Manual Chapter : Configuring Role Based Access for L7 Security Objects

Applies To:

Show Versions Show Versions

BIG-IQ Centralized Management

  • 8.0.0
Manual Chapter

Configuring Role Based Access for L7 Security Objects

Limiting access to application security objects

If your system is managed by several different users, you can create access privileges that allow these users to only view objects, profiles, logs and policies under their management. By customizing security role settings, users can sign into the BIG-IQ system and have a filtered view of objects under their management. In addition you can customize settings to allow or block the user's ability to edit object security configuration within BIG-IQ.
When configuring user roles, establish which objects (virtual servers) and/or configurations (security policies and profiles) are under the user's management. Once the user logs in, they will only have a filtered view of the objects, configuration settings, and logged events relevant to their role's viewing and editing permissions.
For general information about user access privileges within BIG-IQ, see
Managing Authentication, Roles, and Users from BIG-IQ.

Create a L7 Security resource group

To customize user access to L7 objects, you must specify the objects and security configuration privileges assigned to the user.
  1. At the top of the screen, click
    System
    .
  2. On the left, click
    ROLE MANAGEMENT
    Resource Groups
    .
  3. Click the
    Add
    button.
  4. In the
    Name
    field, type a name to identify this group of resources.
  5. (Optional) From the
    Role Type (Optional)
    list, select one of the following built-in system roles:
    • Security Manager - provides the user with viewing and editing access to objects found in the Shared Security Module. This includes DoS Protection and Bot Defense.
    • Web App Security Viewer - provides the user with viewing access to Web Application Security objects and policies.
    • Web App Security Manager - provides the user with viewing and editing access to Web Application Security objects and policies.
  6. From the
    Select Service
    list, select one of the following services:
    • Shared Security - this option will allow you to select objects associated with the Shared Security Module.
    • Web Application Security (ASM) - this option will allow you to select objects associated with Web Application Security.
  7. From the
    Object Type
    list, select the type of object you want to add to this group of resources.
  8. For the
    Source
    setting:
    • Selected Instances
      - Select this option to put only the source objects you selected into this resource group. If you select this option, the associated role will not have access to any new objects of the same type added in the future unless you explicitly add it to this resource group.
    • Any Instances
      - Select this option if you want to add any objects of the same type created in the future to this resources group. If you select this option, any new object of the same type added in the future will be assigned to this resource group, and access to those new resources will automatically be given to the associated role type.
  9. Select the check box next to the name of each object you want to add to this group of resources, and click the
    Add Selected
    button.
    The panel to the right of the select object list displays the items related to your selection. You can de-select these items if you do not wish to allow users access to these associated resources.
  10. (Optional) If you would like to add additional resources to this group, repeat steps 5-9, as necessary.
    Adding additional resources is necessary if the user needs access to multiple services and object types.
  11. Click the
    Save & Close
    button.
The configured resource group is available and can be associate to a custom user role.
Create a custom user role for the L7 security user.

Create a custom L7 security user role

You must create a L7 security resource group to specify which resources are associate with the custom L7 security user role.
Create a user role with specific privileges to L7 security objects and configuration settings.
  1. At the top of the screen, click
    System
    .
  2. On the left, click
    ROLE MANAGEMENT
    Roles
    CUSTOM ROLES
    Service Roles
    .
  3. Click the
    Add
    button.
  4. In the
    Name
    field, type a name to identify this new role.
  5. From the
    Role Type
    list, select one of the following built-in system roles:
    • Security Manager - provides the user with viewing and editing access to objects found in the Shared Security Module. This includes DoS Protection and Bot Defense.
    • Web App Security Viewer - provides the user with viewing access to Web Application Security objects and policies.
    • Web App Security Manager - provides the user with viewing and editing access to Web Application Security objects and policies.
  6. For the
    Role Mode
    setting, select an option:
    • Relaxed Mode
      – Select this option if you want this role to view and manage all objects you've given explicit permission to, as well as see related objects for associated services.
    • Strict Mode
      – Select this option if you want this role view and manage only the specific objects you’ve given explicit permission to.
  7. Add the Resource Group(s) that specify the objects you would like to associate with the user's L7 security access privileges.
    You do this by select items in the
    Available
    list and moving them to the
    Selected
    list.
  8. To view the type of user access granted for the resource groups associated with this role, click the
    View Permissions
    button.
  9. Click the
    Save & Close
    button.
The custom role is now is configured with access privileges to a specified group of L7 security objects.

Configure new user credentials

Create a custom L7 Security user role(s) that you can associate with user access credentials.
Create user credentials that allow a system user to access the system with visibility and user privileges associate with a customized user role.
  1. At the top of the screen, click
    System
    .
  2. On the left, click
    USER MANAGEMENT
    Users
    .
  3. Click the
    Add
    button.
  4. If you have configured a non-local server to authenticate BIG-IQ users, select that appropriate option from
    Auth Provider
    .
    For more information about configuring server types, see
    Managing Authentication, Roles, and Users from BIG-IQ on
    support.f5.com
    .
  5. In the
    User Name
    field, type the name for this user.
  6. In the
    Full Name
    field, type a name to identify the individual with this type of user access.
    The full name can contain a combination of letters, symbols, numbers and spaces.
  7. In the
    Password
    and
    Confirm Password
    fields, type the password for this new user.
    You can change the password any time.
  8. For the
    Roles
    setting, from the
    Available
    list, select each user role you want to associate with this user, and move it to the
    Selected
    list.
    Be sure to let your users know that their access to certain parts of the BIG-IQ user interface depends on which role they are assigned.
The new system user is now created. When the user signs into BIG-IQ with the provided credentials they will only view the objects, dashboards, and filters relevant to their associated resources.