F5 Logo MyF5
Search
  1. MyF5 Home
  2. Knowledge Centers
  3. BIG-IQ Centralized Management
  4. F5 BIG-IQ Centralized Management: Authentication, Roles, and User Management
  5. Limit a users access to BIG-IP devices based on a their role
Manual Chapter : Limit a users access to BIG-IP devices based on a their role

Applies To:

Show Versions Show Versions

BIG-IQ Centralized Management

  • 5.4.0
Manual Chapter
Table of Contents | << Previous Chapter | Next Chapter >>

BIG-IQ® Centralized Management gives you the tools you need to customize user access to managed devices by letting you assign role-based access based on job responsibilities. When you associate a role with a user (or a group of users), they have access only to the areas within BIG-IQ that you explicitly grant.

Assigning more than one role to a user

The responsibilities and roles each of your users has probably depends on the number of people who have access to BIG-IQ.

For example, if you have only two people managing your devices from BIG-IQ, they both most likely need to have full access to all aspects of BIG-IQ at one time or another. For these users, you'd assign them both the Administrator role.

Assigning more granular/specialized privileges to a user

On the other hand, if you're working for a larger company that has specialized roles to manage different services, or different parts of services, you can provide more granular access.

For example, if you have two people who manage BIG-IP devices used only for network security purposes, you could assign them both the role of Network Security Manager. Or, if you have two people managing devices used for network security, but you want only one of them to write and edit policies, and the other to (only) deploy the policies, you could assign the first person the Network Security Editor role, and the other person the Network Security Deployer role. In this case, the person with the Network Security Editor role can only create, view, and edit policies, but not deploy them. The person assigned to the Network Security Deployer can view and deploy policies, but cannot create or edit them.

About built-in and custom roles

You can assign role-based user access one of two ways:

  • Built-in user roles - BIG-IQ ships with several built-in user roles that correlate to common job responsibilities. This makes it easy for you to quickly assign users with permissions to access the BIG-IP objects they need to do their job.
  • Custom user roles - allow you to grant access to users at a granular level in a way that fits your business needs. You can provide specific permissions to as many BIG-IP objects as needed, even across multiple services.

Built-in roles/role types shipped with BIG-IQ

As a system manager, you'll need a way to limit a user's access to certain areas of F5® BIG-IQ® Centralized Management and to its managed devices. The easiest way to do this is to base user access on the responsibilities, or role, the user has in your company. To help you do that, BIG-IQ ships with a set of built-in roles (associated with a role type) with certain privileges that you can assign to specific users. Since responsibilities and duties for certain roles are specialized, users assigned to some roles have access to only specific parts of BIG-IQ. These restrictions are outlined in the role description.

Role This role can:
Administrator Perform all tasks for setting up and maintaining BIG-IQ and managing devices. This includes discovering devices, adding individual users, assigning roles, installing updates, activating licenses, and so forth.
Access Auditor Only view Access configuration objects and managed Access devices. This role cannot edit, discover, or deploy devices or policies.
Access Deployer Deploy Access configuration objects. This role cannot discover and edit devices or policies.
Access Editor View and edit Access configuration objects, including the ability to add, update, and delete pools and pool members from the Access configuration object editor. This role cannot discover or deploy devices or policies.
Access Manager Deploy and edit Access configuration objects, and view the Access Reporting and dashboard. This role cannot add or remove devices and device groups, and cannot discover, import, or delete services.
Access Viewer Only view Access configuration objects and discovered Access devices. This role cannot edit, discover, or deploy devices or policies.
Application Editor View Local Traffic & Network objects and create, view, and modify applications via Service Catalog templates.
Device Manager Perform all tasks for device management, including device discovery, licensing, software image management, and UCS backups.
Device Viewer Only view aspects of device management including device discovery, licensing, software image management, and UCS backups.
DNS Viewer Only view aspects of device management associated with DNS.
Fraud Protection Manager Perform all tasks for managing the Fraud Protection Service functionality.
Fraud Protection Viewer Only view Fraud Protection Service objects.
License Manager Perform all tasks related to BIG-IP licensing.
Local Traffic & Network Deployer View and deploy Local Traffic & Network configuration objects for managed Local Traffic & Network devices.
Local Traffic & Network Editor Create, view, modify, and delete Local Traffic & Network configuration objects.
Local Traffic & Network Manager Perform all tasks for managing Local Traffic & Network, including creating, viewing, modifying, and deleting Local Traffic & Network objects.
Local Traffic & Network Viewer Only view Local Traffic & Network objects.
Network Security Deployer View and deploy Network Security objects.
Network Security Editor Create, view, modify, and delete Network Security objects.
Network Security Manager Perform all tasks associated with Network Security, including areas involved in creating, viewing, modifying, and deleting shared and firewall-specific security objects.
Network Security Viewer Only view Network Security firewall objects. This role cannot edit, discover, or deploy devices or policies.
Pool Member Operator Enable, disable, or force offline pool members for all pools. To limit access to select pools, create a custom resource group and role based on the Pool Member Operator type.
Security Manager Perform all tasks associated with Network Security, Web Application Security, and Fraud Protection Service, including areas involved in device discovery, creating, viewing, modifying, and deleting Web Application Security, shared and firewall-specific security objects.
Service Catalog Editor View Local Traffic & Network objects and create, view, modify, and delete Service Catalog templates.
Service Catalog Viewer Only view Local Traffic & Network objects and Service Catalog templates.
Trust Discovery Import Manage device trust establishment, service discovery, service import, removal of services and removal of trust.
Virtual Server Operator Enable or disable all virtual servers. To limit access to select virtual servers, create a custom resource and role based on the Virtual Server Operator role type.
Web App Security Deployer View and deploy Web Application Security and shared security configuration objects for Web Application Security devices.
Web App Security Editor Create, view, modify, and delete Web Application Security and shared security configuration objects.
Web App Security Manager Create, view, modify, delete and deploy Web Application Security and shared security configuration objects.
Web App Security Viewer Only view Web Application Security and shared security configuration objects.

