Manual Chapter: Provide User Access to Applications
Applies To: BIG-IQ Centralized Management 8.3.0, 8.2.0, 8.1.0, 8.0.0, 7.1.0, 7.0.0
Overview: Providing a user access to a SharePoint application hosted on BIG-IP
This use case scenario walks you through the tasks you need to perform to provide a user with access to a single application, SharePoint, that is hosted on your managed BIG-IP device.
The required tasks are:
- Role Type
  - Create a custom role type associated with one or more services. Then select the types of resources (object types) this role needs to do its job, and specify how you want to allow this role type to interact with those objects. For this example:
    - Select the Local Traffic (LTM) service.
    - Create a role type named SharePoint Management.
    - Select Virtual Server: Local Traffic and add it to the selected resources.
    - Provide permissions for this role type to read, add, edit, and delete those objects.
- Resource Group
  - Create a custom resource group that contains the specific resources you want to provide access to. For this example:
    - Create a resource group, SharePoint Server.
    - Select the SharePoint Management role type to narrow the service and object types displayed to only those this role type has permissions to.
    - Select the Local Traffic (LTM) service.
    - Select the Virtual Server: Local Traffic service.
    - Locate the virtual server that is hosting your SharePoint application, and add it to the selected resources.
- Role
  - Create a custom role associated with the custom role type, and assign the custom resource group to that role. For this example:
    - Create a custom role called SharePoint Manager.
    - Associate the SharePoint Management role type with it.
    - Associate the SharePoint Server resource group with it.
- User
  - Create a user and associate it with the role you created. For this example:
    - Create a user named Sam.
    - Associate the user with the SharePoint Manager role.
Create a custom role type with permissions to access LTM virtual servers
The first step to providing your user access to an application is to create a custom role type and define a set of permissions to specify how that role type interacts with objects that are associated with a service. In this example, we'll be providing access to BIG-IP virtual servers (because your applications are hosted on BIG-IP virtual servers) with permissions to read, add, edit, and delete all associated objects.
At this point, you're just defining the object type you want a custom role type to interact with. You'll select the specific BIG-IP virtual server hosting your SharePoint application when you create a resource group.
- At the top of the screen, click System.
- On the left, click.
- Near the top of the screen, click the Add button.
- Give this role type a name. Name: SharePoint Management. A description is optional.
- From the Services list, select Local Traffic (LTM).
- In the Object Type list, select the check box next to Virtual Servers: Local Traffic and click the Add Selected button. All of the objects associated with virtual servers appear in the Selected Objects Types list. When you select an object type, the screen displays related object types. As you know, interactions and relationships between objects in your network can be complex. Because of that, it's best to leave all of the objects selected. This ensures you don't unintentionally limit this role type's ability to manage the SharePoint application.
- Next to each object type, select the check box beneath the permissions you want to give to this role type. You must select at least one permission for each Selected Object Type. Your screen should now look like this:
- Click the Save & Close button.
The role type you created displays in the Role Type list. Now you can create a resource group that contains the specific virtual server hosting your SharePoint application.
Create a custom resource group
Create a resource group with all of the BIG-IP objects you want to provide access to, and assign a role type to it.
- At the top of the screen, click System.
- On the left, click.
- Near the top of the screen, click the Add button.
- In the Name field, type a name to identify this group of resources.
- From the Role Type list, select the role type you want to provide access to for this group of resources.
- From the Select Service list, select the service(s) you want to provide access to for this group of resources.
- From the Object Type list, select the type of object you want to add to this group of resources.
- For the Source setting:
  - Selected Instances - Select this option to put only the source objects you selected into this resource group. If you select this option, the associated role will not have access to any new objects of the same type added in the future unless you explicitly add them to this resource group.
  - Any Instances - Select this option if you want to add any objects of the same type created in the future to this resource group. If you select this option, any new object of the same type added in the future will be assigned to this resource group, and access to those new resources will automatically be given to the associated role type.
- Select the check box next to the name of each object you want to add to this group of resources, and click the Add Selected button. You might have to horizontally resize your screen so you can see all the objects you need to see.
- Click the Save & Close button.
Now you can associate this role type and resource group to a role.
Create a custom role for the SharePoint Manager
After you create a resource group that contains the virtual server hosting your SharePoint application, you can create a SharePoint Manager role and associate it with your custom SharePoint Management role type and SharePoint Server resource group.
In this example, we'll be creating a role for SharePoint Manager.
- On the left, click.
- Near the top of the screen, click the Add button.
- Give the new role a name, SharePoint Manager. A description is optional.
- On the left, click.
- Click CUSTOM ROLES.
- From the Role Type list, select SharePoint Management.
- For the Role Mode setting, select an option.
  - Relaxed Mode – If you select this option, users associated with this role can view and manage all objects you've given explicit permission to, and they can see (but won't be able to manage) related objects for associated services.
  - Strict Mode – If you select this option, users associated with this role can view and manage only the specific objects you've given explicit permission to.
  Refer to the screenshots that follow for an example of the differences.
- From the Resource Groups Available list, select the check box next to SharePoint Server and move it to the Selected list.
- To view the user access permissions associated with this role, click the View Permissions button towards the bottom of the screen. This is what you would see if you created the role in Strict Mode. You'd see something similar to the following if you created the role in Relaxed Mode. Your screen should now look similar to the following:
- Click Save & Close.
You can now associate users with this custom role.
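The Source setting on the resource group and the Role Mode setting on the role together decide how far this role reaches. The following Python model is an added illustration, not F5 code and not how BIG-IQ is implemented; it evaluates the example role under each combination. The object name vs_sharepoint is constructed, and Relaxed Mode is simplified to "any object in the role type's service is viewable but not manageable".

```python
from dataclasses import dataclass, field

@dataclass
class RoleType:
    name: str
    service: str
    permissions: dict            # object type -> set of allowed actions

@dataclass
class ResourceGroup:
    name: str
    object_type: str
    source: str                  # "selected" or "any" (the Source setting)
    instances: set = field(default_factory=set)

    def contains(self, obj_type, obj_name):
        if obj_type != self.object_type:
            return False
        # "any" matches every instance of the type, including future ones
        return self.source == "any" or obj_name in self.instances

@dataclass
class Role:
    name: str
    role_type: RoleType
    groups: list
    mode: str                    # "strict" or "relaxed" (the Role Mode setting)

    def can(self, action, obj_type, obj_name):
        allowed = self.role_type.permissions.get(obj_type, set())
        return action in allowed and any(
            g.contains(obj_type, obj_name) for g in self.groups)

    def can_view(self, service, obj_type, obj_name):
        if self.can("read", obj_type, obj_name):
            return True
        # Simplified Relaxed Mode: same-service objects are visible, never manageable
        return self.mode == "relaxed" and service == self.role_type.service

def sharepoint_manager(source, mode):
    """Build the page's example role; vs_sharepoint is a constructed name."""
    rt = RoleType("SharePoint Management", "Local Traffic (LTM)",
                  {"Virtual Server": {"read", "add", "edit", "delete"}})
    rg = ResourceGroup("SharePoint Server", "Virtual Server", source,
                       {"vs_sharepoint"})
    return Role("SharePoint Manager", rt, [rg], mode)
```

In this model, sharepoint_manager("any", "strict").can("delete", "Virtual Server", "vs_new") is True for a virtual server added after the role was built, while the "selected" variant returns False. For a single-application role like Sam's, Selected Instances with Strict Mode is the least-privilege combination.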