Manual Chapter :
Role-Based User Access
Applies To:
Show VersionsBIG-IQ Centralized Management
- 8.3.0, 8.2.0, 8.1.0
Role-Based User Access
Limit a user's access to BIG-IP devices based on their role
BIG-IQ gives you the tools you need to customize
user access to managed devices by letting you assign role-based access based on job
responsibilities. When you associate a role with a user (or a group of users), they have
access only to the areas within BIG-IQ that you explicitly grant.
Assigning more than one role to a user
The responsibilities and roles each of your users has probably
depends on the number of people who have access to BIG-IQ.
For example, if you have only two people managing your devices from
BIG-IQ, they both most likely need to have full access to all aspects of BIG-IQ at one
time or another. For these users, you'd assign them both the Administrator role.
Assigning more granular/specialized privileges to a
user
On the other hand, if you're working for a larger company that has
specialized roles to manage different services, or different parts of services, you can
provide more granular access.
For example, if you have two people who manage BIG-IP devices used
only for network security purposes, you could assign them both the role of Network
Security Manager. Or, if you have two people managing devices used for network security,
but you want only one of them to write and edit policies, and the other to (only) deploy
the policies, you could assign the first person the Network Security Editor role, and
the other person the Network Security Deployer role. In this case, the person with the
Network Security Editor role can only create, view, and edit policies, but not deploy
them. The person assigned to the Network Security Deployer can view and deploy policies,
but cannot create or edit them.
About built-in and custom roles
You can assign role-based user access one of two ways:
- Built-in user roles - BIG-IQ ships with several built-in user roles that correlate to common job responsibilities. These roles are aligned with duties associated with applications and services. Use these built-in roles to quickly assign users with permissions to access the BIG-IP objects they need to do their job.
- Custom roles - You can create a custom role to grant access to users in a way that fits your own business needs. When you create a role you can provide specific permissions to as many BIG-IP objects as needed, even across multiple services. Like built-in roles, you align them with duties associated with applications and services.
Built-in roles shipped with BIG-IQ
As a system manager, you'll need a way to limit a user's access to certain areas of F5 BIG-IQ Centralized Management and to its managed devices. The easiest way to do this is to base user access on the responsibilities, or role, that the user has in your company. To help you do that, BIG-IQ ships with a set of built-in roles (associated with a role type) with certain privileges that you can assign to specific users. Since responsibilities and duties for certain roles are specialized, users assigned to some roles have access to only specific parts of BIG-IQ. These restrictions are outlined in the role description.
Role | This role can: |
---|---|
Administrator | Perform all tasks for setting up and maintaining BIG-IQ and managing devices. This includes discovering devices, adding individual users, assigning roles, installing updates, activating licenses, and so forth. |
Access Auditor | Only view Access configuration objects and managed Access devices. This role cannot edit, discover, or deploy devices or policies. |
Access Deployer | Deploy Access configuration objects. This role cannot discover and edit devices or policies. |
Access Editor | View and edit Access configuration objects, including the ability to add, update, and delete pools and pool members from the Access configuration object editor. This role cannot discover or deploy devices or policies. |
Access Manager | Deploy and edit Access configuration objects, and view the Access Reporting and dashboard. This role cannot add or remove devices and device groups, and cannot discover, import, or delete services. |
Access Viewer | Only view Access configuration objects and discovered Access devices. This role cannot edit, discover, or deploy devices or policies. |
Application Editor | View Local Traffic & Network objects, and create, view, and modify applications through Service Catalog templates. |
Application Manager | View, edit, and delete applications. BIG-IQ creates this role only when an application is created. |
Application Template Viewer | Only view application templates and service scaling group objects. |
Application Viewer | Only view applications. BIG-IQ creates this role only when an application is created. |
Device Manager | Perform all tasks for device management, including device discovery, licensing, software image management, and UCS backups. |
Device Viewer | Only view aspects of device management including device discovery, licensing, software image management, and UCS backups. |