Add a user and assign them a built-in role

If you want to authentication users with an LDAP, RADIUS, or TACAS+ server, you must first configure that before adding a user.
Once you understand exactly who you want to perform certain tasks, you can provide them access to particular areas of F5® BIG-IQ® Centralized Management by adding them as a user and assigning the appropriate standardized role. You can assign as many roles as required to cover the user's responsibilities.
Important: Since some roles have access only to certain areas or screens in the BIG-IQ user interface, it's important to communicate that to the user. When you assign a role to a user, be sure you outline the responsibilities and restrictions for their role. Clarifying this helps avoid any potential confusion. Also note,these roles do not have access to the global search functionality: Network Security Manager, Network Security Edit, Network Security View, and Trust Discovery Import.
  1. At the top of the screen, click System.
  2. On the left, click USER MANAGEMENT > Users .
  3. Click the Add button.
  4. From the Auth Provider list, select the authentication method you want to use for this user.
    Important: A user must belong to a group or have an assigned role, or authentication will fail.
  5. In the User Name field, type the user name for this new user.
  6. In the Full Name field, type a name to identify this user.
    The full name can contain a combination of symbols, letters, numbers and spaces.
  7. In the Password and Confirm Password fields, type the password for this new locally-authenticated user.
    You can change the password any time.
  8. To associate this user with an existing user group, select the group from the User Groups list.
    You aren't required to associate a user group at this point; you can do that later if you want. If you want to associate another user group with this user, click +.
  9. From the Available list, select each user role you want to associate it with this user, and move it to the Selected list.
    Important: Be sure to let your users know that their access to certain parts of the BIG-IQ user interface depends on which role they are assigned.
  10. Click the Save & Close button at the bottom of the screen.
This user now has the privileges associated with the role(s) you selected and BIG-IQ will authenticate this user locally
You can now tell this user how their BIG-IQ access aligns with their responsibilities. Make sure they understand they might not see every screen you or one of their peers does. Also let them know that if they try to log in more than 5 times in 5 minutes with the wrong user name and/or password, they might get the following error: Maximum number of login attempts exceeded. If that happens, the user must wait 5 minutes before trying to log back in.
Note: If your BIG-IQ is in an HA pair, you must synchronize this change by refreshing the secondary BIG-IQ.

Custom roles based on job responsibilities

Here is an overview of the different concepts you need to understand when creating custom roles based on job responsibilities.

BIG-IQ® Centralized Management makes it easy for you to give users specific permissions for access only to those BIG-IP® objects they need to do their job. Role-based access allows you to create a custom role with specific privileges to view or edit only those BIG-IP objects (resources) you explicitly assign to the role.

There are several built-in roles shipped with BIG-IQ, but there might be a reason you want to give a person permissions to interact only in a clearly defined way with specific resources. To do that, you need to add each of the following to BIG-IQ:

  1. Custom role type - Select a one or more services and define a set of permissions (read, add, edit, delete) for interacting with the objects associated with selected services.
  2. Custom resource group - Select the specific type of resources you want to provide a user access to—for example, BIG-IP virtual servers.
  3. Custom role - Associate this custom role with the custom role type and resource group you created, to combine the permissions you specified in the custom role type with the resources you defined for the custom resource group.
  4. Custom user - Associate this user with the custom role you created to provide that person access and permissions to the resources you specified.

