Limit a user's access to BIG-IP devices based on their role
BIG-IQ gives you the tools you need to customize
user access to managed devices by letting you assign role-based access based on job
responsibilities. When you associate a role with a user (or a group of users), they have
access only to the areas within BIG-IQ that you explicitly grant.
Assigning more than one role to a user
The responsibilities and roles each of your users has probably
depends on the number of people who have access to BIG-IQ.
For example, if you have only two people managing your devices from
BIG-IQ, they both most likely need to have full access to all aspects of BIG-IQ at one
time or another. For these users, you'd assign them both the Administrator role.
Assigning more granular/specialized privileges to a
user
On the other hand, if you're working for a larger company that has
specialized roles to manage different services, or different parts of services, you can
provide more granular access.
For example, if you have two people who manage BIG-IP devices used
only for network security purposes, you could assign them both the role of Network
Security Manager. Or, if you have two people managing devices used for network security,
but you want only one of them to write and edit policies, and the other to (only) deploy
the policies, you could assign the first person the Network Security Editor role, and
the other person the Network Security Deployer role. In this case, the person with the
Network Security Editor role can only create, view, and edit policies, but not deploy
them. The person assigned to the Network Security Deployer can view and deploy policies,
but cannot create or edit them.
About built-in and custom roles
You can assign role-based user access one of two ways:
Built-in user roles - BIG-IQ ships with several built-in user roles
that correlate to common job responsibilities. These roles are aligned with duties
associated with applications and services. Use these built-in roles to quickly assign
users with permissions to access the BIG-IP objects they need to do their job.
Custom roles - You can create a custom role to grant access to
users in a way that fits your own business needs. When you create a role you can provide
specific permissions to as many BIG-IP objects as needed, even across multiple services.
Like built-in roles, you align them with duties associated with applications and
services.
Built-in roles shipped with BIG-IQ
As a system manager, you'll need a way to limit a user's access to certain areas of F5 BIG-IQ Centralized Management and to its managed devices. The easiest way to do this is to base user access on the responsibilities, or role, that the user has in your company. To help you do that, BIG-IQ ships with a set of built-in roles (associated with a role type) with certain privileges that you can assign to specific users. Since responsibilities and duties for certain roles are specialized, users assigned to some roles have access to only specific parts of BIG-IQ. These restrictions are outlined in the role description.
Role
This role can:
Administrator
Perform all tasks for setting up and maintaining BIG-IQ and managing devices. This includes discovering devices, adding individual users, assigning roles, installing updates, activating licenses, and so forth.
Access Auditor
Only view Access configuration objects and managed Access devices. This role cannot edit, discover, or deploy devices or policies.
Access Deployer
Deploy Access configuration objects. This role cannot discover and edit devices or policies.
Access Editor
View and edit Access configuration objects, including the ability to add, update, and delete pools and pool members from the Access configuration object editor. This role cannot discover or deploy devices or policies.
Access Manager
Deploy and edit Access configuration objects, and view the Access Reporting and dashboard. This role cannot add or remove devices and device groups, and cannot discover, import, or delete services.
Access Viewer
Only view Access configuration objects and discovered Access devices. This role cannot edit, discover, or deploy devices or policies.
Application Editor
View Local Traffic & Network objects, and create, view, and modify applications through Service Catalog templates.
Application Manager
View, edit, and delete applications. BIG-IQ creates this role only when an application is created.
Application Template Viewer
Only view application templates and service scaling group objects.
Application Viewer
Only view applications. BIG-IQ creates this role only when an application is created.
Device Manager
Perform all tasks for device management, including device discovery, licensing, software image management, and UCS backups.
Device Viewer
Only view aspects of device management including device discovery, licensing, software image management, and UCS backups.
F5 Device Trust User
User has access to manage all APIs related to managed BIG-IP systems and DCDs.
DNS Deployer
View and deploy DNS configuration objects.
DNS Editor
Create, view, modify, and delete DNS configuration objects.
DNS Manager
Perform all tasks for managing DNS, including creating, viewing, modifying, and deleting DNS objects.
