Forum Discussion

safiyet_80777
Mar 29, 2011

user permission




We want to show the user interface of F5 BIG-IP differently to a user, a role or a partition. We want to prevent some users from looking at some data or changing some configuration. For example, for user "test", we want to disable the system->Configuration->local traffic page with a Perl script, changing iControl, etc. Is this possible with iControl? Or how do we do this?







7 Replies

  • It's possible, but I think differently than you are expecting. Before I go further, are you familiar with creating administrative partitions in the GUI, which allow by object and by role what a user can see/change? It'd be a worthwhile exercise to explore that first. If that doesn't meet your needs, then you're looking at a custom application (web-based or desktop) that will restrict what a user can see based on the options you control through iControl interface/method calls. This application would exist off-box, either on a server or on a desktop. There are some examples in perl linked here: Click Here
  • Thanks Jason,



    Your reply is very helpful for us. We are familiar with partitions, but they do not meet our needs. I looked at the Perl scripts. Must we use a script, or do we do this by changing iControl code? For example, do we add a new role to usermangement.cs for our specific permissions? And I have another question. How do we disable or enable pages, and which method or interface should we use?



    Thanks a lot.
  • iControl is just an interface to the BIG-IP to make system and configuration changes. I don't believe adding new roles or customizing existing roles is supported. Only way I'm familiar with to do something like this is to write a script/application that uses iControl and "hides" the features you don't want to give users access to by not including them in your application, or at least restricting them by user.

  • Thanks a lot. I investigated PowerShell. I cannot decide which one I should use, Perl or PowerShell. But I cannot hide the features with PowerShell. For example, how do I hide LocalB.Network Map? I looked at the PowerShell web page but I could not find it. Maybe my questions are simple, but I am new to F5, iControl, PowerShell... Sorry for the inconvenience.
  • The idea is that you create a custom application using the language of your choice. With that application you only allow users to execute specific operations that you want. In effect, you're replacing the default admin tools like the GUI or the command line. You're not modifying the default admin GUI or CLI behavior on LTM.



  • You realize me exactly. My main question is how do I replace the default admin tools?






  • You would build a tool which provides only the admin operations you want to allow using iControl calls and then disallow access to the default admin interfaces (the web GUI and command line).
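
The approach the replies describe, sketched as an added example that is not part of the thread and not F5 code: an off-box gateway forwards only the operations on each user's allow-list and denies everything else. `StubBackend`, `Gateway`, `POLICY` and the operation names (written in iControl's Module.Interface.method style) are assumptions for illustration; a real tool would pass allowed calls to an iControl client in place of the stub.

```python
import logging

log = logging.getLogger("gateway.audit")

# Deny-by-default policy: user -> operations the tool will forward.
# Operation names are assumptions for illustration; confirm them
# against the iControl SDK before use.
POLICY = {
    "test": {"LocalLB.Pool.get_list", "LocalLB.VirtualServer.get_list"},
    "netops": {"LocalLB.Pool.get_list",
               "LocalLB.Pool.set_member_session_enabled_state"},
}


class Denied(Exception):
    """Raised when a user requests an operation outside their allow-list."""


class StubBackend:
    """Constructed stand-in for a real iControl client; records calls."""

    def __init__(self):
        self.calls = []

    def invoke(self, operation, **params):
        self.calls.append((operation, params))
        return {"operation": operation, "status": "ok"}


class Gateway:
    """Holds the BIG-IP credentials itself; users authenticate to it only."""

    def __init__(self, backend, policy):
        self.backend = backend
        self.policy = policy

    def visible_operations(self, user):
        # Drives the menu: operations absent here are never rendered.
        return sorted(self.policy.get(user, set()))

    def call(self, user, operation, **params):
        # Enforced server-side as well: a hidden menu entry is not a control.
        if operation not in self.policy.get(user, set()):
            log.warning("DENY user=%s op=%s", user, operation)
            raise Denied(f"{user} may not call {operation}")
        log.info("ALLOW user=%s op=%s", user, operation)
        return self.backend.invoke(operation, **params)
```

The restriction only holds if users cannot reach the default web GUI or command line directly, as the last reply notes.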