Restricting User Access per Route Domain
Hi All, I have done some reading and see you can restrict user access per partition but we have an established LTM with Route Domains all in the 1 partition and now have been asked if we can restrict certain users access to certain Route Domains. Has anyone had to do something similar to this before? Many Thanks Darren
Manager user cannot create Server
Hello, We have just deployed a BigIP DNS platform, which will be managed by different groups of people with different privileges. The 'Administrators' group of users should take control all the features, and they will be able to execute all commands and actions. The 'OperationsManager' group users will take charge of most usual actions, like create new services, WideIP's, Pools and so on. So I have created those 'Remote Role Groups', because we use a TACACS+ Server to authenticate users, and associate different roles (Administrator and Manager) to these groups. I have observed that 'Manager' users can create WideIPs, Pools, iRules, Monitors.... but they cannot create/delete/modify Servers, nor VirtualServers. Is it a bug? Do we need to assign this users to a different role? Which one? Thanks for your support.
Operator access via Enterprise Manager broken after switch from local roles to Radius remote-roles
Hi, We delegate access to serverteams, to enable/disable poolmembers via an Enterprise Manager. The user accounts on the Big-IP's and EM are authenticated via Radius, but the role-definitions were all done locally. Because we are nearing 200+ user accounts, it was time to switch to remote-roles. After the change it wasn't possible anymore to manage pools & poolmembers via the EM. Only when logged in as admin. The EM documentation also indicated that the EM relies on local accounts to check the user privileges. I don't like the idea that we are stuck managing 200+ local accounts on dozens of big-ip's because of an EM limitation. I hope someone knows a workaround to give at least "operator" privileges to all EM users? Note that we can't use technical accounts because of compliance issues (financial institution). With Kind regards, Joeri
Role based access of specific Unix like commands?
Hello Folks, Is there a way in BIG-IP where we can configure a user with specific command privileges rather than allowing all? For eg. the user should be able to execute "cat" command in order to view bigip configuration from CLI, that user should not have access to TMSH to modify anything in BIG-IP configuration. I know its the limitation of OS and not BIGIP, however I was wondering if there is any work around to achieve this. Cheers! Darshan