DNS Viewer
Only view aspects of device management associated with DNS.
Fraud Protection Deployer
View and deploy Fraud Protection Service objects.
Fraud Protection Editor
View and edit Fraud Protection Service objects.
Fraud Protection Manager
Perform all tasks for managing the Fraud Protection Service functionality.
Fraud Protection Viewer
Only view Fraud Protection Service objects.
License Manager
Perform all tasks related to BIG-IP licensing.
Local Traffic & Network Deployer
View and deploy Local Traffic & Network configuration objects for managed Local Traffic & Network devices.
Local Traffic & Network Editor
Create, view, modify, and delete Local Traffic & Network configuration objects.
Local Traffic & Network Manager
Perform all tasks for managing Local Traffic & Network, including creating, viewing, modifying, and deleting Local Traffic & Network objects.
Local Traffic & Network Viewer
Only view Local Traffic & Network objects.
Network Security Deployer
View and deploy Network Security objects.
Network Security Editor
Create, view, modify, and delete Network Security objects.
Network Security Manager
Perform all tasks associated with Network Security, including areas involved in creating, viewing, modifying, and deleting shared and firewall-specific security objects.
Network Security Viewer
Only view Network Security firewall objects. This role cannot edit, discover, or deploy devices or policies.
Pool Member Operator
Enable, disable, or force offline pool members for all pools. To limit access to select pools, create a custom resource group and role based on the Pool Member Operator type.
REST Proxy Manager
Perform all tasks associated with REST Proxy calls to managed BIG-IP devices.
REST Proxy Viewer
Only view REST Proxy calls to managed BIG-IP devices. You can also use the RoleType of this built-in Role to create custom read-only Roles to allow users to view specific REST Proxy calls.
Security Manager
Perform all tasks associated with Network Security, Web Application Security, DoS Protection, Bot Defense, and Fraud Protection Service, including areas involved in device discovery, creating, viewing, modifying, and deleting Web Application Security, shared and firewall-specific security objects.
Service Catalog Editor
View Local Traffic & Network objects and create, view, modify, and delete Service Catalog templates.
Service Catalog Viewer
Only view Local Traffic & Network objects and Service Catalog templates.
Trust Discovery Import
Manage device trust establishment, service discovery, service import, removal of services and removal of trust.
Virtual Server Operator
Enable or disable all virtual servers. To limit access to select virtual servers, create a custom resource and role based on the Virtual Server Operator role type.
Web App Security Deployer
View and deploy Web Application Security and shared security configuration objects for Web Application Security devices.
Web App Security Editor
Create, view, modify, and delete Web Application Security and shared security configuration objects.
Web App Security Manager
Create, view, modify, delete and deploy Web Application Security and shared security configuration objects.
Web App Security Viewer
Only view Web Application Security and shared security configuration objects.
Add a user and assign them a built-in
role
If you want to authentication users with an LDAP, RADIUS, or TACACS+ server, you must
first configure that before adding a user.
Once you understand exactly who you
want to perform certain tasks, you can provide them access to particular areas of F5
BIG-IQ Centralized Management by adding them as a user and
assigning the appropriate standardized role. You can assign as many roles as required to
cover the user's responsibilities.
Since some roles have access only to certain areas or screens in
the BIG-IQ user interface, it's important to communicate that to the user. When you
assign a role to a user, be sure you outline the responsibilities and restrictions
for their role. Clarifying this helps avoid any potential confusion. Also note,these
roles do not have access to the global search functionality: Network Security
Manager, Network Security Edit, Network Security View, and Trust Discovery
Import.
At the top of the screen, click
System
.
On the left, click
USER MANAGEMENT
Users
.
Click the
Add
button.
From the
Auth Provider
list, select the authentication method you want to use
for this user.
A user must belong to an LDAP group or have an assigned
BIG-IQ role, or authentication will fail.
In the
User Name
field, type the name for this user.
In the
Password
and
Confirm
Password
fields, type the password for this new user.
You can change the password any time.
To associate this user with an existing user group,
select the group from the
User
Groups
list.
