Mollusk7796
May 17, 2023

BIG-IQ custom role-type for web application firewall

Dear all,

We want to allow our users to review, modify and deploy their web application firewall policy on the BIG-IQ.
The default roles do not allow for this, because they also allow the users to create and delete policies.

I think this can be done by creating a custom Role Type, combined with the `Resource Group deployer` and a resource group containing only the WAF policies they have access to.

I have created this role type:

Which does nearly everything I need, except that I get the following error when deploying:

Deployment does work when I combine the `Web App Security Manager` role with the `resource group deployer`. But then the user is also allowed to create new WAF policies.


Does anybody know which permissions I am missing from the role type?

 

5 Replies

  • Raise a ticket with F5. They are the only people who will have the knowledge on the limitations of combining permission sets.


  • To create a custom role-type for the Web Application Firewall (WAF) in BIG-IP's BIG-IQ Centralized Management platform, you can follow these general steps:

    1. Log in to your BIG-IQ Centralized Management platform using administrative credentials.

    2. Navigate to the "Access" section or the "Security" section, depending on the version of BIG-IQ you are using.

    3. Locate the section related to roles or user management. In this section, you should find an option to create a new role or role-type.

    4. Click on the option to create a new role or role-type.

    5. Provide a name for the custom role-type that represents its purpose, such as "WAF Administrator" or "WAF Manager."

    6. Define the permissions and access rights for the custom role-type. The specific permissions will depend on your requirements and the level of access you want to grant to WAF-related resources and features.

    7. Ensure that the custom role-type has appropriate access to WAF-related functionalities, such as creating and managing WAF policies, managing security rules, configuring application profiles, and accessing WAF reporting and analytics.

    8. Save the custom role-type configuration.

    Once you have created the custom role-type, you can assign it to specific users or groups within your BIG-IQ environment. These users or groups will then have the defined permissions and access rights associated with the custom role-type, allowing them to manage the WAF functionality based on their assigned role.

    It's important to note that the specific steps and options for creating custom role-types may vary depending on the version of BIG-IQ you are using. It's recommended to refer to the official documentation or user guide for your specific version of BIG-IQ for detailed instructions on creating custom role-types and configuring WAF-related permissions and access rights.

  • No, not really.
    It was a nice explanation of how to make a custom role, but nothing on what permissions are needed for my requirements.

    I'll make a support ticket.