Forum Discussion
Hi,
Not sure if this is a full/useful answer, but here is my two cents; Instead of letting them change the iRule, how about you put that variable in a DataGroup and let them change that instead? Purely from a risk perspective, that should reduce the chance of anyone breaking anything in the iRule by accident. You can then do a "class search" lookup to check the value of the variable.
Possibly better still, you can put the variable in an external data group which may be accessed by a more generic function. You can then possibly also give those users more restrictive access to the system, though it will likely still be too much access.
Unfortunately, if you want to have their access locked down to only specific objects in specific roles, you indeed would have to go to BigIQ.
AlexBCT,
Could the datagroup be placed in it's own Partition (/Dev-Access) and the iRule reference the datagroup there? eg /Dev-Access/maintenance_datagroup. My understanding is that iRules can access resources in other partition, so this should work.
The dev team could then just be given permissions to manage the /Dev-Access partition and the iRule attached to the live server could be safely left in /Common (or another partition).
Rob