Manual Chapter : Role-Based Authorization Concepts in BIG-IQ

Applies To:

Show Versions Show Versions

BIG-IQ Centralized Management

  • 8.3.0, 8.2.0, 8.1.0, 8.0.0, 7.1.0
Manual Chapter

Role-Based Authorization Concepts in BIG-IQ

About role-based authorization

Role-based authorization is a powerful tool that provides you with different levels of permission for various roles in your environment. In the Centralized Management system, you can use both the provided built-in roles, and also create your own custom roles.

About built-in and custom roles

You can assign role-based user access one of two ways:
  • Built-in user roles - BIG-IQ ships with several built-in user roles that correlate to common job responsibilities. These roles are aligned with duties associated with applications and services. Use these built-in roles to quickly assign users with permissions to access the BIG-IP objects they need to do their job.
  • Custom roles - You can create a custom role to grant access to users in a way that fits your own business needs. When you create a role you can provide specific permissions to as many BIG-IP objects as needed, even across multiple services. Like built-in roles, you align them with duties associated with applications and services.

Built-in roles shipped with BIG-IQ

As a system manager, you'll need a way to limit a user's access to certain areas of F5 BIG-IQ Centralized Management and to its managed devices. The easiest way to do this is to base user access on the responsibilities, or role, that the user has in your company. To help you do that, BIG-IQ ships with a set of built-in roles (associated with a role type) with certain privileges that you can assign to specific users. Since responsibilities and duties for certain roles are specialized, users assigned to some roles have access to only specific parts of BIG-IQ. These restrictions are outlined in the role description.
Role
This role can:
Administrator
Perform all tasks for setting up and maintaining BIG-IQ and managing devices. This includes discovering devices, adding individual users, assigning roles, installing updates, activating licenses, and so forth.
Access Auditor
Only view Access configuration objects and managed Access devices. This role cannot edit, discover, or deploy devices or policies.
Access Deployer
Deploy Access configuration objects. This role cannot discover and edit devices or policies.
Access Editor
View and edit Access configuration objects, including the ability to add, update, and delete pools and pool members from the Access configuration object editor. This role cannot discover or deploy devices or policies.
Access Manager
Deploy and edit Access configuration objects, and view the Access Reporting and dashboard. This role cannot add or remove devices and device groups, and cannot discover, import, or delete services.
Access Policy Editor
Create, view, modify, and delete Access Policy, Profile and Agent objects. This role cannot discover or deploy devices or policies. This role can view Access configuration objects, but cannot edit them.
Access Viewer
Only view Access configuration objects and discovered Access devices. This role cannot edit, discover, or deploy devices or policies.
Access Troubleshooter
View Access Warning/Error Logs, OAuth Client Errors, SAML SP/IDP Errors, Network Access Errors and Reconnect Errors, Denied or Bad-IP Reputation Session, OAuth and Network Access Server Performance data.
Application Editor
View Local Traffic & Network objects, and create, view, and modify applications through Service Catalog templates.
Application Manager
Only view applications. BIG-IQ creates this role only when an application is created.
Application Template Viewer
Only view application templates and service scaling group objects.
Application Viewer
View, edit, and delete applications. BIG-IQ creates this role only when an application is created.
Device Manager
Perform all tasks for device management, including device discovery, licensing, software image management, and UCS backups.
Device Viewer
Only view aspects of device management including device discovery, licensing, software image management, and UCS backups.
DNS Deployer
View and deploy DNS configuration objects.
DNS Editor
Create, view, modify, and delete DNS configuration objects.
DNS Manager
Perform all tasks for managing DNS, including creating, viewing, modifying, and deleting DNS objects.
DNS Viewer
Only view aspects of device management associated with DNS.
Fraud Protection Deployer
View and deploy Fraud Protection Service objects.
Fraud Protection Editor
View and edit Fraud Protection Service objects.
Fraud Protection Manager
Perform all tasks for managing the Fraud Protection Service functionality.
Fraud Protection Viewer
Only view Fraud Protection Service objects.
License Manager
