Forum Discussion
User and Partition Access Query
Hi All,
Is there a way, using TACACS and remote roles, that I can assign access for a user to two or more partitions, but not all of them?
The scenario is: I have a TACACS server returning the attributes that I have assigned to remote roles. I also have two partitions that are application specific (i.e. Exchange in partition A and SharePoint in partition B). A specific group of users who will be assigned the 'application editor' role need access to both partition A and partition B (they administer both environments). There are also other partitions on the LTM that I do not want to give them access to.
Is there a way I can provide 'application editor' access to these users for those two partitions only, not all partitions?
At the moment, it seems the attribute returned that is lower in the 'line order' field in the remote role groups is the partition they get access to.
Any help is appreciated, thanks for your time.
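An added illustration of the BIG-IP side of the setup described in the post above (example configuration, not from the original poster): two remote-role entries, one per partition, each matched by its own TACACS attribute value. Partition names (PartitionA, PartitionB), the role-info object names, the attribute values and the fact that remote authentication against the TACACS server is already configured are all assumptions made for the example.

```tmsh
# Added example, not the poster's configuration. PartitionA/PartitionB, the
# role-info names and the F5-LTM-User-Info-1 values are placeholders; the
# TACACS+ server itself is assumed to be configured already.

# Users that match no entry get nothing (safe default).
modify auth remote-user { default-role no-access remote-console-access disabled }

# One role-info entry per partition. Each entry carries exactly one
# user-partition value, so two partitions need two entries.
create auth remote-role role-info exchange-admins { attribute "F5-LTM-User-Info-1=exchange-admins" line-order 10 role application-editor user-partition PartitionA console enable }
create auth remote-role role-info sharepoint-admins { attribute "F5-LTM-User-Info-1=sharepoint-admins" line-order 20 role application-editor user-partition PartitionB console enable }

# Check what was stored and in which line order.
list auth remote-role role-info
```

The TACACS server has to return the matching `F5-LTM-User-Info-1` value(s) for the user. As the post above reports, when both values come back the entry with the lower line-order value is the one applied, so a user who matches both entries ends up with PartitionA only; the second entry is not added on top of the first.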
6 Replies
- kunjan
Nimbostratus
Maybe you want to check out the feature in 11.6 where partition-level access can be granted.
- Brad_Mc_115066
Nimbostratus
Hi there, thanks for the link. I've read through it, but it still doesn't seem to address what I'm after. Can a user authenticate to a TACACS server and be given administrative functions for two or more partitions only, not all partitions? I can ensure that two or more attributes get returned from TACACS when the user authenticates; however, it seems that BIG-IP can only give access to one partition (the first in the line order), and not the 2nd partition. I'm just trying to find out if the user can get access to both partitions. Does that help clear up what I'm after? Thanks again for your reply!
- R_Marc
Nimbostratus
I haven't tested this (I don't use partitions), but RBAC on BIG-IPs is pretty limited in my experience. I think it just matches on its first find, in order, and the partition access is defined in the role (all or specific). With RADIUS you could probably deal with your requirement, but with LDAP and TACACS I don't think so. To deal with it in RADIUS, I think you could use a realm, where the user logs in to a realm to identify which partition they intend to connect to. They wouldn't be able to switch between them in session.
This is all speculation on my part, however.
- Brad_Mc_115066
Nimbostratus
That is handy. I'll look into RADIUS. Thanks for the hint. I've also raised a request with F5 directly to see if support knows how to do it.
Thanks again.
Brad