Manual Chapter: Configuring Role Based Access for L7 Security Objects
Applies To: BIG-IQ Centralized Management
- 8.3.0, 8.2.0, 8.1.0, 8.0.0
Limiting access to application security objects
If your system is managed by several different users, you can create access privileges that allow these users to view only the objects, profiles, logs, and policies under their management. By customizing security role settings, users can sign in to the BIG-IQ system and see a filtered view of the objects under their management. In addition, you can customize settings to allow or block a user's ability to edit object security configuration within BIG-IQ.
When configuring user roles, establish which objects (virtual servers) and/or configurations (security policies and profiles) are under the user's management. Once the user logs in, they see only a filtered view of the objects, configuration settings, and logged events relevant to their role's viewing and editing permissions.
For general information about user access privileges within BIG-IQ, see Managing Authentication, Roles, and Users from BIG-IQ.
Create an L7 Security resource group
To customize user access to L7 objects, you must specify the objects and security configuration privileges assigned to the user.
- At the top of the screen, click System.
- On the left, click.
- Click the Add button.
- In the Name field, type a name to identify this group of resources.
- (Optional) From the Role Type (Optional) list, select one of the following built-in system roles:
- Security Manager - provides the user with viewing and editing access to objects found in the Shared Security Module. This includes DoS Protection and Bot Defense.
- Web App Security Viewer - provides the user with viewing access to Web Application Security objects and policies.
- Web App Security Manager - provides the user with viewing and editing access to Web Application Security objects and policies.
- From the Select Service list, select one of the following services:
- Shared Security - this option lets you select objects associated with the Shared Security Module.
- Web Application Security (ASM) - this option lets you select objects associated with Web Application Security.
- From the Object Type list, select the type of object you want to add to this group of resources.
- For the Source setting:
- Selected Instances - Select this option to put only the source objects you selected into this resource group. If you select this option, the associated role will not have access to any new objects of the same type added in the future unless you explicitly add them to this resource group.
- Any Instances - Select this option if you want any objects of the same type created in the future to be added to this resource group. If you select this option, any new object of the same type added in the future is assigned to this resource group, and access to those new resources is automatically given to the associated role type.
- Select the check box next to the name of each object you want to add to this group of resources, and click the Add Selected button. The panel to the right of the object list displays the items related to your selection. You can de-select these items if you do not wish to allow users access to these associated resources.
- (Optional) If you would like to add additional resources to this group, repeat steps 5-9 as necessary. Adding additional resources is necessary if the user needs access to multiple services and object types.
- Click the Save & Close button.
The configured resource group is available and can be associated with a custom user role.
Next, create a custom user role for the L7 security user.
Create a custom L7 security user role
You must first create an L7 security resource group to specify which resources are associated with the custom L7 security user role.
Create a user role with specific privileges to L7 security objects and configuration settings.
- At the top of the screen, click System.
- On the left, click.
- Click the Add button.
- In the Name field, type a name to identify this new role.
- From the Role Type list, select one of the following built-in system roles:
- Security Manager - provides the user with viewing and editing access to objects found in the Shared Security Module. This includes DoS Protection and Bot Defense.
- Web App Security Viewer - provides the user with viewing access to Web Application Security objects and policies.
- Web App Security Manager - provides the user with viewing and editing access to Web Application Security objects and policies.
- For the Role Mode setting, select an option:
- Relaxed Mode - Select this option if you want this role to view and manage all objects you've given explicit permission to, as well as see related objects for associated services.
- Strict Mode - Select this option if you want this role to view and manage only the specific objects you've given explicit permission to.
- Add the Resource Group(s) that specify the objects you would like to associate with the user's L7 security access privileges. You do this by selecting items in the Available list and moving them to the Selected list.
- To view the type of user access granted for the resource groups associated with this role, click the View Permissions button.
- Click the Save & Close button.
The custom role is now configured with access privileges to a specified group of L7 security objects.
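As an added illustration (not BIG-IQ's own code), the Python model below shows how a resource group's Source setting (Selected Instances vs. Any Instances) and a role's Role Mode (Strict vs. Relaxed) combine to decide which objects a user can see. The object names, types, and group contents are constructed for the example.

```python
"""Illustrative model (not BIG-IQ code) of the resource-group Source setting
and the role's Role Mode. All names below are constructed sample data."""
from dataclasses import dataclass, field


@dataclass
class L7Object:
    name: str
    obj_type: str                              # e.g. "virtual-server", "asm-policy"
    related: set = field(default_factory=set)  # names of associated objects


@dataclass
class ResourceGroup:
    name: str
    obj_type: str
    source: str                                # "selected" or "any"
    selected: set = field(default_factory=set)

    def covers(self, obj: L7Object) -> bool:
        if obj.obj_type != self.obj_type:
            return False
        # Any Instances: every object of this type, including ones added later.
        # Selected Instances: only the objects explicitly added to the group.
        return self.source == "any" or obj.name in self.selected


def visible_objects(groups, role_mode, inventory):
    """Return the object names the role may see.
    Strict Mode: only explicitly granted objects.
    Relaxed Mode: granted objects plus their related objects."""
    explicit = {o.name for o in inventory if any(g.covers(o) for g in groups)}
    if role_mode == "strict":
        return explicit
    by_name = {o.name: o for o in inventory}
    related = set()
    for name in explicit:
        related |= by_name[name].related
    return explicit | {r for r in related if r in by_name}


# Constructed inventory: a policy, a virtual server tied to it, and a virtual
# server created after the resource group was saved.
POLICY = L7Object("asm_policy_app1", "asm-policy")
VS1 = L7Object("vs_app1", "virtual-server", related={"asm_policy_app1"})
VS2 = L7Object("vs_app2_added_later", "virtual-server")
INVENTORY = [POLICY, VS1, VS2]

SELECTED_GROUP = ResourceGroup("app1-vs", "virtual-server", "selected", {"vs_app1"})
ANY_GROUP = ResourceGroup("all-vs", "virtual-server", "any")

if __name__ == "__main__":
    for grp in (SELECTED_GROUP, ANY_GROUP):
        for mode in ("strict", "relaxed"):
            print(grp.name, mode, sorted(visible_objects([grp], mode, INVENTORY)))
```

Running it shows that only the Any Instances group picks up the later-added virtual server, and only Relaxed Mode reveals the related ASM policy.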
Configure new user credentials
You must first create the custom L7 Security user role(s) that you will associate with the user's access credentials.
Create user credentials that allow a system user to access the system with the visibility and user privileges associated with a customized user role.
- At the top of the screen, click System.
- On the left, click.
- Click the Add button.
- If you have configured a non-local server to authenticate BIG-IQ users, select the appropriate option from Auth Provider. For more information about configuring server types, see Managing Authentication, Roles, and Users from BIG-IQ on support.f5.com.
- In the User Name field, type the name for this user.
- In the Full Name field, type a name to identify the individual with this type of user access. The full name can contain a combination of letters, symbols, numbers, and spaces.
- In the Password and Confirm Password fields, type the password for this new user. You can change the password at any time.
- For the Roles setting, from the Available list, select each user role you want to associate with this user, and move it to the Selected list. Be sure to let your users know that their access to certain parts of the BIG-IQ user interface depends on which role they are assigned.
The new system user is now created. When the user signs in to BIG-IQ with the provided credentials, they see only the objects, dashboards, and filters relevant to their associated resources.