
Operator Role for user with only API permission

Alberto_Flores
Nimbostratus

Hello.

My question is: Is it possible to create a user, grant it the Operator role, but ONLY allow it to use API calls?

We would like to deny access to the web interface without blocking web resources through the API for the Operator role.

Thanks in advance.

1 ACCEPTED SOLUTION

gersbah
Cirrostratus

From what I read and from all my testing, the answer appears to be "no".

See https://devcentral.f5.com/s/articles/icontrol-rest-fine-grained-role-based-access-control-30773

"The role is important. When the access privileges conflict between the role and the fine grained RBAC, the stricter authorization is chosen. For example, if the RBAC is configured to allow PATCH or POST but the user's role is guest (no alteration allowed), the user won't be able to perform these methods."

To be honest, I'm very confused about this, because it seems to make the entire concept of fine-grained API access more or less pointless. If the API user can still be used to log in interactively with full access rights according to the user role, why would I even bother to define more granular API rights?

But maybe I'm just missing something. Happy to hear any counterpoints.
