Technical Forum
Ask questions. Discover Answers.
Showing results for 
Search instead for 
Did you mean: 

big-IQ custom role-type for web application firewall


Dear all,

We want to allow our users to review, modify and deploy their web application firewall policy on the big-IQ.
The default roles do not allow for this; because they also allow the users to create and delete policy's.

I think this can be done by creating a custom Role Type, combined with the `Resource Group deployer` and a resource group containing only the WAF policy's they have access too.

I have created this role type:


Which does nearly everything I need, except that i get the following error when deploying:


Deployment does work when I combine the `Web App Security Manager` role with the `resource group deployer`. But then the user is also allowed to create new waf policies.

Does anybody know which permissions I am missing from the role type?



Raise a ticket with F5. They are the only people who will have the knowlege on the limitations of combining permission sets.


To create a custom role-type for the Web Application Firewall (WAF) in BIG-IP's BIG-IQ Centralized Management platform, you can follow these general steps:

Log in to your BIG-IQ Centralized Management platform using administrative credentials.

Navigate to the "Access" section or the "Security" section, depending on the version of BIG-IQ you are using.

Locate the section related to roles or user management. In this section, you should find an option to create a new role or role-type.

Click on the option to create a new role or role-type.

Provide a name for the custom role-type that represents its purpose, such as "WAF Administrator" or "WAF Manager."

Define the permissions and access rights for the custom role-type. The specific permissions will depend on your requirements and the level of access you want to grant to WAF-related resources and features.

Ensure that the custom role-type has appropriate access to WAF-related functionalities, such as creating and managing WAF policies, managing security rules, configuring application profiles, and accessing WAF reporting and analytics.

Save the custom role-type configuration.

Once you have created the custom role-type, you can assign it to specific users or groups within your BIG-IQ environment. These users or groups will then have the defined permissions and access rights associated with the custom role-type, allowing them to manage the WAF functionality based on their assigned role.

It's important to note that the specific steps and options for creating custom role-types may vary depending on the version of BIG-IQ you are using. It's recommended to refer to the official documentation or user guide for your specific version of BIG-IQ for detailed instructions on creating custom role-types and configuring WAF-related permissions and access rights.

Community Manager
Community Manager

@Mollusk7796  - are you still having difficulties, or were you able to resolve it with either suggestion above or another way?


No not really.
It was a nice explanation of how to make a custom role, but nothing on what permissions are needed for my requirements.

ill make a support ticket.

Sorry the community couldn't help you in this case, @Mollusk7796. Did you get the answer you needed from F5 Support?