Applies To:
- BIG-IP AAM: 11.6.5, 11.6.4, 11.6.3, 11.6.2, 11.6.1
- BIG-IP APM: 11.6.5, 11.6.4, 11.6.3, 11.6.2, 11.6.1
- BIG-IP GTM: 11.6.5, 11.6.4, 11.6.3, 11.6.2, 11.6.1
- BIG-IP Analytics: 11.6.5, 11.6.4, 11.6.3, 11.6.2, 11.6.1
- BIG-IP Link Controller: 11.6.5, 11.6.4, 11.6.3, 11.6.2, 11.6.1
- BIG-IP LTM: 11.6.5, 11.6.4, 11.6.3, 11.6.2, 11.6.1
- BIG-IP PEM: 11.6.5, 11.6.4, 11.6.3, 11.6.2, 11.6.1
- BIG-IP AFM: 11.6.5, 11.6.4, 11.6.3, 11.6.2, 11.6.1
- BIG-IP ASM: 11.6.5, 11.6.4, 11.6.3, 11.6.2, 11.6.1
Administrative Partitions
What is an administrative partition?
An administrative partition is a logical container that you create, containing a defined set of BIG-IP® system objects. If you have the Administrator or User Manager user role assigned to your BIG-IP system user account, you can create administrative partitions to control other users’ access to BIG-IP objects. More specifically, when a specific set of objects resides in a partition, you can give certain users the authority to view and manage the objects in that partition only, rather than to all objects on the BIG-IP system. This gives a finer granularity of administrative control. For example, a user that is assigned access to partition A with the role of Operator on that partition can mark nodes up or down, but only in that partition. You assign user access to partitions when you configure BIG-IP system user accounts.
The following illustration shows an example of user objects within partitions on the BIG-IP system.
Sample administrative partitions on the BIG-IP system
For every administrative partition on the BIG-IP system, the system creates an equivalent high-level folder with an equivalent name.
Creating an administrative partition
You perform this task to create an administrative partition. An administrative partition creates an access control boundary for users and applications.
Relationship of partitions to user accounts
Partitions have a special relationship to user accounts. With respect to partitions and user accounts, you can:
- Assign partition access to user accounts
- You can configure a user account to grant the user access to one or more partitions, and you can assign a different user role to a user for each partition. Moreover, you can grant an individual user access to all partitions instead of to specific partitions only. Note that assigning partition access to a user does not necessarily give the user full access to all objects in the partition; the user role assigned to the user determines the type of access that the user has to each type of object in the partition.
- Create user accounts as partitioned objects
- Like other types of objects on the system, user account objects also reside in partitions. Placing user account objects into partitions controls other users’ administrative access to those user accounts. Also, like other object types, a BIG-IP® system user account cannot reside in more than one partition simultaneously. When you first install the BIG-IP system, every existing user account (root and admin) resides in partition Common.
Important: The partition in which a user account object resides does not affect the partition or partitions to which that user is granted access to manage other BIG-IP objects.
About partition Common
During BIG-IP® system installation, the system automatically creates a partition named Common. At a minimum, this partition contains all of the BIG-IP objects that the system creates as part of the installation process. Until you create other partitions on the system, all objects that you or other users create or manage automatically reside in partition Common.
With respect to permissions, all users on the system except those with a user role of No Access have read access to objects in partition Common. When a user displays a list of a particular type of configuration object, the system displays not only the objects of that type within the user's current partition, but also the same type of object in Common. For example, if a user lists all virtual servers within the user's current partition (such as partition A), the list also shows the virtual servers in Common. In this case, unless the user has write access to Common, the virtual servers in Common are read-only for that user.
Some users, such as those with the user role of Administrator, can also create, update, and delete objects in partition Common. No user can delete partition Common itself.
About the current partition
The current partition is the specific partition to which the system is currently set for a logged-in user.
A user who has been granted access to more than one partition, or to all partitions, can actively select the current partition, that is, the specific partition he or she wants to view or manage. For example:
- If user jsmith has access to multiple partitions on the system, then before creating or managing any object on the BIG-IP® system, she must select the partition that she wants to be the current partition. After setting the current partition, any object that she creates resides in that partition, and she can modify or delete only the objects that reside in that partition until she sets the current partition to a different partition. Also, regardless of the current partition that jsmith selects, she also has read access to objects in partition Common.
- Conversely, if user rjones has access to partition A only, then any object that he creates while logged in to the BIG-IP system resides in partition A. Although he can view objects in partition Common, he cannot select Common as his current partition because he has read access only. For user rjones, partition A is automatically his current partition when he logs in to the system, and he cannot change the current partition to create objects in another partition.
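The two cases above, expressed as a small access model. This is an added example, not F5 code: it assumes a user's partition access is a mapping from partition name to role (with "*" meaning access to all partitions), and, because the page names only the Administrator role as able to change objects in Common, it treats Administrator as the only role with write access there.

```python
COMMON = "Common"
NO_ACCESS = "No Access"
# Assumption for this example: Administrator is the only role treated as
# having write access to partition Common (the page names only that role).
COMMON_WRITE_ROLES = {"Administrator"}


def role_on(roles: dict, partition: str):
    """Role a user holds on a partition; the key "*" grants all partitions."""
    return roles.get(partition) or roles.get("*")


def can_write_common(roles: dict) -> bool:
    return role_on(roles, COMMON) in COMMON_WRITE_ROLES


def selectable_partitions(roles: dict, partitions) -> list:
    """Partitions the user may set as current; Common only with write access."""
    out = []
    for p in partitions:
        role = role_on(roles, p)
        if role is None or role == NO_ACCESS:
            continue
        if p == COMMON and not can_write_common(roles):
            continue
        out.append(p)
    return out


def list_objects(roles: dict, current: str, objects, kind: str) -> list:
    """(path, writable) pairs for one object type with `current` selected:
    the partition's own objects plus Common ones, read-only unless writable."""
    if current not in selectable_partitions(roles, [current]):
        raise PermissionError(f"cannot select partition {current}")
    shown = []
    for obj_kind, name, partition in objects:
        if obj_kind != kind or partition not in (current, COMMON):
            continue
        writable = partition == current or can_write_common(roles)
        shown.append((f"/{partition}/{name}", writable))
    return shown


# Constructed sample objects (kind, name, partition) and users, not from the page.
OBJECTS = [
    ("virtual-server", "vs_app", "A"),
    ("virtual-server", "vs_shared", COMMON),
    ("virtual-server", "vs_other", "B"),
    ("pool", "pool_app", "A"),
]
JSMITH = {"A": "Operator", "B": "Operator"}   # access to several partitions
RJONES = {"A": "Operator"}                    # access to partition A only
ADMIN = {"*": "Administrator"}                # access to all partitions
```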
Setting the current partition
- Access the BIG-IP® Configuration utility.
- Locate the Partition list in the upper right corner of the BIG-IP Configuration utility screen, to the left of the Log out button.
- From the Partition list, select the partition in which you want to create or manage objects.
Object referencing between partitions
Certain BIG-IP® system objects, such as virtual servers, can reference other objects. Examples of objects that a virtual server can reference are pools, profiles, and iRules®. On the BIG-IP system, there are rules for object referencing with respect to the administrative partitions in which those objects reside.
Valid object referencing
The rules for valid object referencing are:
- An object and the object that it references can reside in the same partition.
- An object can reside in a user-created partition, such as partition A, while the object it references resides in partition Common.
- An iRule can reference any object, regardless of the partition in which the referenced object resides. For example, an iRule that resides in partition A can contain a pool statement that specifies a pool residing in partition B. Neither object is required to reside in Common.
Invalid object referencing
Object referencing is restricted in these ways:
- An object cannot reside in partition Common, while the object that it references resides in a different partition. For example, you cannot have a virtual server residing in Common while the pool that the virtual server references resides in partition A.
- An object cannot reside in one user-created partition, while the object that it references resides in another user-created partition. For example, you cannot have a virtual server residing in A while the pool that the virtual server references resides in partition B.
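The valid and invalid referencing rules above, applied to full object paths of the form /partition/name. This is an added example, not F5 code; the referrer kinds ("virtual" for a virtual server, "rule" for an iRule) follow tmsh component naming, and the sample references are constructed.

```python
COMMON = "Common"
IRULE_KIND = "rule"   # tmsh component name for an iRule


def partition_of(path: str) -> str:
    """Partition part of a full object path such as /Common/http_pool."""
    parts = path.strip("/").split("/")
    if len(parts) < 2 or not parts[0]:
        raise ValueError(f"not a full /partition/name path: {path!r}")
    return parts[0]


def reference_is_valid(referrer: str, referrer_kind: str, referenced: str) -> bool:
    """Apply the partition rules to one object reference."""
    if referrer_kind == IRULE_KIND:
        return True                      # iRules may reference any partition
    src, dst = partition_of(referrer), partition_of(referenced)
    if src == dst:
        return True                      # both objects in the same partition
    if dst == COMMON:
        return True                      # user-created partition -> Common
    return False                         # Common -> A, or A -> B, is invalid


def invalid_references(references) -> list:
    """Return the (referrer, kind, referenced) triples that break the rules."""
    return [(ref, kind, target) for ref, kind, target in references
            if not reference_is_valid(ref, kind, target)]


# Constructed sample references: (referrer path, referrer kind, referenced path).
SAMPLE = [
    ("/A/vs_app", "virtual", "/A/pool_app"),           # same partition: ok
    ("/A/vs_app", "virtual", "/Common/http"),          # A -> Common: ok
    ("/A/select_pool", IRULE_KIND, "/B/pool_b"),       # iRule: ok, any partition
    ("/Common/vs_shared", "virtual", "/A/pool_app"),   # Common -> A: invalid
    ("/A/vs_app", "virtual", "/B/pool_b"),             # A -> B: invalid
]
```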