberos AAA, Active Directory AAA...) to the security folks. I know that there's an "Application Security Policy Editor" role that seems to apply only to ASM. I'd need something like an "APM administrator" role. Is there something like that? Can I somehow delegate the APM administration?


I'm afraid that maybe I can't delegate it, so I've thought of creating a separate guest in my vCMP system so I can license APM on that new guest. That way I'd have my LTM guest and my APM guest, and I could give the administrator account in the APM guest to the security folks without needing to deal with the "user roles" problem. But I don't know if I can have LTM and APM in different systems, because I've only worked in a system where LTM and APM were licensed together, so I can reference the APM policies from the LTM Virtual Servers as a local object. If I have APM in a separate guest from LTM, how would I reference the policy objects? I have searched, with no luck, for any deployment guide for a "one LTM with several APM" setup and I have found nothing... any references?


Thanks!


4 Replies

  • Why don't you create a partition and put the APM objects in that partition? Then assign APM administrator access to that partition.


    Just a thought


  • I'm not used to working with partitions, so that's a pretty new feature to me. So if I follow you, I could create a new partition (I'm only working with the default Common partition right now) and I could assign every APM object that I create to that partition. But, when you say "APM administrator access"... what do you mean? Because the Administrator role can't be assigned to a single partition, right?


      Gianrico_D_Ang1
      Historic F5 Account
      I am sorry the answer was confusing. What I meant was: you can assign access to that partition to the apm administrator. I think the role to assign to the apm administrator is the Manager role. gianrico
  • The Manager role will work for most APM stuff. However, if you use Hosted Content, this is device-wide and a user must be granted the Administrator role.


    Depending on your version (anything less than 11.6), the APM logs are more easily viewed and queried directly from the shell terminal. So your admins will have limited troubleshooting capabilities unless you forward your logs to an external server.


    In 11.6, they added the access log to System -> Logs.
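A concrete version of the partition-plus-Manager approach suggested in the replies above, added here as an example (these are not commands posted in the thread). The partition name `apm` and the user name `secops-apm` are assumed names; run the commands in tmsh as an Administrator on the BIG-IP.

```tmsh
# Added example: delegate APM administration to a partition-scoped Manager.
# "apm" (partition) and "secops-apm" (user) are assumed names.

# 1. Create the partition that will hold the delegated APM objects.
create auth partition apm description "Delegated APM objects"

# 2. Create the delegated administrator. The Manager role is granted on the
#    "apm" partition only, so the account has no rights in /Common.
#    Replace the password; use "auth remote-role" instead if you map roles
#    from an external LDAP/RADIUS/TACACS+ directory rather than local users.
create auth user secops-apm password "ChangeMe-Now!" shell tmsh \
    partition-access add { apm { role manager } }

# 3. Verify the scope before handing over the account.
list auth user secops-apm

# 4. Objects the delegated admin will manage live in the new partition;
#    switch to it before creating or listing them.
cd /apm
list apm profile access

# 5. Persist the change.
save sys config
```

Two caveats to check before adopting this: a non-Common partition can only be referenced from within that partition (objects in /Common are visible from everywhere, but not the reverse), so the LTM virtual servers that use the delegated access profiles must also live in `/apm`, not in `/Common`; and, as noted in the reply above, Hosted Content is device-wide and still requires the Administrator role, which this partition-scoped account does not have.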