Does the F5 maybe have a way to allow all regular admin actions to be performed except exporting certificates ?

Question

Hi experts &nbsp;I have a question.&nbsp;If certificates (keys are exported in CLI or in the GUI, what options do we have to log these actions or prevent these actions ?Does the F5 maybe have a way to allow all regular admin actions to be performed except exporting certificates (keys) and give this right to a certain special account.&nbsp;Thank you !

alexbct · Answer

Hi Abdy, &nbsp;I don't think there's such a role on the BigIP's. As administrator you have full access to everything - there is no way to specifically exclude certain features. See here for the full overview of user roles; https://techdocs.f5.com/en-us/bigip-15-0-0/big-ip-systems-user-account-administration/user-roles.html&nbsp;There is a role that ONLY has access to the certificate management though; Certificate Manager, though I suspect that one on its own won't be of much use for your use case. &nbsp;Have you got any BigIQ's? (F5 centralized management platform) Its RBAC system is much more granular than the BigIP's and you can configure user and group access even on a per-object basis and may give you the granularity you are looking for. &nbsp;Hope this helps.

steve11 · Answer

Hello Alex,&nbsp;Very clear answer, thanks a lot for your feedback.&nbsp;Have a good day !

Forum Discussion

Does the F5 maybe have a way to allow all regular admin actions to be performed except exporting certificates ?

2 Replies

Recent Discussions

F5 loadbalancer not working

Overwriting or adding LTM SSL Traffic cert and key using iControlREST

Pricing when used with aws waf

F5 terminal - help to run commands - disk space full

import live updates from version x to version y

Related Content

Re: Management Certificate

Automate Let's Encrypt Certificates on BIG-IP

Insights of F5 Distributed Cloud WAAP Events Export, New Operators and Trends features

SSL certificate export greyed out !

Automating ACMEv2 Certificate Management on BIG-IP