Perform all tasks related to BIG-IP licensing.
License Viewer
Only view objects associated to BIG-IP licensing.
Local Traffic & Network Deployer
View and deploy Local Traffic & Network configuration objects for managed Local Traffic & Network devices.
Local Traffic & Network Editor
Create, view, modify, and delete Local Traffic & Network configuration objects.
Local Traffic & Network Manager
Perform all tasks for managing Local Traffic & Network, including creating, viewing, modifying, and deleting Local Traffic & Network objects.
Local Traffic & Network Viewer
Only view Local Traffic & Network objects.
Network Security Deployer
View and deploy Network Security objects.
Network Security Editor
Create, view, modify, and delete Network Security objects.
Network Security Manager
Perform all tasks associated with Network Security, including areas involved in creating, viewing, modifying, and deleting shared and firewall-specific security objects.
Network Security Viewer
Only view Network Security firewall objects. This role cannot edit, discover, or deploy devices or policies.
Pool Member Operator
Enable, disable, or force offline pool members for all pools. To limit access to select pools, create a custom resource group and role based on the Pool Member Operator type.
Resource Group Deployer
Assign to a custom role as the resource group to allow a user to deploy changes
REST Proxy Manager
Perform all tasks associated with REST Proxy calls to managed BIG-IP devices.
REST Proxy Viewer
Only view REST Proxy calls to managed BIG-IP devices. You can also use the RoleType of this built-in Role to create custom read-only Roles to allow users to view specific REST Proxy calls.
Security Manager
Perform all tasks associated with Network Security, Web Application Security, and Fraud Protection Service, including areas involved in device discovery, creating, viewing, modifying, and deleting Web Application Security, shared and firewall-specific security objects.
Service Catalog Editor
View Local Traffic & Network objects and create, view, modify, and delete Service Catalog templates.
Service Catalog Viewer
Only view Local Traffic & Network objects and Service Catalog templates.
SSL Orchestrator Manager
Deploy and edit SSL Orchestrator configuration objects, and view the SSL Orchestrator Reporting and dashboard. This role cannot add or remove devices, and cannot discover, import, or delete SSL Orchestrator configuration objects.
Trust Discovery Import
Manage device trust establishment, service discovery, service import, removal of services and removal of trust.
Unknown Applications Manager
Manage application services created by Application Services 3 Extension (AS3) declaration API.
Unknown Applications Viewer
View application services created by Application Services 3 Extension (AS3) declaration API.
Virtual Server Operator
Enable or disable all virtual servers. To limit access to select virtual servers, create a custom resource and role based on the Virtual Server Operator role type.
Web App Security Deployer
View and deploy Web Application Security and shared security configuration objects for Web Application Security devices.
Web App Security Editor
Create, view, modify, and delete Web Application Security and shared security configuration objects.
Web App Security Manager
Create, view, modify, delete and deploy Web Application Security and shared security configuration objects.
Web App Security Viewer
Only view Web Application Security and shared security configuration objects.

Custom roles based on job responsibilities

BIG-IQ Centralized Management makes it easy for you to give users specific permissions for access only to those BIG-IP objects they need to do their job. Role-based access allows you to create a custom role with specific privileges to view or edit only those BIG-IP objects (resources) you explicitly assign to the role.
There are several built-in roles shipped with BIG-IQ, but there might be a reason you want to give a person permissions to interact only in a clearly defined way with specific resources. To do that, you need to add each of the following to BIG-IQ:
  1. Custom role type - Select one or more services and define a set of permissions (read, add, edit, delete) for interacting with the objects associated with selected services.
  2. Custom resource group - Select the specific type of resources you want to provide a user access to—for example, BIG-IP virtual servers.
  3. Custom role - Associate this custom role with the custom role type and resource group you created, to combine the permissions you specified in the custom role type with the resources you defined for the custom resource group.
  4. Custom user - Associate this user with the custom role you created to provide that person access and permissions to the resources you specified.