F5 Device Trust User | User has access to manage all APIs related to managed BIG-IP systems and DCDs. |
DNS Deployer | View and deploy DNS configuration objects. |
DNS Editor | Create, view, modify, and delete DNS configuration objects. |
DNS Manager | Perform all tasks for managing DNS, including creating, viewing, modifying, and deleting DNS objects. |
DNS Viewer | Only view aspects of device management associated with DNS. |
Fraud Protection Deployer | View and deploy Fraud Protection Service objects. |
Fraud Protection Editor | View and edit Fraud Protection Service objects. |
Fraud Protection Manager | Perform all tasks for managing the Fraud Protection Service functionality. |
Fraud Protection Viewer | Only view Fraud Protection Service objects. |
License Manager | Perform all tasks related to BIG-IP licensing. |
Local Traffic & Network Deployer | View and deploy Local Traffic & Network configuration objects for managed Local Traffic & Network devices. |
Local Traffic & Network Editor | Create, view, modify, and delete Local Traffic & Network configuration objects. |
Local Traffic & Network Manager | Perform all tasks for managing Local Traffic & Network, including creating, viewing, modifying, and deleting Local Traffic & Network objects. |
Local Traffic & Network Viewer | Only view Local Traffic & Network objects. |
Network Security Deployer | View and deploy Network Security objects. |
Network Security Editor | Create, view, modify, and delete Network Security objects. |
Network Security Manager | Perform all tasks associated with Network Security, including areas involved in creating, viewing, modifying, and deleting shared and firewall-specific security objects. |
Network Security Viewer | Only view Network Security firewall objects. This role cannot edit, discover, or deploy devices or policies. |
Pool Member Operator | Enable, disable, or force offline pool members for all pools. To limit access to select pools, create a custom resource group and role based on the Pool Member Operator type. |
REST Proxy Manager | Perform all tasks associated with REST Proxy calls to managed BIG-IP devices. |
REST Proxy Viewer | Only view REST Proxy calls to managed BIG-IP devices. You can also use the RoleType of this built-in Role to create custom read-only Roles to allow users to view specific REST Proxy calls. |
Security Manager | Perform all tasks associated with Network Security, Web Application Security, DoS Protection, Bot Defense, and Fraud Protection Service, including areas involved in device discovery, creating, viewing, modifying, and deleting Web Application Security, shared and firewall-specific security objects. |
Service Catalog Editor | View Local Traffic & Network objects and create, view, modify, and delete Service Catalog templates. |
Service Catalog Viewer | Only view Local Traffic & Network objects and Service Catalog templates. |
Trust Discovery Import | Manage device trust establishment, service discovery, service import, removal of services and removal of trust. |
Virtual Server Operator | Enable or disable all virtual servers. To limit access to select virtual servers, create a custom resource and role based on the Virtual Server Operator role type. |
Web App Security Deployer | View and deploy Web Application Security and shared security configuration objects for Web Application Security devices. |
Web App Security Editor | Create, view, modify, and delete Web Application Security and shared security configuration objects. |
Web App Security Manager | Create, view, modify, delete and deploy Web Application Security and shared security configuration objects. |
Web App Security Viewer | Only view Web Application Security and shared security configuration objects. |
Add a user and assign them a built-in
role
If you want to authentication users with an LDAP, RADIUS, or TACACS+ server, you must
first configure that before adding a user.
Once you understand exactly who you
want to perform certain tasks, you can provide them access to particular areas of F5
BIG-IQ Centralized Management by adding them as a user and
assigning the appropriate standardized role. You can assign as many roles as required to
cover the user's responsibilities.
Since some roles have access only to certain areas or screens in
the BIG-IQ user interface, it's important to communicate that to the user. When you
assign a role to a user, be sure you outline the responsibilities and restrictions
for their role. Clarifying this helps avoid any potential confusion. Also note,these
roles do not have access to the global search functionality: Network Security
Manager, Network Security Edit, Network Security View, and Trust Discovery
Import.
- At the top of the screen, clickSystem.
- On the left, click.
- Click theAddbutton.
- From theAuth Providerlist, select the authentication method you want to use for this user.A user must belong to an LDAP group or have an assigned BIG-IQ role, or authentication will fail.