Create a custom role type to give permissions to BIG-IP object types

Creating a custom role type is the first step to providing custom role-based access to users.
  1. At the top of the screen, click System.
  2. On the left, click ROLE MANAGEMENT > Custom Role Types .
  3. Near the top of the screen, click the Add button.
  4. In the Name field, type a name to identify this new role type.
    A description is optional.
  5. From the Services list, select each service you want to associate with this role type, then scroll through the Object Type list and select the check box next to each object type you want to provide access to.
    Important: As you know, interactions and relationships between resource objects in your network can be complex. Because of that, it's best to leave all of these object types selected. This ensures you don't unintentionally limit this role type's ability to manage all of the objects they need to, for them to do their job.
  6. After you've finished adding objects types, for each object type, select the check box beneath the permissions you want to grant for this role type.
  7. Click the Save & Close button at the bottom of the screen.

Create a resource group and associate it with a role type

Create a resource group with all of the BIG-IP objects you want to provide access to, and assign a role type to it.
  1. At the top of the screen, click System.
  2. On the left, click ROLE MANAGEMENT > Custom Resource Groups .
  3. Near the top of the screen, click the Add button.
  4. In the Name field, type a name to identify this group of resources.
  5. From the Role Type list, select the role type you want to provide access to for this group of resources.
  6. From the Select Service list, select the service(s) you want to provide access to for this group of resources.
  7. From the Object Type list, select the type of object you want to add to this group of resources.
  8. For the Source setting:
    • Selected Instances - Select this option to put only the source objects you selected into this resource group. If you select this option, the associated role will not have access to any new objects of the same type added in the future unless you explicitly add it to this resource group.
    • Any Instance - Select this option if you want the associated role to have any instance of the specified object type, including future instances (newly configured objects of this type).
  9. Select the check box next to the name of each object you want to add to this group of resources, and click the Add Selected button.
  10. Click the Save & Close button.
Now you can associate this role type and resource group to a role.

Add new custom role

In addition to the built-in roles that ship with BIG-IQ, you can create a custom role with specific privileges to particular areas of BIG-IQ and BIG-IP devices.

  1. At the top of the screen, click System.
  2. On the left, click ROLE MANAGEMENT > Roles .
  3. Click the Add button.
  4. In the Name field, type a name to identify this new role.
  5. From the Role Type list, select the kind of role you want to add.

    You might have to resize the bottom half of the screen to see all of the following options.

  6. For the Role Mode setting, select an option.
    • Relaxed Mode – If you select this option, the role can view and manage all objects you've given explicit permission to, and it can see (but won't be able to manage) related objects for associated services.
    • Strict Mode – If you select this option, this role can view and manage only the specific objects you’ve given explicit permission to.
    Tip: It's a good idea to leave this in Relaxed Mode so you don't unintentionally limit an associated user's ability to see related objects.
  7. To view the type of user access granted for the resource groups associated with this role, click the View Permissions button.
  8. Click the Save & Close button at the bottom of the screen.

Add a user to a custom role

Add a user to a custom role to give them specific permissions to a resource group.
  1. On the left, click USER MANAGEMENT > Users .
  2. Click the Add button.
  3. From the Auth Provider list, select the authentication method you want to use for this user.
    Important: A user must belong to a group or have an assigned role, or authentication will fail.
  4. In the User Name field, type the user name for this new user.
  5. In the Full Name field, type a name to identify this user.
    The full name can contain a combination of symbols, letters, numbers and spaces.
  6. In the Password and Confirm Password fields, type the password for this new locally-authenticated user.
    You can change the password any time.
  7. To associate this user with an existing user group, select the group from the User Groups list.
    You aren't required to associate a user group at this point; you can do that later if you want. If you want to associate another user group with this user, click +.
  8. From the Available list, select each user role you want to associate it with this user, and move it to the Selected list.
    Important: Be sure to let your users know that their access to certain parts of the BIG-IQ user interface depends on which role they are assigned.
  9. Click the Close button.
These users now have the privileges associated with the role(s) you selected.
Table of Contents | << Previous Chapter | Next Chapter >>
Contact Support Contact Support

Have a Question?

Support and Sales >

About F5

Education

F5 Sites

Support Tasks




©2023 F5 Networks, Inc. All rights reserved.


Trademarks Policies Privacy California Privacy Do Not Sell My Personal Information