Forum Discussion

ter9
Dec 07, 2023
Solved

User roles per partition: are multiple possible?

Hello,

Version: BIGIP-16.1.4.1

We'd like to give two different user roles to a user (certificate manager and application editor) on one partition in BIG-IP, but giving any second role causes an error message about duplicate entries on the partition - see screenshot below

Does anyone know if this is by design or is there some issue here?

Thanks,

Peter

  • Hi Ter,

    Summary of user role considerations

    When managing user roles for BIG-IP® user accounts, it is helpful to understand these system behaviors and restrictions. Some apply to all user accounts, while others apply to remote accounts only.

    All user accounts

    This section summarizes some high-level concepts about configuring access control for all BIG-IP user accounts, whether stored locally on the BIG-IP system or on a remote authentication server:

    • A user account can have only one user role for each administrative partition on the BIG-IP system.
    • If a user has multiple roles on the system, the user's most powerful role is applied on first login.
    • If you have an Administrator role, you can grant universal access to any user, except those that have a role of No Access.
    • A user with the role of Administrator, Resource Administrator, Application Security Administrator, or Auditor always has universal partition access (that is, access to all partitions). For these users, you cannot change this universal access.
    • A user with universal access can have only one role on the system, and the role applies to all partitions. On initial login, the user's current partition is set to Common.
    • During a user's login session, the role for the current partition is continually displayed in the upper left area of each screen of the BIG-IP Configuration utility.
    • If you change a role on a user account while the user is logged into the system through tmsh, the BIG-IP system terminates the user's tmsh session when the user subsequently issues another tmsh command.

      If you try to add another role to a user, the previous role will get replaced.

      As a BIG-IP® user with an Administrator or User Manager user role, you can assign user roles to other BIG-IP user accounts.

      Specifically, for each BIG-IP user account, you can assign a specific user role to each administrative partition to which you grant the user access.

      In this way, you can control the BIG-IP configuration objects that the user can manage, as well as the types of actions the user can perform on those objects.

      Important: When a local user with multiple roles logs in to the system, the system applies the most powerful of those roles to the user and sets the current partition to the partition associated with that role. This role remains in effect until the user changes the current partition or the user logs off the system.

      If possible, you can make 2 users with different logins for serving different purposes:

      1st local user for Application Editor

      2nd local user for Certificate Manager

      Hope this helps

      🙏

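One way to set up the two-account workaround from tmsh, as an added example that is not part of the thread: each local account gets exactly one role, scoped to one partition, which is the constraint the documentation above describes. The user names and the partition name `Common` are placeholders.

```tmsh
# Added example (not from the thread). Each account carries one role on one
# partition; user names and the partition name are placeholders.

# Account 1: may edit application objects in the Common partition only.
# prompt-for-password avoids putting the password on the command line;
# shell none keeps the account out of bash/tmsh (Configuration utility only).
create auth user peter-appedit prompt-for-password shell none partition-access add { Common { role application-editor } }

# Account 2: may manage certificates and keys in the Common partition only.
create auth user peter-certmgr prompt-for-password shell none partition-access add { Common { role certificate-manager } }

# Verify: each account should show a single role under its partition entry.
list auth user peter-appedit partition-access
list auth user peter-certmgr partition-access

# Persist the accounts to the saved configuration.
save sys config
```

Adding a second `partition-access` entry for `Common` on either account would hit the same one-role-per-partition restriction the original poster saw in the GUI; a role change on an existing partition entry is done with `partition-access modify`, which replaces the role rather than adding one.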
2 Replies

  • ter9

    Thank you for the reply and taking the time to go through the documentation, that is very much appreciated. The idea with two user logins is also a good workaround!