iControl REST Fine-Grained Role Based Access Control
Introduction
F5's role based access control (RBAC) mechanism allows a BIG-IP administrator to assign appropriate access privileges to the users (see Manual Chapter: User Roles). For example, with ...
Updated Jun 06, 2023, Version 2.0
Author: Satoshi_Toyosa1

Comment from Stephan, Jul 10, 2018:
Hi Steve, it worked as usual under v12.1.3.4. No need to touch the iControl_REST_API_User. It worked as well under v13.1.0.3 in my environment after modifying the iControl_REST_API_User role.
After creating the new user via REST initially it looked as follows:
    {
      "generation": 5,
      "kind": "shared:authz:roles:rolesworkerstate",
      "lastUpdateMicros": 1531251954487702,
      "name": "iControl_REST_API_User",
      "resourceGroupReferences": [
        {
          "link": "https://localhost/mgmt/shared/authz/resource-groups/b7592f19-027c-3272-b83d-9178bb9d9f0e"
        }
      ],
      "selfLink": "https://localhost/mgmt/shared/authz/roles/iControl_REST_API_User",
      "userReferences": [
        {
          "link": "https://localhost/mgmt/shared/authz/users/admin"
        },
        {
          "link": "https://localhost/mgmt/shared/authz/users/f5hubblelcdadmin"
        },
        {
          "link": "https://localhost/mgmt/shared/authz/users/remoterestapi"
        }
      ]
    }
It was changed into the following (no need to worry about "kind", "generation" and "lastUpdateMicros" as they will be restored; make sure to create a proper JSON body; no trailing comma ...):
    {
      "name": "iControl_REST_API_User",
      "resourceGroupReferences": [
        {
          "link": "https://localhost/mgmt/shared/authz/resource-groups/b7592f19-027c-3272-b83d-9178bb9d9f0e"
        }
      ],
      "selfLink": "https://localhost/mgmt/shared/authz/roles/iControl_REST_API_User",
      "userReferences": [
        {
          "link": "https://localhost/mgmt/shared/authz/users/admin"
        },
        {
          "link": "https://localhost/mgmt/shared/authz/users/f5hubblelcdadmin"
        }
      ]
    }
It was imported in the way described above and the RBAC worked properly (limited privileges).
One more thing to note (which I cannot explain): after modifying the role, a lot of new entries like the following showed up in the context of the "userReferences" collection:
    {
      "link": "https://localhost/mgmt/cm/system/authn/providers/tmos/1f44a60e-11a7-3c51-a49f-82983026b41b/user-groups/2ef6ed6f-136c-3a41-9167-76a0b68fb64d"
    },
Cheers, Stephan
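The edit Stephan describes (fetch the iControl_REST_API_User role, drop the server-managed fields, remove one user's reference, write it back) as an added Python example; this is not code from the post or from F5. It assumes HTTP basic auth and a PUT to the role's selfLink, since the post does not show how the body was imported; the resource-group id and the role body are constructed placeholders shaped like the GET output above.

```python
import base64
import json
import urllib.request
from copy import deepcopy
# Fields the post says need not be sent back because BIG-IP restores them itself.
SERVER_MANAGED = ("kind", "generation", "lastUpdateMicros")

def user_link(username):
    """userReferences link for a local BIG-IP user, in the form shown in the post."""
    return f"https://localhost/mgmt/shared/authz/users/{username}"

def strip_user_from_role(role, username):
    """Return a new role body with the server-managed fields dropped and `username`
    removed from userReferences. Raises if the user was not referenced, so a typo
    does not silently leave the user in the broad role."""
    body = {k: v for k, v in deepcopy(role).items() if k not in SERVER_MANAGED}
    refs = body.get("userReferences", [])
    kept = [r for r in refs if r.get("link") != user_link(username)]
    if len(kept) == len(refs):
        raise ValueError(f"{username} is not referenced by role {role.get('name')}")
    body["userReferences"] = kept
    return body

def build_put_request(body, admin_user, admin_password):
    """Build (without sending) the PUT that writes the role back to its selfLink.
    Basic auth is an assumption; the post does not show how the body was imported."""
    creds = base64.b64encode(f"{admin_user}:{admin_password}".encode()).decode()
    return urllib.request.Request(
        body["selfLink"],
        data=json.dumps(body).encode(),
        headers={"Content-Type": "application/json", "Authorization": f"Basic {creds}"},
        method="PUT",
    )
# Constructed sample shaped like the GET output in the post (resource-group id is a placeholder).
CONSTRUCTED_ROLE = {
    "generation": 5,
    "kind": "shared:authz:roles:rolesworkerstate",
    "lastUpdateMicros": 1531251954487702,
    "name": "iControl_REST_API_User",
    "resourceGroupReferences": [
        {"link": "https://localhost/mgmt/shared/authz/resource-groups/RESOURCE-GROUP-ID-PLACEHOLDER"}
    ],
    "selfLink": "https://localhost/mgmt/shared/authz/roles/iControl_REST_API_User",
    "userReferences": [{"link": user_link(u)} for u in ("admin", "f5hubblelcdadmin", "remoterestapi")],
}

if __name__ == "__main__":
    trimmed = strip_user_from_role(CONSTRUCTED_ROLE, "remoterestapi")
    print(json.dumps(trimmed, indent=2))  # the body that would be written back with urlopen()
```

The selfLink returned by BIG-IP uses localhost, so replace the host with the management address before sending from off-box, and re-GET the role afterwards to confirm the user is gone.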