iControl REST Fine-Grained Role Based Access Control

Introduction F5's role based access control (RBAC) mechanism allows a BIG-IP administrator to assign appropriate access privileges to the users (see Manual Chapter: User Roles). For example, with ...
Updated Jun 06, 2023
Version 2.0
BIG-IP
devops
iControlREST
Super-NetOps
StephanManthey's avatar
StephanManthey
Icon for MVP rankMVP
Jul 10, 2018

Hi Steve, it worked as usual under v12.1.3.4. No need to touch the iControl_REST_API_User. It worked as well under v13.1.0.3 in my environment after modifying the iControl_REST_API_User role.

After creating the new user via REST initially it looked as follows: 

{
    "generation": 5,
    "kind": "shared:authz:roles:rolesworkerstate",
    "lastUpdateMicros": 1531251954487702,
    "name": "iControl_REST_API_User",
    "resourceGroupReferences": [
        {
            "link": "https://localhost/mgmt/shared/authz/resource-groups/b7592f19-027c-3272-b83d-9178bb9d9f0e"
        }
    ],
    "selfLink": "https://localhost/mgmt/shared/authz/roles/iControl_REST_API_User",
    "userReferences": [
        {
            "link": "https://localhost/mgmt/shared/authz/users/admin"
        },
        {
            "link": "https://localhost/mgmt/shared/authz/users/f5hubblelcdadmin"
        },
        {
            "link": "https://localhost/mgmt/shared/authz/users/remoterestapi"
        }
    ]
}

It was changed into the following (no need to worry about "kind", "generation" and "lastUpdateMicros" as they will be restored; make sure to create a proper JSON body; no trailing comma ...): 

{
    "name": "iControl_REST_API_User",
    "resourceGroupReferences": [
        {
            "link": "https://localhost/mgmt/shared/authz/resource-groups/b7592f19-027c-3272-b83d-9178bb9d9f0e"
        }
    ],
    "selfLink": "https://localhost/mgmt/shared/authz/roles/iControl_REST_API_User",
    "userReferences": [
        {
            "link": "https://localhost/mgmt/shared/authz/users/admin"
        },
        {
            "link": "https://localhost/mgmt/shared/authz/users/f5hubblelcdadmin"
        }
    ]
}

It was imported in the way described above and the RBAC worked properly (limited priviledges).

One more thing to note (which I cannot explain). After modifying the role, a lot of new entries like the following showed up in the context of the "userReferences" collection: 
{
    "link": "https://localhost/mgmt/cm/system/authn/providers/tmos/1f44a60e-11a7-3c51-a49f-82983026b41b/user-groups/2ef6ed6f-136c-3a41-9167-76a0b68fb64d"
},

Cheers, Stephan