Manual Chapter: Role-Based User Access

Applies To: BIG-IQ Centralized Management
  • 8.3.0, 8.2.0, 8.1.0

Limit a user's access to BIG-IP devices based on their role

BIG-IQ gives you the tools you need to customize user access to managed devices by letting you assign role-based access based on job responsibilities. When you associate a role with a user (or a group of users), they have access only to the areas within BIG-IQ that you explicitly grant.

Assigning more than one role to a user

The responsibilities and roles each of your users has probably depend on the number of people who have access to BIG-IQ.
For example, if you have only two people managing your devices from BIG-IQ, they both most likely need to have full access to all aspects of BIG-IQ at one time or another. For these users, you'd assign them both the Administrator role.

Assigning more granular/specialized privileges to a user

On the other hand, if you're working for a larger company that has specialized roles to manage different services, or different parts of services, you can provide more granular access.
For example, if you have two people who manage BIG-IP devices used only for network security purposes, you could assign them both the role of Network Security Manager. Or, if you have two people managing devices used for network security, but you want only one of them to write and edit policies, and the other to (only) deploy the policies, you could assign the first person the Network Security Editor role, and the other person the Network Security Deployer role. In this case, the person with the Network Security Editor role can only create, view, and edit policies, but not deploy them. The person assigned to the Network Security Deployer can view and deploy policies, but cannot create or edit them.

About built-in and custom roles

You can assign role-based user access one of two ways:
  • Built-in user roles - BIG-IQ ships with several built-in user roles that correlate to common job responsibilities. These roles are aligned with duties associated with applications and services. Use these built-in roles to quickly assign users with permissions to access the BIG-IP objects they need to do their job.
  • Custom roles - You can create a custom role to grant access to users in a way that fits your own business needs. When you create a role you can provide specific permissions to as many BIG-IP objects as needed, even across multiple services. Like built-in roles, you align them with duties associated with applications and services.

Built-in roles shipped with BIG-IQ

As a system manager, you'll need a way to limit a user's access to certain areas of F5 BIG-IQ Centralized Management and to its managed devices. The easiest way to do this is to base user access on the responsibilities, or role, that the user has in your company. To help you do that, BIG-IQ ships with a set of built-in roles (associated with a role type) with certain privileges that you can assign to specific users. Since responsibilities and duties for certain roles are specialized, users assigned to some roles have access to only specific parts of BIG-IQ. These restrictions are outlined in the role description.
Role: what this role can do
Administrator: Perform all tasks for setting up and maintaining BIG-IQ and managing devices. This includes discovering devices, adding individual users, assigning roles, installing updates, activating licenses, and so forth.
Access Auditor: Only view Access configuration objects and managed Access devices. This role cannot edit, discover, or deploy devices or policies.
Access Deployer: Deploy Access configuration objects. This role cannot discover and edit devices or policies.
Access Editor: View and edit Access configuration objects, including the ability to add, update, and delete pools and pool members from the Access configuration object editor. This role cannot discover or deploy devices or policies.
Access Manager: Deploy and edit Access configuration objects, and view the Access Reporting and dashboard. This role cannot add or remove devices and device groups, and cannot discover, import, or delete services.
Access Viewer: Only view Access configuration objects and discovered Access devices. This role cannot edit, discover, or deploy devices or policies.
Application Editor: View Local Traffic & Network objects, and create, view, and modify applications through Service Catalog templates.
Application Manager: View, edit, and delete applications. BIG-IQ creates this role only when an application is created.
Application Template Viewer: Only view application templates and service scaling group objects.
Application Viewer: Only view applications. BIG-IQ creates this role only when an application is created.
Device Manager: Perform all tasks for device management, including device discovery, licensing, software image management, and UCS backups.
Device Viewer: Only view aspects of device management including device discovery, licensing, software image management, and UCS backups.
F5 Device Trust User: User has access to manage all APIs related to managed BIG-IP systems and DCDs.
DNS Deployer: View and deploy DNS configuration objects.
DNS Editor: Create, view, modify, and delete DNS configuration objects.
DNS Manager: Perform all tasks for managing DNS, including creating, viewing, modifying, and deleting DNS objects.
DNS Viewer: Only view aspects of device management associated with DNS.
Fraud Protection Deployer: View and deploy Fraud Protection Service objects.
Fraud Protection Editor: View and edit Fraud Protection Service objects.
Fraud Protection Manager: Perform all tasks for managing the Fraud Protection Service functionality.
Fraud Protection Viewer: Only view Fraud Protection Service objects.
License Manager: Perform all tasks related to BIG-IP licensing.
Local Traffic & Network Deployer: View and deploy Local Traffic & Network configuration objects for managed Local Traffic & Network devices.
Local Traffic & Network Editor: Create, view, modify, and delete Local Traffic & Network configuration objects.
Local Traffic & Network Manager: Perform all tasks for managing Local Traffic & Network, including creating, viewing, modifying, and deleting Local Traffic & Network objects.
Local Traffic & Network Viewer: Only view Local Traffic & Network objects.
Network Security Deployer: View and deploy Network Security objects.
Network Security Editor: Create, view, modify, and delete Network Security objects.
Network Security Manager: Perform all tasks associated with Network Security, including areas involved in creating, viewing, modifying, and deleting shared and firewall-specific security objects.
Network Security Viewer: Only view Network Security firewall objects. This role cannot edit, discover, or deploy devices or policies.
Pool Member Operator: Enable, disable, or force offline pool members for all pools. To limit access to select pools, create a custom resource group and role based on the Pool Member Operator type.
REST Proxy Manager: Perform all tasks associated with REST Proxy calls to managed BIG-IP devices.
REST Proxy Viewer: Only view REST Proxy calls to managed BIG-IP devices. You can also use the RoleType of this built-in Role to create custom read-only Roles to allow users to view specific REST Proxy calls.
Security Manager: Perform all tasks associated with Network Security, Web Application Security, DoS Protection, Bot Defense, and Fraud Protection Service, including areas involved in device discovery, creating, viewing, modifying, and deleting Web Application Security, shared and firewall-specific security objects.
Service Catalog Editor: View Local Traffic & Network objects and create, view, modify, and delete Service Catalog templates.
Service Catalog Viewer: Only view Local Traffic & Network objects and Service Catalog templates.
Trust Discovery Import: Manage device trust establishment, service discovery, service import, removal of services and removal of trust.
Virtual Server Operator: Enable or disable all virtual servers. To limit access to select virtual servers, create a custom resource and role based on the Virtual Server Operator role type.
Web App Security Deployer: View and deploy Web Application Security and shared security configuration objects for Web Application Security devices.
Web App Security Editor: Create, view, modify, and delete Web Application Security and shared security configuration objects.
Web App Security Manager: Create, view, modify, delete and deploy Web Application Security and shared security configuration objects.
Web App Security Viewer: Only view Web Application Security and shared security configuration objects.

Add a user and assign them a built-in role

If you want to authenticate users with an LDAP, RADIUS, or TACACS+ server, you must configure that server before adding a user.
Once you understand exactly who you want to perform certain tasks, you can provide them access to particular areas of F5 BIG-IQ Centralized Management by adding them as a user and assigning the appropriate standardized role. You can assign as many roles as required to cover the user's responsibilities.
Since some roles have access only to certain areas or screens in the BIG-IQ user interface, it's important to communicate that to the user. When you assign a role to a user, be sure you outline the responsibilities and restrictions for their role. Clarifying this helps avoid any potential confusion. Also note that these roles do not have access to the global search functionality: Network Security Manager, Network Security Editor, Network Security Viewer, and Trust Discovery Import.
  1. At the top of the screen, click System.
  2. On the left, click USER MANAGEMENT > Users.
  3. Click the Add button.
  4. From the Auth Provider list, select the authentication method you want to use for this user.
    A user must belong to an LDAP group or have an assigned BIG-IQ role, or authentication will fail.
  5. In the User Name field, type the name for this user.
  6. In the Password and Confirm Password fields, type the password for this new user.
    You can change the password any time.
  7. To associate this user with an existing user group, select the group from the User Groups list.
    You aren't required to associate a user group at this point; you can do that later if you want. If you want to associate another user group with this user, click +.
  8. For the Roles setting, from the Available list, select each user role you want to associate with this user, and move it to the Selected list.
    Be sure to let your users know that their access to certain parts of the BIG-IQ user interface depends on which role they are assigned.
  9. At the top of the screen, click System.
This user now has the privileges associated with the role(s) you selected and BIG-IQ will authenticate this user using the authentication method you have configured.
You can now tell this user how their BIG-IQ access aligns with their responsibilities. Make sure they understand they might not see every screen you or one of their peers does. Also let them know that if they try to log in more than 5 times in 5 minutes with the wrong user name and/or password, they might get the following error:
Maximum number of login attempts exceeded.
If that happens, the user must wait 5 minutes before trying to log back in.
If your BIG-IQ is in an HA pair, you must synchronize this change by refreshing the secondary BIG-IQ.

Custom roles based on job responsibilities

BIG-IQ Centralized Management makes it easy for you to give users specific permissions for access only to those BIG-IP objects they need to do their job. Role-based access allows you to create a custom role with specific privileges to view or edit only those BIG-IP objects (resources) you explicitly assign to the role.
There are several built-in roles shipped with BIG-IQ, but there might be a reason you want to give a person permissions to interact only in a clearly defined way with specific resources. To do that, you need to add each of the following to BIG-IQ:
  1. Custom role type - Select one or more services and define a set of permissions (read, add, edit, delete) for interacting with the objects associated with selected services.
  2. Custom resource group - Select the specific type of resources you want to provide a user access to—for example, BIG-IP virtual servers.
  3. Custom role - Associate this custom role with the custom role type and resource group you created, to combine the permissions you specified in the custom role type with the resources you defined for the custom resource group.
  4. Custom user - Associate this user with the custom role you created to provide that person access and permissions to the resources you specified.

Create a custom role type with permissions to specific BIG-IP object types

Creating a custom role type is the first step to providing custom role-based access to users.
  1. At the top of the screen, click System.
  2. On the left, click ROLE MANAGEMENT > Role Types.
  3. In the Name field, type a name to identify this new role type.
    A description is optional.
  4. From the Services list, select each service you want to associate with this role type, then scroll through the Object Type list and select the check box next to each object type you want to provide access to.
    You might have to horizontally re-size your screen so you can see all the objects you need to see.
  5. After you've finished adding objects, for each object type, select the check box beneath the permissions you want to grant for this role type.
  6. Click the Save & Close button.

Create a custom resource group

Create a resource group with all of the BIG-IP objects you want to provide access to, and assign a role type to it.
  1. At the top of the screen, click System.
  2. On the left, click ROLE MANAGEMENT > Resource Groups.
  3. In the Name field, type a name to identify this group of resources.
  4. From the Role Type list, select the role type you want to provide access to for this group of resources.
  5. From the Select Service list, select the service(s) you want to provide access to for this group of resources.
  6. From the Object Type list, select the type of object you want to add to this group of resources.
  7. For the Source setting:
    • Selected Instances - Select this option to put only the source objects you selected into this resource group. If you select this option, the associated role will not have access to any new objects of the same type added in the future unless you explicitly add them to this resource group.
    • Any Instances - Select this option if you want any objects of the same type created in the future to be added to this resource group. If you select this option, any new object of the same type added in the future will be assigned to this resource group, and access to those new resources will automatically be given to the associated role type.
  8. Select the check box next to the name of each object you want to add to this group of resources, and click the Add Selected button.
    You might have to horizontally re-size your screen so you can see all the objects you need to see.
  9. Click the Save & Close button.
Now you can associate this role type and resource group to a role.

Add new custom role

In addition to the built-in roles that ship with BIG-IQ, you can create a custom role with specific privileges to particular areas of BIG-IQ and BIG-IP devices.
  1. At the top of the screen, click System.
  2. On the left, click ROLE MANAGEMENT > Roles.
  3. On the left, click CUSTOM ROLES > Service Roles.
  4. Click the Add button.
  5. In the Name field, type a name to identify this new role.
  6. From the Role Type list, select the kind of role you want to add.
  7. For the Role Mode setting, select an option.
    • Relaxed Mode – If you select this option, the role can view and manage all objects you've given explicit permission to, and it can see (but won't be able to manage) related objects for associated services.
    • Strict Mode – If you select this option, this role can view and manage only the specific objects you've given explicit permission to.
  8. Add the Resource Groups and Active Users and Groups as needed.
  9. To view the type of user access granted for the resource groups associated with this role, click the View Permissions button.
  10. Click the Save & Close button.
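To make the composition of the four pieces above concrete (role type permissions, resource group with Selected Instances or Any Instances, role in Strict or Relaxed Mode, and a user holding roles), here is an added Python model written for this page. It is not BIG-IQ's own code or API: the class names, the sample objects, and the reading of "related objects" as objects referenced by an explicitly granted object are assumptions made for the illustration.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class BigIpObject:
    service: str                      # e.g. "Local Traffic & Network"
    obj_type: str                     # e.g. "virtual server"
    name: str
    related: frozenset = frozenset()  # names of objects this one references (e.g. its pool)

@dataclass
class RoleType:
    """Step 1: per (service, object type), the granted permissions (read/add/edit/delete)."""
    name: str
    permissions: dict                 # {(service, obj_type): {"read", "edit", ...}}

@dataclass
class ResourceGroup:
    """Step 2: which instances of one object type the role may touch."""
    name: str
    service: str
    obj_type: str
    source: str                       # "Selected Instances" or "Any Instances"
    selected: set = field(default_factory=set)

    def contains(self, obj):
        if (obj.service, obj.obj_type) != (self.service, self.obj_type):
            return False
        # "Any Instances" also covers objects created after the group was saved.
        return self.source == "Any Instances" or obj.name in self.selected

@dataclass
class Role:
    """Step 3: a role type, its resource groups, and Strict or Relaxed mode."""
    name: str
    role_type: RoleType
    resource_groups: list
    mode: str                         # "Strict Mode" or "Relaxed Mode"

def allowed(role, obj, permission, inventory):
    """Decide whether `role` may perform `permission` on `obj` (`inventory` = all objects)."""
    if any(g.contains(obj) for g in role.resource_groups):
        return permission in role.role_type.permissions.get((obj.service, obj.obj_type), set())
    if role.mode == "Relaxed Mode" and permission == "read":
        # Assumption: "related" = referenced by an explicitly granted object; Relaxed Mode lets
        # the role see such objects but not manage them. Strict Mode grants nothing here.
        return any(obj.name in o.related and any(g.contains(o) for g in role.resource_groups)
                   for o in inventory)
    return False

def user_allowed(user_roles, obj, permission, inventory):
    """Step 4: a user holds one or more roles; access is the union of what they grant."""
    return any(allowed(r, obj, permission, inventory) for r in user_roles)

def build_sample():
    """Constructed inventory: a virtual server, its pool, and a server added later."""
    ltm = "Local Traffic & Network"
    objs = {"vs_web": BigIpObject(ltm, "virtual server", "vs_web", frozenset({"pool_web"})),
            "pool_web": BigIpObject(ltm, "pool", "pool_web"),
            "vs_new": BigIpObject(ltm, "virtual server", "vs_new")}
    rt = RoleType("VS Operator", {(ltm, "virtual server"): {"read", "edit"}})
    picked = ResourceGroup("picked-vs", ltm, "virtual server", "Selected Instances", {"vs_web"})
    every = ResourceGroup("all-vs", ltm, "virtual server", "Any Instances")
    roles = {"strict": Role("strict-picked", rt, [picked], "Strict Mode"),
             "relaxed": Role("relaxed-picked", rt, [picked], "Relaxed Mode"),
             "any_vs": Role("strict-all", rt, [every], "Strict Mode")}
    return objs, roles
```

Running `allowed` over the sample shows the two decisions that matter when you review a custom role: a Selected Instances group never covers vs_new, while Any Instances does, and only Relaxed Mode lets the role read the pool its virtual server references.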

Remove a BIG-IQ user from a role

If an employee's job or responsibilities change, you can use this procedure to disassociate that BIG-IQ user from an assigned role.
  1. At the top of the screen, click System.
  2. On the left, click USER MANAGEMENT > Users.
  3. On the Users inventory list, click the name of the user.
    The screen refreshes to display the properties for this user.
  4. From the User Roles list, select the user role to disassociate from this user and click the X.
    The selected user role is removed from the list of privileges assigned to this user.
  5. Click the Save & Close button.
This user no longer has the privileges associated with the role you removed.

Assign a new user access to the DNS operator role

To provide user access to the DNS objects on managed devices, you have a couple of options.
  • If you want the user to have access to all DNS objects on devices managed by this BIG-IQ, you can create a custom role for them titled DNS Operator. The following steps detail how to create this custom role.
  • If you want more granular control of the access the user has, you can create a new role for them and, in that role, specify precisely which objects they can access and which operations they can perform on those objects. For details about how to create this new role, refer to Create a custom role type with permissions to specific BIG-IP object types on support.f5.com.
Because this role has access only to certain areas or screens in the BIG-IQ user interface, it's important to communicate these constraints to the user. When you assign a role to a user, be sure you outline the responsibilities and restrictions for their role. Clarifying this helps avoid any potential confusion.
  1. At the top of the screen, click System.
  2. On the left, click USER MANAGEMENT > Users.
  3. Click the Add button.
  4. From the Auth Provider list, select the authentication method you want to use for this user.
    A user must belong to an LDAP group or have an assigned BIG-IQ role, or authentication will fail.
  5. In the User Name field, type the name for this user.
  6. In the Password and Confirm Password fields, type the password for this new user.
    You can change the password any time.
  7. To associate this user with an existing user group, select the group from the User Groups list.
    You aren't required to associate a user group at this point; you can do that later if you want. If you want to associate another user group with this user, click +.
  8. For the Roles setting, from the Available list, select the DNS Operator role, and move it to the Selected list.
    With this access, users can make immediate changes (like enable/disable/force offline) to any DNS object that belongs to a device managed by this BIG-IQ.
  9. Click the Save & Close button.
This user now has the privileges associated with the DNS role you selected and BIG-IQ will authenticate this user using the authentication method you have configured.
You can now tell this user how their BIG-IQ access aligns with their responsibilities. Make sure they understand they might not see every screen you or one of their peers does. Also let them know that if they try to log in more than 5 times in 5 minutes with the wrong user name and/or password, they might get the following error:
Maximum number of login attempts exceeded.
If that happens, the user must wait 5 minutes before trying to log back in.
If your BIG-IQ is in an HA pair, you must synchronize this change by refreshing the secondary BIG-IQ.

Synchronize new users and user groups with standby BIG-IQ

You must configure two BIG-IQ Centralized Management systems in a high availability (HA) pair before you can synchronize users and user groups with a standby BIG-IQ.
Users and user groups are handled differently than other data that's synchronized between BIG-IQ systems in an HA pair. For that reason, you must refresh the standby BIG-IQ system in an HA pair after you add a new user or user group. Refresh the standby BIG-IQ so new users and user groups can successfully log in to it.
  1. At the top of the screen, click System.
  2. On the left, click BIG-IQ HA.
  3. At the top of the screen, click the BIG-IQ HA Settings button.
  4. Click the Log Out and Refresh button.
  5. Click OK, then Log Out.
    BIG-IQ logs you out.
You should now be able to log in to the standby BIG-IQ with the new user and/or user group you added.