Manual Chapter :
Role-Based Authorization Concepts in BIG-IQ
Applies To:
Show Versions
BIG-IQ Centralized Management
- 8.3.0, 8.2.0, 8.1.0, 8.0.0, 7.1.0
Role-Based Authorization Concepts in BIG-IQ
About role-based authorization
Role-based authorization is a powerful tool that provides you with
different levels of permission for various roles in your environment. In the Centralized Management system, you can
use both the provided built-in roles, and also create your own custom roles.
About built-in and custom roles
You can assign role-based user access one of two ways:
- Built-in user roles - BIG-IQ ships with several built-in user roles that correlate to common job responsibilities. These roles are aligned with duties associated with applications and services. Use these built-in roles to quickly assign users with permissions to access the BIG-IP objects they need to do their job.
- Custom roles - You can create a custom role to grant access to users in a way that fits your own business needs. When you create a role you can provide specific permissions to as many BIG-IP objects as needed, even across multiple services. Like built-in roles, you align them with duties associated with applications and services.
Built-in roles shipped with BIG-IQ
As a system manager, you'll need a way to limit a user's access to certain areas of F5 BIG-IQ Centralized Management and to its managed devices. The easiest way to do this is to base user access on the responsibilities, or role, that the user has in your company. To help you do that, BIG-IQ ships with a set of built-in roles (associated with a role type) with certain privileges that you can assign to specific users. Since responsibilities and duties for certain roles are specialized, users assigned to some roles have access to only specific parts of BIG-IQ. These restrictions are outlined in the role description.
Role | This role can: |
|---|---|
Administrator | Perform all tasks for setting up and maintaining BIG-IQ and managing devices. This includes discovering devices, adding individual users, assigning roles, installing updates, activating licenses, and so forth. |
Access Auditor | Only view Access configuration objects and managed Access devices. This role cannot edit, discover, or deploy devices or policies. |
Access Deployer | Deploy Access configuration objects. This role cannot discover and edit devices or policies. |
Access Editor | View and edit Access configuration objects, including the ability to add, update, and delete pools and pool members from the Access configuration object editor. This role cannot discover or deploy devices or policies. |
Access Manager | Deploy and edit Access configuration objects, and view the Access Reporting and dashboard. This role cannot add or remove devices and device groups, and cannot discover, import, or delete services. |
Access Policy Editor | Create, view, modify, and delete Access Policy, Profile and Agent objects. This role cannot discover or deploy devices or policies. This role can view Access configuration objects, but cannot edit them. |
Access Viewer | Only view Access configuration objects and discovered Access devices. This role cannot edit, discover, or deploy devices or policies. |
Access Troubleshooter | View Access Warning/Error Logs, OAuth Client Errors, SAML SP/IDP Errors, Network Access Errors and Reconnect Errors, Denied or Bad-IP Reputation Session, OAuth and Network Access Server Performance data. |
Application Editor | View Local Traffic & Network objects, and create, view, and modify applications through Service Catalog templates. |
Application Manager | Only view applications. BIG-IQ creates this role only when an application is created. |
Application Template Viewer | Only view application templates and service scaling group objects. |
Application Viewer | View, edit, and delete applications. BIG-IQ creates this role only when an application is created. |
Device Manager | Perform all tasks for device management, including device discovery, licensing, software image management, and UCS backups. |
Device Viewer | Only view aspects of device management including device discovery, licensing, software image management, and UCS backups. |
DNS Deployer | View and deploy DNS configuration objects. |
DNS Editor | Create, view, modify, and delete DNS configuration objects. |
DNS Manager | Perform all tasks for managing DNS, including creating, viewing, modifying, and deleting DNS objects. |
DNS Viewer | Only view aspects of device management associated with DNS. |
Fraud Protection Deployer | View and deploy Fraud Protection Service objects. |
Fraud Protection Editor | View and edit Fraud Protection Service objects. |
Fraud Protection Manager | Perform all tasks for managing the Fraud Protection Service functionality. |
Fraud Protection Viewer | Only view Fraud Protection Service objects. |
License Manager | Perform all tasks related to BIG-IP licensing. |