You aren't required to associate a user group
at this point; you can do that later if you want. If you want to associate another
user group with this user, click
+
.
For the
Roles
setting, from the
Available
list, select each user role you want to associate with this
user, and move it to the
Selected
list.
Be sure to let your users know that
their access to certain parts of the BIG-IQ user interface depends on which role
they are assigned.
At the top of the screen, click
System
.
This user now has the privileges
associated with the role(s) you selected and BIG-IQ will authenticate this user
using the authentication method you have configured.
You can now tell this user how their
BIG-IQ access aligns with their responsibilities. Make sure they understand they might
not see every screen you or one of their peers does. Also let them know that if they try
to log in more than 5 times in 5 minutes with the wrong user name and/or password, they
might get the following error:
Maximum number of login attempts exceeded.
If that happens, the user must wait 5 minutes before trying to log back in.
If your BIG-IQ is in an HA pair, you
must synchronize this change by refreshing the secondary
BIG-IQ.
Custom roles based on job responsibilities
BIG-IQ Centralized Management makes it easy for you to give users specific permissions for access only to those BIG-IP objects they need to do their job. Role-based access allows you to create a custom role with specific privileges to view or edit only those BIG-IP objects (resources) you explicitly assign to the role.
There are several built-in roles shipped with BIG-IQ, but there might be a reason you want to give a person permissions to interact only in a clearly defined way with specific resources. To do that, you need to add each of the following to BIG-IQ:
Custom role type - Select one or more services and
define a set of permissions (read, add, edit, delete) for interacting with the
objects associated with selected services.
Custom resource group - Select the specific type of resources you want to provide a user access to—for example, BIG-IP virtual servers.
Custom role - Associate this custom role with the custom role type and resource group you created, to combine the permissions you specified in the custom role type with the resources you defined for the custom resource group.
Custom user - Associate this user with the custom role you created to provide that person access and permissions to the resources you specified.
Create a custom role type with permissions to specific BIG-IP
object types
Creating a custom role type is the first step
to providing custom role-based access to users.
At the top of the screen, click
System
.
On the left, click
ROLE MANAGEMENT
Role Types
.
In the
Name
field, type a name to identify
this new role type.
A description is optional.
From the
Services
list, select each service you want to associate with this
role type, then scroll through the
Object Type
list and select the check box next to each object type
you want to provide access to.
You might have to horizontally re-size your screen so you
can see all the objects you need to see.
After you've finished adding objects, for each object
type, select the check box beneath the permissions you want to grant for this role
type.
Click the
Save & Close
button.
Create a custom resource group
Create a resource group with all of the
BIG-IP objects you want to provide access to, and assign a role type to it.
At the top of the screen, click
System
.
On the left, click
ROLE MANAGEMENT
Resource Groups
.
In the
Name
field, type a name to identify this group of resources.
From the
Role Type
list, select the role type you want to provide access to
for this group of resources.
From the
Select Service
list, select the service(s) you want to provide access
to for this group of resources.
From the
Object Type
list, select the type of object you want to add to this
group of resources.
For the
Source
setting:
Selected Instances
-
Select this option to put only the source objects you selected into this resource
group. If you select this option, the associated role will not have access to any
new objects of the same type added in the future unless you explicitly add it to
this resource group.
Any Instances
- Select
this option if you want to add any objects of the same type created in the future
to this resources group. If you select this option, any new object of the same
type added in the future will be assigned to this resource group, and access to
those new resources will automatically be given to the associated role
type.
Select the check box next to the name of each object
you want to add to this group of resources, and click the
Add Selected
button.
You might have to horizontally re-size your screen so you can see all the objects
you need to see.
Click the
Save & Close
button.
Now you can associate this role type and
resource group to a role.
Add new custom role
In addition to the built-in roles that ship with BIG-IQ, you can create a custom role
with specific privileges to particular areas of BIG-IQ and BIG-IP devices.
At the top of the screen, click
System
.
On the left, click
ROLE MANAGEMENT
Roles
.
On the left, click
CUSTOM ROLES
Service Roles
Click the
Add
button.
In the
Name
field, type a name to identify this new role.