- In theUser Namefield, type the name for this user.
- In thePasswordandConfirm Passwordfields, type the password for this new user.You can change the password any time.
- To associate this user with an existing user group, select the group from theUser Groupslist.You aren't required to associate a user group at this point; you can do that later if you want. If you want to associate another user group with this user, click+.
- For theRolessetting, from theAvailablelist, select each user role you want to associate with this user, and move it to theSelectedlist.Be sure to let your users know that their access to certain parts of the BIG-IQ user interface depends on which role they are assigned.
- At the top of the screen, clickSystem.
This user now has the privileges
associated with the role(s) you selected and BIG-IQ will authenticate this user
using the authentication method you have configured.
You can now tell this user how their
BIG-IQ access aligns with their responsibilities. Make sure they understand they might
not see every screen you or one of their peers does. Also let them know that if they try
to log in more than 5 times in 5 minutes with the wrong user name and/or password, they
might get the following error:
Maximum number of login attempts exceeded.
If that happens, the user must wait 5 minutes before trying to log back in.If your BIG-IQ is in an HA pair, you
must synchronize this change by refreshing the secondary
BIG-IQ.
Custom roles based on job responsibilities
BIG-IQ Centralized Management makes it easy for you to give users specific permissions for access only to those BIG-IP objects they need to do their job. Role-based access allows you to create a custom role with specific privileges to view or edit only those BIG-IP objects (resources) you explicitly assign to the role.
There are several built-in roles shipped with BIG-IQ, but there might be a reason you want to give a person permissions to interact only in a clearly defined way with specific resources. To do that, you need to add each of the following to BIG-IQ:
- Custom role type - Select one or more services and define a set of permissions (read, add, edit, delete) for interacting with the objects associated with selected services.
- Custom resource group - Select the specific type of resources you want to provide a user access to—for example, BIG-IP virtual servers.
- Custom role - Associate this custom role with the custom role type and resource group you created, to combine the permissions you specified in the custom role type with the resources you defined for the custom resource group.
- Custom user - Associate this user with the custom role you created to provide that person access and permissions to the resources you specified.
Create a custom role type with permissions to specific BIG-IP
object types
Creating a custom role type is the first step
to providing custom role-based access to users.
- At the top of the screen, clickSystem.
- On the left, click.
- In theNamefield, type a name to identify this new role type.A description is optional.
- From theServiceslist, select each service you want to associate with this role type, then scroll through theObject Typelist and select the check box next to each object type you want to provide access to.You might have to horizontally re-size your screen so you can see all the objects you need to see.
- After you've finished adding objects, for each object type, select the check box beneath the permissions you want to grant for this role type.
- Click theSave & Closebutton.
Create a custom resource group
Create a resource group with all of the
BIG-IP objects you want to provide access to, and assign a role type to it.
- At the top of the screen, clickSystem.
- On the left, click.
- In theNamefield, type a name to identify this group of resources.
- From theRole Typelist, select the role type you want to provide access to for this group of resources.
- From theSelect Servicelist, select the service(s) you want to provide access to for this group of resources.
- From theObject Typelist, select the type of object you want to add to this group of resources.
- For theSourcesetting:
- Selected Instances- Select this option to put only the source objects you selected into this resource group. If you select this option, the associated role will not have access to any new objects of the same type added in the future unless you explicitly add it to this resource group.
- Any Instances- Select this option if you want to add any objects of the same type created in the future to this resources group. If you select this option, any new object of the same type added in the future will be assigned to this resource group, and access to those new resources will automatically be given to the associated role type.
- Select the check box next to the name of each object you want to add to this group of resources, and click theAdd Selectedbutton.You might have to horizontally re-size your screen so you can see all the objects you need to see.
- Click theSave & Closebutton.
Now you can associate this role type and
resource group to a role.
Add new custom role
In addition to the built-in roles that ship with BIG-IQ, you can create a custom role
with specific privileges to particular areas of BIG-IQ and BIG-IP devices.
- At the top of the screen, clickSystem.
- On the left, click.
- On the left, click
- Click theAddbutton.
