Manual Chapter : Common Elements: User Management

Applies To:


BIG-IQ Centralized Management

  • 7.1.0

Common Elements: User Management

You must first license the BIG-IQ system and specify DNS settings before you can specify authentication settings.
When logged in as a user with a custom role, you cannot create an application that uses virtual servers that have been deployed to your managed devices. To create these legacy applications, you need to log in as admin.
One situation in which you need to assign the Application Manager role is when you delegate permissions to deploy applications to a tenant that already has applications deployed to it. If the template assigned to this Application Creator specifies a tenant that has an application already deployed to it, then before that user can deploy additional applications to the tenant, they must have the Application Manager role for one of those deployed applications.
Because some roles have access only to certain areas or screens in the BIG-IQ user interface, it's important to communicate these constraints to the user. When you assign a role to a user, be sure you outline the responsibilities and restrictions for their role. Clarifying this helps avoid any potential confusion. Also note that the following roles do not have access to the global search functionality: Network Security Manager, Network Security Edit, Network Security View, and Trust Discovery Import.
  1. If you do not want to display the local host provider on the initial login screen, select the Do not display Local Host provider option on the login screen if a 3rd-party provider is configured check box.
  2. On the left, click ROLE MANAGEMENT > Role Types.
  3. On the left, click ROLE MANAGEMENT > Resource Groups.
  4. On the left, click ROLE MANAGEMENT > Roles.
  5. On the left, click ROLE MANAGEMENT > Roles > BUILT-IN ROLES > Application Roles.
  6. On the left, click ROLE MANAGEMENT > Roles > BUILT-IN ROLES.
  7. On the left, click ROLE MANAGEMENT > Roles > CUSTOM ROLES > Application Roles.
  8. On the left, click ROLE MANAGEMENT > Roles > CUSTOM ROLES > Service Roles.
  9. In the Name field, type a name to identify this new role type.
    A description is optional.
  10. From the Services list, select each service you want to associate with this role type, then scroll through the Object Type list and select the check box next to each object type you want to provide access to.
    You might have to horizontally re-size your screen so you can see all the objects you need to see.
  11. After you've finished adding objects, for each object type, select the check box beneath the permissions you want to grant for this role type.
  12. On the left, click Resource Groups, and then click the Add button.
  13. Type a name and an optional description for this resource group.
  14. From the Select Service list, select the service you want to associate with this resource group.
  15. Select the check box next to each object type you want to add, then click the Add Selected button.
  16. On the left, under CUSTOM ROLES, click Application Roles.
  17. In the Name field, type a name to identify this new role.
  18. From the Role Type list, select the kind of role you want to add.
  19. For the Role Mode setting, select an option:
    • Relaxed Mode – Select this option if you want this role to view and manage all objects you've given explicit permission to, as well as see related objects for associated services.
    • Strict Mode – Select this option if you want this role to view and manage only the specific objects you've given explicit permission to.
  20. From the Resource Group list, select the resource groups you want to associate with this role.
  21. From the Active Users and Groups list, select the user or group you want to associate with this new role.
  22. Click the + sign if you want this role to have access to another user or group, and select the device group from the list.
  23. In the Name field, type a name to identify this group of resources.
  24. From the Role Type list, select the role type you want to provide access to for this group of resources.
  25. From the Select Service list, select the service(s) you want to provide access to for this group of resources.
  26. From the Object Type list, select the type of object you want to add to this group of resources.
  27. For the Source setting, select an option:
    • Selected Instances - Select this option to put only the source objects you selected into this resource group. If you select this option, the associated role will not have access to any new objects of the same type added in the future unless you explicitly add them to this resource group.
    • Any Instances - Select this option if you want to add any objects of the same type created in the future to this resource group. If you select this option, any new object of the same type added in the future will be assigned to this resource group, and access to those new resources will automatically be given to the associated role type.
  28. Select the check box next to the name of each object you want to add to this group of resources, and click the Add Selected button.
    You might have to horizontally re-size your screen so you can see all the objects you need to see.
  29. On the left, click USER MANAGEMENT > Users.
  30. Click the Add button.
  31. From the Auth Provider list, select the authentication method you want to use for this user.
    A user must belong to an LDAP group or have an assigned BIG-IQ role, or authentication will fail.
  32. From the Auth Provider list, select local (Local) to have BIG-IQ authenticate this user.
  33. In the User Name field, type the name for this user.
  34. In the Full Name field, type a name to identify the user in BIG-IQ.
    The full name can contain a combination of letters, symbols, numbers, and spaces.
  35. In the User Name field, type the name of the Active Directory user.
  36. In the Full Name field, type the name to identify the user in BIG-IQ.
    The full name can contain a combination of symbols, letters, numbers, and spaces.
  37. In the Password and Confirm Password fields, type the password for this new user.
    You can change the password at any time.
  38. To associate this user with an existing user group, select the group from the User Groups list.
    You aren't required to associate a user group at this point; you can do that later if you want. If you want to associate another user group with this user, click +.
  39. For the Roles setting, from the Available list, select each user role you want to associate with this user, and move it to the Selected list.
    Be sure to let your users know that their access to certain parts of the BIG-IQ user interface depends on which role they are assigned.
  40. From the User Roles list, select the user role to disassociate from this user and click the X.
    The selected user role is removed from the list of privileges assigned to this user.
  41. For the Roles setting, from the Available list, select the roles to which you want to grant access, and move them to the Selected list.
    You can find the custom roles that BIG-IQ created for the new application by looking for the application, tenant name, and application service names in the list of roles.
    • The application role names use the syntax: <application-name> Manager/Viewer.
    • The application service role names use the syntax: <tenant-name_application-service-name> Manager/Viewer.
    For example, if you created an application named MyAwesomeApp and defined an application service for it named MyAwesomeService that uses a tenant named MyTennant, BIG-IQ would create four new custom roles.
    Role Name | Access Permissions
    MyAwesomeApp Manager | Read-write permissions for the application and "all" of its application services.
    MyAwesomeApp Viewer | Read-only permissions for the application and "all" of its application services.
    MyTennant_MyAwesomeService Manager | Read-write permissions for the application and "all" of its application services.
    MyTennant_MyAwesomeApp Viewer | Read-only permissions for the application and "all" of its application services.
    Be sure to let your users know that their access to certain parts of the BIG-IQ user interface depends on which role they are assigned.
  42. At the left, click USER MANAGEMENT > User Groups.
    The User Groups screen opens.
  43. Click the Add button.
  44. In the Name field, type a name for this new user group.
  45. From the Auth Provider list, select the authentication method you want to use for this user group.
  46. From the Auth Provider list, select Local.
  47. From the Auth Provider list, select your LDAP server.
  48. There are two ways to specify the remote group to map to:
    • If you specified a bind user and a group search filter for authentication, type a term to filter on into the Remote Group Filter field (for example, *Engineers*). Alternatively, you can leave it blank, or use the wildcard * to return all groups. Then click the Search button to view the list.
      The default Group Search Filter query, (&(objectCategory=group)(cn={searchterm}*)), works well for most Active Directory controllers that use a standard schema. This query returns all the groups under the provided Root DN whose name matches the search term entered as the Remote Group Filter expression on the group search page. You can modify this query as needed to match your directory schema.
    • If you have not configured these options, in the Group Distinguished Name field, type the exact name of the group.
  49. From the Available Roles list, select the user roles that have the privileges you want to grant to this user group and move them to the Selected list.
  50. To filter on a specific group, type the group name in the Remote Group Filter field and click the Search button.
  51. To associate this user group with an existing remote group, select it from the Remote Group list.
  52. In the Group Distinguished Name field, type the group's distinguished name.
  53. From the Auth Provider list, select RADIUS.
  54. For the Connect Properties setting, type the key and value for the RADIUS server into the fields.
  55. From the Users list, select the user you want to associate with this user group.
    You aren't required to add users at this point; you can do that later. If you want to add another user, click +.
  56. From the User Roles list, select the user role you want to associate with this user.
    You aren't required to associate a user role at this point; you can do that later. If you want to add another user role, click +.
  57. On the Users inventory list, click the name of the user.
    The screen refreshes to display the properties for this user.
  58. In the Old Password field, type the current password.
  59. In the Password and Confirm Password fields, type a new password.
These users now have the privileges associated with the role(s) you selected.
Be sure to let them know how their access aligns with their responsibilities, and that they might not see every screen you or one of their peers does.
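The Source setting in step 27 decides whether a role's reach grows on its own as new objects of the same type are created. The Python model below is an added illustration, not part of the F5 documentation or of BIG-IQ itself: it assumes a simplified inventory of managed objects (constructed sample data with made-up ids and types) and computes which objects a role can reach before and after a new virtual server appears, so the difference between Selected Instances and Any Instances shows up as a concrete "gained access" list rather than a sentence.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Constructed sample inventory: managed objects before and after a new virtual
# server is created. The ids and type names are assumptions for this model.
INVENTORY_BEFORE: List[Dict[str, str]] = [
    {"id": "vs1", "type": "virtual-server"},
    {"id": "vs2", "type": "virtual-server"},
    {"id": "pool1", "type": "pool"},
]
INVENTORY_AFTER: List[Dict[str, str]] = INVENTORY_BEFORE + [
    {"id": "vs3", "type": "virtual-server"},
]


@dataclass
class ResourceGroup:
    """A resource group for one object type, with the Source setting from step 27."""
    name: str
    object_type: str
    source: str  # "selected" (Selected Instances) or "any" (Any Instances)
    selected: Set[str] = field(default_factory=set)  # ids explicitly added with Add Selected

    def members(self, inventory: List[Dict[str, str]]) -> Set[str]:
        if self.source not in ("selected", "any"):
            raise ValueError(f"unknown Source setting: {self.source}")
        same_type = {o["id"] for o in inventory if o["type"] == self.object_type}
        if self.source == "any":
            # Any Instances: every object of this type, including ones created later.
            return same_type
        # Selected Instances: only objects that were explicitly added; later ones are excluded.
        return same_type & self.selected


@dataclass
class Role:
    name: str
    resource_groups: List[ResourceGroup]


def effective_objects(role: Role, inventory: List[Dict[str, str]]) -> Set[str]:
    """Union of everything the role's resource groups currently resolve to."""
    reach: Set[str] = set()
    for group in role.resource_groups:
        reach |= group.members(inventory)
    return reach


def grant_drift(role: Role, before: List[Dict[str, str]],
                after: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Objects the role gained or lost access to purely because the inventory changed."""
    was, now = effective_objects(role, before), effective_objects(role, after)
    return {"gained": sorted(now - was), "lost": sorted(was - now)}


# Two roles over the same object type that differ only in the Source setting.
TENANT_OPS = Role("Tenant A Ops", [
    ResourceGroup("tenant-a-vs", "virtual-server", "selected", {"vs1"}),
])
AUDITORS = Role("Auditors", [
    ResourceGroup("all-vs", "virtual-server", "any"),
])

if __name__ == "__main__":
    for role in (TENANT_OPS, AUDITORS):
        print(role.name, "before:", sorted(effective_objects(role, INVENTORY_BEFORE)))
        print(role.name, "drift once vs3 exists:", grant_drift(role, INVENTORY_BEFORE, INVENTORY_AFTER))
```

Running the script shows the Selected Instances group staying at vs1 while the Any Instances group silently picks up vs3 (pool1 is never included, because a resource group covers one object type). When you review roles, the Any Instances groups are the ones to re-check periodically, because their grants widen without anyone editing the role.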
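Step 48's default Group Search Filter works by substituting the Remote Group Filter term into the cn clause, so the term you type decides how wide the group list is. The Python script below is an added example, not part of the F5 documentation or the BIG-IQ product: it builds the filter from a term exactly as the template does and evaluates it against a constructed set of directory entries, so you can see that a plain term is a prefix match, *Engineers* is a substring match, and a blank term or * returns every group. The escaping helper, the sample entries and the Root DN are assumptions; the page does not describe how BIG-IQ processes the term internally.

```python
import re
from typing import Dict, List, Tuple

# Default Group Search Filter quoted in step 48; {searchterm} is replaced by the
# Remote Group Filter term.
DEFAULT_GROUP_SEARCH_FILTER = "(&(objectCategory=group)(cn={searchterm}*))"

# Constructed sample directory entries under an assumed Root DN (dc=example,dc=com).
SAMPLE_DIRECTORY: List[Dict[str, str]] = [
    {"dn": "cn=Engineers,ou=Groups,dc=example,dc=com", "objectCategory": "group", "cn": "Engineers"},
    {"dn": "cn=Network Engineers,ou=Groups,dc=example,dc=com", "objectCategory": "group", "cn": "Network Engineers"},
    {"dn": "cn=Engineering Managers,ou=Groups,dc=example,dc=com", "objectCategory": "group", "cn": "Engineering Managers"},
    {"dn": "cn=Sales,ou=Groups,dc=example,dc=com", "objectCategory": "group", "cn": "Sales"},
    {"dn": "cn=Engineers Bot,ou=Users,dc=example,dc=com", "objectCategory": "person", "cn": "Engineers Bot"},
]


def escape_filter_term(term: str) -> str:
    """RFC 4515 escaping for the characters that change a filter's structure.
    '*' is deliberately left alone so the wildcard from step 48 keeps working.
    Assumption: this is what you do when building the filter yourself; the page
    does not say how BIG-IQ escapes the term."""
    return "".join("\\%02x" % ord(ch) if ch in "()\\\x00" else ch for ch in term)


def build_group_filter(term: str, template: str = DEFAULT_GROUP_SEARCH_FILTER) -> str:
    return template.replace("{searchterm}", escape_filter_term(term))


# Minimal evaluator for the filter subset the template uses: &, |, ! and
# attribute=value with '*' wildcards.
def _parse(s: str, i: int) -> Tuple[tuple, int]:
    if s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if s[i] in "&|":
        op, i, kids = s[i], i + 1, []
        while s[i] == "(":
            node, i = _parse(s, i)
            kids.append(node)
        if s[i] != ")":
            raise ValueError(f"expected ')' at offset {i}")
        return (op, kids), i + 1
    if s[i] == "!":
        node, i = _parse(s, i + 1)
        if s[i] != ")":
            raise ValueError(f"expected ')' at offset {i}")
        return ("!", node), i + 1
    eq = s.index("=", i)
    close = s.index(")", eq)
    return ("=", s[i:eq], s[eq + 1:close]), close + 1


def _unescape(piece: str) -> str:
    # Turn RFC 4515 hex escapes (\28, \29, \5c, ...) back into literal characters.
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), piece)


def _value_matches(pattern: str, actual: str) -> bool:
    # Split on the wildcard first so an escaped '*' stays literal, then join with '.*'.
    regex = ".*".join(re.escape(_unescape(p)) for p in pattern.split("*"))
    return re.fullmatch(regex, actual, re.IGNORECASE) is not None  # AD cn is case-insensitive


def _matches(node: tuple, entry: Dict[str, str]) -> bool:
    kind = node[0]
    if kind == "&":
        return all(_matches(k, entry) for k in node[1])
    if kind == "|":
        return any(_matches(k, entry) for k in node[1])
    if kind == "!":
        return not _matches(node[1], entry)
    _, attr, value = node
    actual = entry.get(attr)
    return actual is not None and _value_matches(value, actual)


def search_groups(term: str, directory: List[Dict[str, str]] = SAMPLE_DIRECTORY,
                  template: str = DEFAULT_GROUP_SEARCH_FILTER) -> List[str]:
    """DNs the group search would return for a given Remote Group Filter term."""
    flt = build_group_filter(term, template)
    tree, end = _parse(flt, 0)
    if end != len(flt):
        raise ValueError(f"trailing text in filter: {flt[end:]}")
    return [e["dn"] for e in directory if _matches(tree, e)]


if __name__ == "__main__":
    for term in ("Eng", "*Engineers*", "", "*"):
        print(repr(term), "->", build_group_filter(term), search_groups(term))
```

Running this against a list of your own group names before you map a user group is a cheap way to confirm a term is no wider than intended: "Eng" returns only groups whose name starts with Eng, while "*Engineers*" also returns Network Engineers. Because the template splices the term in verbatim, the helper escapes parentheses and backslashes so a term containing them narrows the search instead of altering the filter's shape.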