Forum Discussion
User access to limited irules.
I want to ask about limiting user access/configuration on F5. At the moment we are planning to create a user with limited access to iRules only. But the problem is that at the moment all the configuration in iRules is located on the Common partition. Is it possible for us to create a new user with the name “A” as an iRule manager who can only configure the “A” partition? If yes, can you help us with how to create a new partition and move the existing iRule config to the new partition?
7 Replies
- nathe
Cirrocumulus
Yes, you can create a new partition called A and create a new user with role iRule Manager and just select this A partition.
As for moving the existing iRule configuration. If you are pre TMOS 11.6 then the only way around this is to delete the iRule and recreate in the new partition or edit the bigip.conf file via SSH. If you've 11.6 then there's a new feature to move objects. See 11.6 release notes and the section "Object move and rename". I've not used this feature myself so I'd test first.
Hope this helps,
N
- Aiyappa_136133
Nimbostratus
Hi Nathan,
Thanks for your help.
Cheers!
- nathe
Cirrocumulus
No probs
- Aiyappa_136133
Nimbostratus
Hi Nathan,
Also, this is what my requirement is. Do you have any comments?
Assume I create an iRule list (located on the Common partition) which will call the data group list (located on a different partition). Is it possible? If yes, is the syntax also the same? Here is some of the iRule syntax we use:

```tcl
when CLIENT_ACCEPTED {
    # Pick a SNAT pool based on which data group contains the client address
    if { [class match [IP::client_addr] equals userA] } {
        snatpool snat-userA
        return
    } elseif { [class match [IP::client_addr] equals userB] } {
        snatpool snat-userB
        return
    } else {
        snatpool snat-userdefault
    }
}
```

Here we assume usera and snat-userA will be located on partition a, userb and snat-userB will be located on partition b, while snat-userdefault and the iRule will be located on the Common partition.
- nathe
Cirrocumulus
From the tmos concepts guide, "an iRule can reference any object, regardless of the partition in which the referenced object resides. For example, an iRule that resides in partition my_app_A can contain a pool statement that specifies a pool residing in partition my_app_B. Neither object is required to reside in Common"
Hope this helps
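
The cross-partition reference described in the quoted guide text, applied to the iRule posted earlier in the thread. This is an added example, not part of the original thread and not F5's own code; the partition names `/A` and `/B` and the placement of each object follow the poster's description and are assumptions, as is referencing each object by its full `/partition/name` path.

```tcl
# Added example: iRule stored in /Common that references data groups and
# SNAT pools living in other partitions by full path.
# Assumed layout (from the poster's description):
#   /A/userA, /A/snat-userA            -> partition A
#   /B/userB, /B/snat-userB            -> partition B
#   /Common/snat-userdefault, this rule -> Common
when CLIENT_ACCEPTED {
    # Full paths make the partition of every referenced object explicit,
    # so the rule does not depend on how an unqualified name is resolved
    # relative to the partition the iRule itself lives in.
    if { [class match [IP::client_addr] equals /A/userA] } {
        snatpool /A/snat-userA
        return
    } elseif { [class match [IP::client_addr] equals /B/userB] } {
        snatpool /B/snat-userB
        return
    } else {
        # Clients not listed in either data group use the shared default.
        snatpool /Common/snat-userdefault
    }
}
```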