- In theNamefield, type a name to identify this new role.
- From theRole Typelist, select the kind of role you want to add.
- For theRole Modesetting, select an option.
- Relaxed Mode– If you select this option, the role can view and manage all objects you've given explicit permission to, and it can see (but won't be able to manage) related objects for associated services.
- Strict Mode– If you select this option, this role can view and manage only the specific objects you’ve given explicit permission to.
- Add the Resource Groups and Active Users and Groups as needed.
- To view the type of user access granted for the resource groups associated with this role, click theView Permissionsbutton.
- Click theSave & Closebutton.
Remove a BIG-IQ user from a role
If a job or responsibilities change for an employee, you can use this procedure to disassociate that BIG-IQ user from an assigned role.
- At the top of the screen, clickSystem.
- On the left, click.
- On the Users inventory list, click the name of the user.The screen refreshes to display the properties for this user.
- From theUser Roleslist, select the user role to disassociate from this user and click theX.The selected user role is removed from the list of privileges assigned to this user.
- Click theSave & Closebutton.
This user no longer has the privileges associated with the role you deleted.
Assign a new user access to the DNS operator role
To provide user access to the DNS objects on managed devices, you have a couple options.
- If you want the user to have access to all DNS objects on devices managed by this BIG-IQ, you can create a custom role for them titled DNS Operator. The following steps detail how to create this custom role.
- If you want more granular control of the access the user has, you can create a new role for them and in that role, specify precisely which objects they can access and which operations they can perform on those objects. For details about how to create this new role, refer toCreate a custom role type with permissions to specific BIG-IP object typesonsupport.f5.com.
Because this role has access only to certain areas
or screens in the BIG-IQ user interface, it's important to communicate these constraints
to the user. When you assign a role to a user, be sure you outline the responsibilities
and restrictions for their role. Clarifying this helps avoid any potential confusion.
- At the top of the screen, clickSystem.
- On the left, click.
- Click theAddbutton.
- From theAuth Providerlist, select the authentication method you want to use for this user.A user must belong to an LDAP group or have an assigned BIG-IQ role, or authentication will fail.
- In theUser Namefield, type the name for this user.
- In thePasswordandConfirm Passwordfields, type the password for this new user.You can change the password any time.
- To associate this user with an existing user group, select the group from theUser Groupslist.You aren't required to associate a user group at this point; you can do that later if you want. If you want to associate another user group with this user, click+.
- For theRolessetting, from theAvailablelist, select theDNS Operatorrole, and move it to theSelectedlist.With this access, users can make immediate changes (like enable/disable/force offline) to any DNS object that belongs to a device managed by this BIG-IQ.
- Click theSave & Closebutton.
This user now has the privileges associated with
the DNS role you selected and BIG-IQ will authenticate this user using the authentication
method you have configured.
You can now tell this user how their BIG-IQ access aligns with their responsibilities.
Make sure they understand they might not see every screen you or one of their peers does.
Also let them know that if they try to log in more than 5 times in 5 minutes with the wrong
user name and/or password, they might get the following error:
Maximum number of login attempts exceeded.
If
that happens, the user must wait 5 minutes before trying to log back in.If your BIG-IQ is in an HA pair, you must synchronize this change
by refreshing the secondary BIG-IQ.
Synchronize new users and user groups with standby BIG-IQ
You must configure two BIG-IQ Centralized Management systems in a high availability (HA) pair before you can synchronize users and user groups with a standby BIG-IQ
Users and user groups are handled differently than other data that's synchronized between BIG-IQ systems in an HA pair. For that reason, you must refresh the standby BIG-IQ system in an HA pair after you add a new user or user group. Refresh the standby BIG-IQ so new users and user groups can successfully log in to it.
- At the top of the screen, clickSystem.
- On the left, clickBIG-IQ HA.
- At the top of the screen, click theBIG-IQ HA Settingsbutton.
- Click theLog Out and Refreshbutton.
- ClickOK, thenLog Out.BIG-IQ logs you out.
You should now be able to log in to the standby BIG-IQ with the new user and/or user group you added.