permissions
3 Topics

iControl REST Permissions to enable/disable pool member
I've gone through numerous articles here and cannot find the answer. I'm basing my latest attempts on the iControl REST Fine-Grained Role Based Access Control article. I have created a custom role and added the test user (admyapp) to it:

    {
        "description": "Custom REST API Proxy role, added via iControl",
        "generation": 18,
        "kind": "shared:authz:roles:rolesworkerstate",
        "lastUpdateMicros": 1539617772546334,
        "name": "iControl_myapp_operator",
        "resources": [
            {
                "resourceMask": "/mgmt/tm/ltm/pool/~myapp~pool-temp-myapp-fxii/members/~Common~node-temp-myapp-My_node:80",
                "restMethod": "PATCH"
            },
            {
                "resourceMask": "/mgmt/tm/ltm/pool/~myapp~pool-temp-myapp-fxii/members/*",
                "restMethod": "PATCH"
            }
        ],
        "selfLink": "https://localhost/mgmt/shared/authz/roles/iControl_myapp_operator",
        "userReferences": [
            { "link": "https://localhost/mgmt/shared/authz/users/admyapp" }
        ]
    }

Note that I have also tried this with PUT as the "restMethod", with the same results. I want the user to be able to control the pool member enabled/disabled state in the /myapp partition.
When I run my (perl) code using the admin ID, it works:

    {
        'partition'       => 'Common',
        'fqdn'            => { 'autopopulate' => 'disabled' },
        'session'         => 'user-disabled',
        'inheritProfile'  => 'enabled',
        'ratio'           => 1,
        'logging'         => 'disabled',
        'connectionLimit' => 0,
        'dynamicRatio'    => 1,
        'rateLimit'       => 'disabled',
        'address'         => '192.168.110.55',
        'state'           => 'user-down',
        'ephemeral'       => 'false',
        'kind'            => 'tm:ltm:pool:members:membersstate',
        'generation'      => 9884,
        'priorityGroup'   => 0,
        'fullPath'        => '/Common/node-temp-myapp-My_node:80',
        'monitor'         => 'default',
        'name'            => 'node-temp-myapp-My_node:80',
        'selfLink'        => 'https://localhost/mgmt/tm/ltm/pool/~myapp~pool-temp-myapp-fxii/members/~Common~node-temp-myapp-My_node:80?ver=12.1.2'
    }

But when I run it (exact same code) under the admyapp ID it fails:

    {
        'code'       => 400,
        'apiError'   => 3,
        'message'    => '01070822:3: Access Denied: user (admyapp) does not have modify access to attribute (pool_member_description) of object (pool_member)',
        'errorStack' => []
    }

I'm running BIG-IP 12.1.2 and am using token authentication. In the GUI, this ID also has the Operator role for both the /Common and /myapp partitions. The nodes were created in the /Common partition but the pool is in the /myapp partition. Before anyone asks, here's the section of perl code I use to disable the pool member; since it works as an admin user, I'm sure the problem isn't there.

    # $LTMClient is the REST client already pointed at the BIG-IP and
    # $LTMToken the token obtained for the user being tested.
    my $URI  = "/mgmt/tm/ltm/pool/~myapp~pool-temp-myapp-fxii/members/~Common~node-temp-myapp-My_node:80";
    my $json = "{\"state\":\"user-down\", \"session\":\"user-disabled\"}";

    # Token auth: the token goes in the X-F5-Auth-Token header instead of Basic auth.
    $LTMClient->PUT( $URI, $json,
        { "X-F5-Auth-Token" => $LTMToken, "Content-Type" => "application/json" } );

    # decode_json comes from the JSON module
    my $disableDecoded = decode_json( $LTMClient->responseContent() );

I'm sure I'm missing something obvious here - help?

Exposing F5 dashboard publicly?
Is it possible to expose the F5 dashboard publicly (or at least with really minimal access to the F5 Configuration Utility)? I'd like to expose it to a machine displaying dashboards on a display wall, yet I wouldn't like to give it full access to the actual F5 Configuration Utility interface. My question is either:

How to expose the dashboard without requiring authentication / requiring different authentication than the F5 Configuration Utility, or:

Is there any lower permissions level for an account in F5 than Guest that allows dashboard access, or can this role's permissions even be reduced to access only the selected statistics required for dashboard operation?

Another related topic would be: is it possible to expose the dashboard on another VLAN than management? For example as a conventional Virtual Server in some other network with the destination pointing to the F5 management IP?

iControl and Enterprise Manager Permissions
I am using the latest version of the iControl assembly (11.2) and (11.4.1) and ran into a permission issue trying to connect to our local Enterprise Manager. Here is the code with the sensitive information removed:

    using System;
    using iControl;

    class Program
    {
        static void Main()
        {
            string enterpriseManager = "some server";
            int port = 443;
            string userName = "some user name";
            string password = "some password";

            Interfaces ic = new Interfaces();
            var test = ic.initialize(enterpriseManager, port, userName, password);

            // This is the call that fails with the Access Denied exception below
            string[] list = ic.ManagementEM.get_devices();
            foreach (string device in list)
            {
                Console.WriteLine(device);
            }
            Console.ReadKey();
        }
    }

The code gets to the line "ic.ManagementEM.get_devices()" and fails with the following message:

    SoapHeaderException: Exception caught in Management::urn:iControl:Management/EM::get_devices()
    Exception: Common::OperationFailed
        primary_error_code   : 17238050 (0x01070822)
        secondary_error_code : 0
        error_string         : 01070822:3: Access Denied: user (Svcdiscoverysrvcs) does not have access to action (change control administration)

Since we want to limit the permissions of the account that accesses Enterprise Manager, what is the lowest level of permissions that is needed in order to read the device data in Enterprise Manager using the iControl assembly? Any assistance would be greatly appreciated.