cancel
Showing results for 
Search instead for 
Did you mean: 

Does the F5 maybe have a way to allow all regular admin actions to be performed except exporting certificates ?

Abdy
Nimbostratus
Nimbostratus

Hi experts

 

I have a question.

 

If certificates (keys are exported in CLI or in the GUI, what options do we have to log these actions or prevent these actions ?

Does the F5 maybe have a way to allow all regular admin actions to be performed except exporting certificates (keys) and give this right to a certain special account.

 

Thank you !

2 REPLIES 2

AlexBCT
MVP
MVP

Hi Abdy,

 

I don't think there's such a role on the BigIP's. As administrator you have full access to everything - there is no way to specifically exclude certain features. See here for the full overview of user roles; https://techdocs.f5.com/en-us/bigip-15-0-0/big-ip-systems-user-account-administration/user-roles.html

 

There is a role that ONLY has access to the certificate management though; Certificate Manager, though I suspect that one on its own won't be of much use for your use case.

 

Have you got any BigIQ's? (F5 centralized management platform) Its RBAC system is much more granular than the BigIP's and you can configure user and group access even on a per-object basis and may give you the granularity you are looking for.

 

Hope this helps.

Abdy
Nimbostratus
Nimbostratus

Hello Alex,

 

Very clear answer, thanks a lot for your feedback.

 

Have a good day !