License Viewer | Only view objects associated to BIG-IP licensing. |
Local Traffic & Network Deployer | View and deploy Local Traffic & Network configuration objects for managed Local Traffic & Network devices. |
Local Traffic & Network Editor | Create, view, modify, and delete Local Traffic & Network configuration objects. |
Local Traffic & Network Manager | Perform all tasks for managing Local Traffic & Network, including creating, viewing, modifying, and deleting Local Traffic & Network objects. |
Local Traffic & Network Viewer | Only view Local Traffic & Network objects. |
Network Security Deployer | View and deploy Network Security objects. |
Network Security Editor | Create, view, modify, and delete Network Security objects. |
Network Security Manager | Perform all tasks associated with Network Security, including areas involved in creating, viewing, modifying, and deleting shared and firewall-specific security objects. |
Network Security Viewer | Only view Network Security firewall objects. This role cannot edit, discover, or deploy devices or policies. |
Pool Member Operator | Enable, disable, or force offline pool members for all pools. To limit access to select pools, create a custom resource group and role based on the Pool Member Operator type. |
Resource Group Deployer | Assign to a custom role as the resource group to allow a user to deploy changes |
REST Proxy Manager | Perform all tasks associated with REST Proxy calls to managed BIG-IP devices. |
REST Proxy Viewer | Only view REST Proxy calls to managed BIG-IP devices. You can also use the RoleType of this built-in Role to create custom read-only Roles to allow users to view specific REST Proxy calls. |
Security Manager | Perform all tasks associated with Network Security, Web Application Security, and Fraud Protection Service, including areas involved in device discovery, creating, viewing, modifying, and deleting Web Application Security, shared and firewall-specific security objects. |
Service Catalog Editor | View Local Traffic & Network objects and create, view, modify, and delete Service Catalog templates. |
Service Catalog Viewer | Only view Local Traffic & Network objects and Service Catalog templates. |
SSL Orchestrator Manager | Deploy and edit SSL Orchestrator configuration objects, and view the SSL Orchestrator Reporting and dashboard. This role cannot add or remove devices, and cannot discover, import, or delete SSL Orchestrator configuration objects. |
Trust Discovery Import | Manage device trust establishment, service discovery, service import, removal of services and removal of trust. |
Unknown Applications Manager | Manage application services created by Application Services 3 Extension (AS3) declaration API. |
Unknown Applications Viewer | View application services created by Application Services 3 Extension (AS3) declaration API. |
Virtual Server Operator | Enable or disable all virtual servers. To limit access to select virtual servers, create a custom resource and role based on the Virtual Server Operator role type. |
Web App Security Deployer | View and deploy Web Application Security and shared security configuration objects for Web Application Security devices. |
Web App Security Editor | Create, view, modify, and delete Web Application Security and shared security configuration objects. |
Web App Security Manager | Create, view, modify, delete and deploy Web Application Security and shared security configuration objects. |
Web App Security Viewer | Only view Web Application Security and shared security configuration objects. |
Custom roles based on job responsibilities
BIG-IQ Centralized Management makes it easy for you to give users specific permissions for access only to those BIG-IP objects they need to do their job. Role-based access allows you to create a custom role with specific privileges to view or edit only those BIG-IP objects (resources) you explicitly assign to the role.
There are several built-in roles shipped with BIG-IQ, but there might be a reason you want to give a person permissions to interact only in a clearly defined way with specific resources. To do that, you need to add each of the following to BIG-IQ:
- Custom role type - Select one or more services and define a set of permissions (read, add, edit, delete) for interacting with the objects associated with selected services.
- Custom resource group - Select the specific type of resources you want to provide a user access to—for example, BIG-IP virtual servers.
- Custom role - Associate this custom role with the custom role type and resource group you created, to combine the permissions you specified in the custom role type with the resources you defined for the custom resource group.
- Custom user - Associate this user with the custom role you created to provide that person access and permissions to the resources you specified.
