Forum Discussion

gaspol33_275602
Jul 30, 2016

User Roles in BIG-IQ

Is there a way to create custom role types in BIG-IQ? For example, I'd like to create a role which allows a user to manage pools, virtual servers, and SSL certificates in BIG-IP. Can this be done? From what I can tell, you can only create 3 new role types in BIG-IQ: Device Viewer, Virtual Server Operator, and Pool Member Operator.

 

  • zipzip_65424
    Historic F5 Account

    There seem to be more user roles under System management > User management > Users (ADC Manager, ADC Viewer, ADC Editor), which should cover your requirement.

     

  • Kyle_Oliver_519
    Historic F5 Account

    Currently, you are correct on the roles you can create. It is also important to note that you can apply multiple roles to a single user or user group. We do not currently have a role specific to managing certificates, but we do have roles that cover virtual server enable/disable, as well as pool member enable/disable.

     

    Can you describe the roles you are looking for in detail, including what you expect that user to be able to do/see?

     

    We are in the process of scoping additional changes to the RBAC in BIG-IQ and the more customer details/stories we can include the better.

     

    • gaspol33_275602

      Thanks for your response, Kyle.

       

      I work for the central IT department of a university and would like to offer load balancing services to the various faculties and departments around campus. Using LTM, we'd like to make it self-service to minimize the number of tickets the departments will need to submit to do day-to-day operational tasks.

       

      For the most part, we can segregate user access by partitions. So dept A can only access partition A, and so forth. For these users, we'd like them to be able to:

      • add/enable/disable nodes, pools, and virtual servers
      • create/update iRules
      • manage SSL certificates (import certs, replace certs that have expired, etc.)
      • other day-to-day operational tasks

       

      Since we're using partitions, I think we can do most of the above just by using BIG-IP's built-in RBAC, except for SSL cert management. I think this requires a separate user account to be created just to perform this task, so it would be nice if BIG-IQ can somehow address this.

       

      We also have one "shared" partition where various departments will be hosting their services. So we'll need to somehow limit each department's access to just their respective nodes, pools, and virtual servers within this partition:

      • add/enable/disable their own nodes, pools, and virtual servers (looks like the Virtual Server and Pool Member operator roles can satisfy this requirement)
      • create/update iRules but just apply them to their own virtual servers
      • manage their own SSL certificates

       

      Hope this helps with future development. Please let me know if you need more info or need me to expand further.

       

      Thanks, Randell

       

    • M_G1

      On top of SSL cert management, being able to have a role that lets a user only edit a single external data group file would be great.

       

      We use this for our site maintenance-mode control file. It works great but requires one of our network admins to make the change, as our developers do not have access to the F5. Ideally, they would be able to make the changes themselves without being exposed to anything else in the interface.

       

  • Although this thread is already some years old, I think my question best matches here, because it's a general design/concept question for user roles.

    We are currently using BIG-IQ version 7.1.0 and I'm looking for a concept to fulfill the following requirements:

    • We have several different BIG-IPs (30+), which are all managed via BIG-IQ
    • Avoid the use of partitions on each BIG-IP for the users to view only "their" configuration/services
    • Use BIG-IQ as a centralized device, where different users can login with their personal account and see only "their" configuration/services across all BIG-IPs
    • Update assigned Resources automatically once a new configuration is done on a BIG-IP. This can also be done with an appropriate API call against BIG-IQ.

    My current idea is:

    • Create a unique Resource Group for each user and assign "their" configuration/services across all BIG-IPs
    • Create a unique Role for each user, assign the Resource Group to it and bind it to the corresponding user

     

    Is this a good idea? Is this possible at all? Or are there maybe any other options/configurations possible for above mentioned concept?

    Thank you for any shared ideas!

     

    Regards Stefan :)

  • Hi again,

    I tried now to create custom access to the BIG-IQ following this article. I created:

    • Role Type: Service->LTM, Object Type->Virtual Servers, only Read Access
    • Resource Group: Select 14 Virtual Servers from a single BIG-IP cluster with previous created Role Type
    • Custom Service Role: assign all previous created objects to a test-user

    -> If I check the "View Permissions" button, everything looks fine: I can see only the 14 VS and their assigned resources with only read permissions.

    -> But when I login to BIG-IQ with the test-user, I still can see ALL configurations across ALL BIG-IP clusters.

     

    Any idea what's going wrong here or how I can further troubleshoot this? Is this somehow related to inherit TACACS groups permissions (admin_group & operator_group)? If so, how can I fix this?

     

    :EDIT: ok, it's conflicting with the user groups and the "Authorization Attributes" as long as the permissions for these groups are not matching with the custom ones. But this is good to know, because then we can manage permissions via appropriate attributes from the TACACS server.

     

    Thank you!

     

    Regards Stefan :)
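Editor's note on the post above. The behaviour Stefan ran into is the general rule that Kyle states earlier in the thread: several roles can reach one user, and the user's effective access is the union of all of them. A narrow Role Type plus Resource Group plus custom role restricts only a user who has no broader role coming from somewhere else, such as a user group that TACACS authorization attributes put the user into. The following toy model is an added example, not code from the thread, from F5 or from BIG-IQ's data model; the object names, cluster names, group names and the `ANY` marker are constructed for illustration.

```python
"""Added example (not from the thread or F5): a toy model of additive BIG-IQ roles.

A user's effective access is the union of every role that reaches the user,
whether bound directly or via a user group (for example one populated from
TACACS authorization attributes). A narrow Role Type + Resource Group +
custom role only limits a user who has no broader role from elsewhere.
Object names, cluster names and the ANY marker are constructed for illustration.
"""
from dataclasses import dataclass, field

ANY = "ANY"  # stand-in for the "Any Instance" option: every discovered object


@dataclass(frozen=True)
class Role:
    name: str
    object_type: str    # e.g. "virtual-server"
    actions: frozenset  # e.g. frozenset({"read"}) or frozenset({"read", "write"})
    resources: object   # frozenset of object names (an explicit resource group) or ANY


@dataclass
class User:
    name: str
    roles: list = field(default_factory=list)   # roles bound directly to the user
    groups: list = field(default_factory=list)  # user groups the user belongs to


# Constructed inventory: virtual server name -> BIG-IP cluster that hosts it.
INVENTORY = {
    "vs-a-web": "cluster-a", "vs-a-api": "cluster-a", "vs-a-mail": "cluster-a",
    "vs-b-web": "cluster-b", "vs-b-db": "cluster-b",
    "vs-c-web": "cluster-c", "vs-c-vpn": "cluster-c",
}

# Roles granted through group membership; here the groups a TACACS
# authorization attribute would place the user in (names assumed).
GROUP_ROLES = {
    "admin_group": [Role("Administrator", "virtual-server",
                         frozenset({"read", "write"}), ANY)],
    "operator_group": [Role("Operator", "virtual-server", frozenset({"read"}), ANY)],
}


def cluster_resource_group(cluster, inventory=INVENTORY):
    """Explicit resource group: every virtual server currently on one cluster."""
    return frozenset(name for name, c in inventory.items() if c == cluster)


def effective_roles(user, group_roles=GROUP_ROLES):
    """All roles reaching the user: direct bindings plus those of its groups."""
    roles = list(user.roles)
    for group in user.groups:
        roles.extend(group_roles.get(group, []))
    return roles


def visible(user, action="read", object_type="virtual-server",
            inventory=INVENTORY, group_roles=GROUP_ROLES):
    """Objects the user may <action>: the union over every effective role."""
    allowed = set()
    for role in effective_roles(user, group_roles):
        if role.object_type != object_type or action not in role.actions:
            continue
        if role.resources == ANY:
            allowed.update(inventory)          # broad role: everything discovered
        else:
            allowed.update(n for n in role.resources if n in inventory)
    return allowed


def demo():
    custom = Role("ClusterA-VS-ReadOnly", "virtual-server", frozenset({"read"}),
                  cluster_resource_group("cluster-a"))
    # As observed in the thread: the custom role is bound, but the TACACS-derived
    # group still maps the user to admin_group, so the union is everything.
    inherited = User("test-user", roles=[custom], groups=["admin_group"])
    # Same custom role once the TACACS attributes no longer grant admin_group.
    narrow = User("test-user", roles=[custom], groups=[])
    return {
        "with_admin_group_read": visible(inherited, "read"),
        "with_admin_group_write": visible(inherited, "write"),
        "custom_only_read": visible(narrow, "read"),
        "custom_only_write": visible(narrow, "write"),
    }


if __name__ == "__main__":
    for label, names in demo().items():
        print(f"{label}: {sorted(names)}")
```

The practical consequence for a TACACS-backed BIG-IQ: the "View Permissions" button reports what one role grants, while the login session reflects the union, so the group mapping carried by the authorization attributes has to be as narrow as the custom role before the custom role has any effect. Checking the group memberships a test account actually receives, not only the role you just bound, is the first troubleshooting step.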

  • I have one more question regarding the "Resource Groups" and the "Any Instance" option. Is it somehow possible to combine this option on a more granular basis, e.g. I have Resource Groups per BIG-IP cluster and want to include all virtual servers including future ones only for that specific BIG-IP cluster. In the WebGUI this option is only available for ALL virtual servers across ALL discovered BIG-IP devices.

    Thank you!

    Regards Stefan 🙂
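Editor's note on the "Any Instance" question above and on the earlier design idea (one Resource Group per user, refreshed by an API call after each configuration change). "Any Instance" spans every discovered object of a type across all devices; the per-cluster equivalent the thread is after can only be built as an explicit Resource Group that is reconciled against the current inventory after every change. The module below is an added example, not code from the thread, from F5 or from BIG-IQ's REST API: it computes that reconciliation as a membership delta (links to add, stale links to remove) and applies it through a stand-in client that only records calls. The inventory field names, the link strings and the client's methods are assumptions; a real run would read the inventory and the group's current members from BIG-IQ and send the delta there.

```python
"""Added example (not from the thread or F5): keep a per-cluster resource group
in step with the current inventory.

BIG-IQ's "Any Instance" option covers every discovered object of a type across
all devices. For "every virtual server on cluster X, including future ones" the
thread's alternative is an explicit resource group refreshed after each
configuration change. This module computes that refresh as a membership delta
and applies it through a stand-in client that only records calls. The inventory
field names and the client methods are assumptions, not BIG-IQ's REST schema.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class VirtualServer:
    name: str
    cluster: str    # BIG-IP cluster (device group) hosting the object
    self_link: str  # reference the resource group stores for the object


# Constructed inventory, as if fetched from BIG-IQ after the latest change:
# vs-a-api is new on cluster-a; the old vs-a-old no longer exists anywhere.
INVENTORY = [
    VirtualServer("vs-a-web", "cluster-a", "vs/a-web"),
    VirtualServer("vs-a-api", "cluster-a", "vs/a-api"),
    VirtualServer("vs-b-web", "cluster-b", "vs/b-web"),
]


def desired_members(cluster, inventory):
    """Per-cluster 'Any Instance': every object currently on that cluster."""
    return {vs.self_link for vs in inventory if vs.cluster == cluster}


def plan(cluster, inventory, current_members):
    """Return (links to add, links to remove) so the group matches the cluster."""
    desired = desired_members(cluster, inventory)
    current = set(current_members)
    return sorted(desired - current), sorted(current - desired)


class RecordingClient:
    """Stand-in for an authenticated HTTP client; records what would be sent."""

    def __init__(self):
        self.calls = []

    def add_member(self, group, link):
        self.calls.append(("add", group, link))

    def remove_member(self, group, link):
        self.calls.append(("remove", group, link))


def sync_group(cluster, group, inventory, current_members, client):
    """Apply the delta and return the group's membership after the run."""
    adds, removes = plan(cluster, inventory, current_members)
    for link in adds:
        client.add_member(group, link)
    for link in removes:       # stale references must go, not just accumulate
        client.remove_member(group, link)
    return (set(current_members) | set(adds)) - set(removes)


def demo():
    previous = {"vs/a-web", "vs/a-old"}   # membership left by the last run
    client = RecordingClient()
    first = sync_group("cluster-a", "rg-cluster-a", INVENTORY, previous, client)
    # A second run against an unchanged inventory must be a no-op.
    second = sync_group("cluster-a", "rg-cluster-a", INVENTORY, first, client)
    return {"after_first": first, "after_second": second, "calls": client.calls}


if __name__ == "__main__":
    result = demo()
    print("membership:", sorted(result["after_first"]))
    for call in result["calls"]:
        print(*call)
```

Two points worth keeping in mind with this pattern. The account that runs the reconciliation needs the right to edit resource groups, which makes it more privileged than every user it scopes, so it should be a dedicated service identity whose credentials never reach the departmental users. And because a virtual server created between two runs is not in anyone's group until the next run, the scheme fails closed; the opposite case, an object deleted from the BIG-IP, is why the delta also removes stale references instead of only adding new ones.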