Forum Discussion

Troy_Poppe_9390
Mar 28, 2005

Can I create my own Roles?

I am in the process of designing a front-end application that will utilize the iControl SOAP interface to achieve its goal (creating some Rules on the fly).

I assume that I'll be creating a user specifically to be this application's interface to the BigIP unit. Ideally, I'd like this application to have a VERY limited set of API calls that it is allowed to make.

After having looked through the SDK documentation (BTW, this documentation is very nice!), I've not seen any indication that I can create a Role of my own, and grant it access to certain API calls.

Is there a way to do this?

Thanks.

Troy Poppe

3 Replies

  • Loc_Pham_101863
    Historic F5 Account
    Troy,

    You can create additional users of your choice; however, the roles are set, so you cannot create additional roles. Per our SDK documentation in Management::UserManagement, the roles are defined as:

      
              enum UserRole  
              {  
                  USER_ROLE_ADMINISTRATOR,  
                  USER_ROLE_TRAFFIC_MANAGER,  
                  USER_ROLE_GUEST  
              };  
      

    So you can create any new user with one of the above roles. An Administrator can do anything on the box. An Operator/Traffic Manager can query any objects, and additionally enable/disable virtual servers/addresses and up/down pool members and node addresses. A Guest can only have read access.

    Loc
  • Troy,

    First of all, thanks for the compliment on the documentation. What's pretty cool about our code base is that the entire SDK is auto-generated from a set of interface definition files that are the core for our server processing code. We've built our own set of tools that, at development and build time, will validate all aspects of the interfaces (naming conventions, documentation, etc) so that all of our interfaces "look and feel" the same. I can't imagine what it would take to manage a 1800+ method SDK documentation by hand!

    Now, back to your question. Unfortunately there is no way right now to build custom Roles with special privileges on specific objects. We've built in the following Roles (which I'm sure you are aware of from the Management::UserManagement interface).

    USER_ROLE_ADMINISTRATOR

    The Administrator has full control of all aspects of the iControl interfaces.

    USER_ROLE_TRAFFIC_MANAGER

    The Traffic Manager (or Operator) can do all get/query/find/is methods as well as enable/disable virtual addresses and virtual servers. He/she can also up/down nodes and pool members.

    USER_ROLE_GUEST

    The Guest role only has read-only access. So they can make calls to query or lookup information but cannot change or modify the configuration in any way.

    Historically, customers that have had custom role-based needs will build a "front-end" application that does its own set of authorization, allowing the users that it knows about to perform the actions that the application deems them worthy of.

    We also provide a product called iControl Service Manager which provides a lot of the management features but allows more detailed role-based configurations.

    Let us know what things you are working on! We are always on the lookout for a good case study or just references to help us in adding new features to our products in the future.

    Take care,

    -Joe
  • Looks like Locph beat me to it. I should have checked before replying. Well, I guess two answers is better than none!

    -Joe
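
The replies above point to a front-end application that does its own authorization, since the built-in roles cannot be narrowed to specific API calls. The following is an added example, not code from the thread or from F5, of a deny-by-default method gate with an audit trail placed in front of the single BIG-IP account. The role names, user names, `Interface.method` strings and `fake_backend` are assumptions for illustration.

```python
from dataclasses import dataclass

# Query-type prefixes named in the replies (get/query/find/is methods).
READ_PREFIXES = ("get_", "query_", "find_", "is_")

class Denied(PermissionError): pass  # raised for every refused call

@dataclass(frozen=True)
class AppRole:
    methods: frozenset = frozenset()  # exact "Interface.method" names allowed
    read_any: bool = False            # also allow any query-type method

def is_read(method):
    return method.rsplit(".", 1)[-1].startswith(READ_PREFIXES)

class Gate:
    """Deny-by-default check in front of the one account that talks to the BIG-IP."""
    def __init__(self, roles, users, backend):
        self.roles, self.users, self.backend = roles, users, backend
        self.audit = []  # (user, method, allowed) for every attempt

    def call(self, user, method, *args):
        role = self.roles.get(self.users.get(user))  # unknown user -> no role
        allowed = role is not None and (
            method in role.methods or (role.read_any and is_read(method)))
        self.audit.append((user, method, allowed))
        if not allowed:
            raise Denied(f"{user!r} may not call {method}")
        return self.backend(method, *args)

# Constructed policy: role, user and method names are assumptions.
ROLES = {
    "rule-writer": AppRole(frozenset({"LocalLB.Rule.create", "LocalLB.Rule.query_rule"})),
    "auditor": AppRole(read_any=True),
}
USERS = {"deploy-app": "rule-writer", "noc-dashboard": "auditor"}
ATTEMPTS = [("deploy-app", "LocalLB.Rule.create"), ("deploy-app", "LocalLB.Rule.delete_rule"),
            ("noc-dashboard", "LocalLB.Pool.get_list"), ("unknown", "LocalLB.Pool.get_list")]

def fake_backend(method, *args):
    return ("forwarded", method, args)  # stand-in for the SOAP client, runs offline

def demo():
    gate = Gate(ROLES, USERS, fake_backend)
    for user, method in ATTEMPTS:
        try:
            gate.call(user, method)
        except Denied:
            pass  # the denial is already recorded in gate.audit
    return gate.audit
```

Because the gate is the only control narrowing what the shared account can do, the BIG-IP credentials should be reachable only by the front-end process, and the audit list should be persisted somewhere the application users cannot modify.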