From the
Role Type
list, select the kind of role you want to add.
For the
Role Mode
setting, select an option.
Relaxed
Mode
– If you select this option, the role can view and
manage all objects you've given explicit permission to, and it can see (but
won't be able to manage) related objects for associated services.
Strict
Mode
– If you select this option, this role can view and
manage only the specific objects you’ve given explicit permission to.
Add the Resource Groups and Active Users and Groups as needed.
To view the type of user access granted for the resource groups associated with
this role, click the
View Permissions
button.
Click the
Save & Close
button.
Remove a BIG-IQ user from a role
If a job or responsibilities change for an employee, you can use this procedure to disassociate that BIG-IQ user from an assigned role.
At the top of the screen, click
System
.
On the left, click
USER MANAGEMENT
Users
.
On the Users inventory list, click the name of the
user.
The screen refreshes to display
the properties for this user.
From the
User Roles
list, select the user role to disassociate from this user
and click the
X
.
The selected user role is removed from the
list of privileges assigned to this user.
Click the
Save & Close
button.
This user no longer has the privileges associated with the role you deleted.
Assign a new user access to the DNS operator role
To provide user access to the DNS objects on managed devices, you have a couple options.
If you want the user to have access to all DNS objects on
devices managed by this BIG-IQ, you can create a custom role for them titled DNS
Operator. The following steps detail how to create this custom role.
If you want more granular control of the access the user has,
you can create a new role for them and in that role, specify precisely which objects
they can access and which operations they can perform on those objects. For details
about how to create this new role, refer to
Because this role has access only to certain areas
or screens in the BIG-IQ user interface, it's important to communicate these constraints
to the user. When you assign a role to a user, be sure you outline the responsibilities
and restrictions for their role. Clarifying this helps avoid any potential confusion.
At the top of the screen, click
System
.
On the left, click
USER MANAGEMENT
Users
.
Click the
Add
button.
From the
Auth Provider
list, select the authentication method you want to use
for this user.
A user must belong to an LDAP group or have an assigned
BIG-IQ role, or authentication will fail.
In the
User Name
field, type the name for this user.
In the
Password
and
Confirm
Password
fields, type the password for this new user.
You can change the password any time.
To associate this user with an existing user group,
select the group from the
User
Groups
list.
You aren't required to associate a user group
at this point; you can do that later if you want. If you want to associate another
user group with this user, click
+
.
For the
Roles
setting, from the
Available
list, select the
DNS Operator
role, and move it to
the
Selected
list.
With this access, users can make
immediate changes (like enable/disable/force offline) to any DNS object that belongs
to a device managed by this BIG-IQ.
Click the
Save & Close
button.
This user now has the privileges associated with
the DNS role you selected and BIG-IQ will authenticate this user using the authentication
method you have configured.
You can now tell this user how their BIG-IQ access aligns with their responsibilities.
Make sure they understand they might not see every screen you or one of their peers does.
Also let them know that if they try to log in more than 5 times in 5 minutes with the wrong
user name and/or password, they might get the following error:
Maximum number of login attempts exceeded.
If
that happens, the user must wait 5 minutes before trying to log back in.
If your BIG-IQ is in an HA pair, you must synchronize this change
by refreshing the secondary BIG-IQ.
Synchronize new users and user groups with standby BIG-IQ
You must configure two BIG-IQ Centralized Management systems in a high availability (HA) pair before you can synchronize users and user groups with a standby BIG-IQ
Users and user groups are handled differently than other data that's synchronized between BIG-IQ systems in an HA pair. For that reason, you must refresh the standby BIG-IQ system in an HA pair after you add a new user or user group. Refresh the standby BIG-IQ so new users and user groups can successfully log in to it.
At the top of the screen, click
System
.
On the left, click
BIG-IQ HA
.
At the top of the screen, click the
BIG-IQ HA Settings
button.
Click the
Log Out and Refresh
button.
Click
OK
, then
Log Out
.
BIG-IQ logs you
out.
You should now be able to log in to the standby BIG-IQ with the new user and/or user group you added.
