Hi Claire,
I haven't tested this, but you might be able to do something like this using the admin GUI's role-based administration. You'd need to be running 9.4.0+:
BIG-IP® Network and System Management Guide: 4 - Configuring Administrative Partitions
https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/bigip9_4mgmt/BIG_IP_9_4_nsm_guide-05-1.html
And specifically this table mentions:
https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/bigip9_4mgmt/BIG_IP_9_4_nsm_guide-05-1.html#wp1034086
An iRule can reference any object, regardless of the partition in which the referenced object resides. For example, an iRule that resides in partition A can contain a pool statement that specifies a pool residing in partition B.
I think you could create a new admin partition, create your limited access user account(s), and then create the datagroup in the new partition. I think the iRule and VIP which reference the datagroup could be in any partition. The user accounts would only be able to modify the datagroup that exists in their partition.
Else, this is where the iControl API could come in handy. You could create a web (or standalone) app which makes iControl calls to the BIG-IP to modify specific datagroups. You could validate the user input and enforce your business logic within the app. For more information, you can check this iControl page: (Click here)
If you do arrive at a solution, can you reply so others will have more info on this?
Thanks,
Aaron