Applies To:
Show VersionsBIG-IQ Centralized Management
- 5.2.0
How do I limit privileges for users based on their role in the company?
F5® BIG-IQ® Centralized Management provides you the tools you need to customize user access to your managed devices, and to BIG-IQ itself, through the use of role-based privileges. These privileges are based on the responsibilities of your users.
This type of role-specific access also provides you insight into your work flows. You can easily see which user interacted with any given service, and what the interaction was. This can help you quickly troubleshoot any introduced conflicts.
You can set up BIG-IQ to authorize users, giving them access only to the specific information, using these methods:
- Local authorization - for this option, BIG-IQ authenticates users.
- External authorization - for this option, you can configure BIG-IQ to use your LDAP or RADIUS server to authenticate users.
Assigning more than one role to a user
The responsibilities and roles each of your users has probably depend on the number of people who have access to BIG-IQ.
For example, if you have only two people managing your devices from BIG-IQ, they both most likely need to have full access to all aspects of BIG-IQ at one time or another. For these users, you'd assign them both the Administrator role.
Assigning more granular/specialized privileges to a user
On the other hand, if you're working for a larger company that has specialized roles to manage different services, or different parts of services, you can provide more granular access. For example, if you have two people who manage BIG-IP devices used only for network security purposes, you could assign them both the role of Network Security Manager. Or, if you have two people managing devices used for network security, but you want only one of them to write and edit policies, and the other to (only) deploy the policies, you could assign the first person the Network Security Editor role, and the other person the Network Security Deploy role. In this case, the Network Security Editor can only create, view, and edit policies, but not deploy them. The Network Security Deploy person can view and deploy policies, but cannot create or edit them.
Standard roles shipped with BIG-IQ
As a system manager, you'll need a way to limit a user's access to certain areas of F5® BIG-IQ® Centralized Management and to its managed devices. The easiest way to do this is to base user access on the responsibilities, or role, the user has in your company. To help you do that, BIG-IQ ships with a set of default roles with certain privileges that you can assign to specific users. Since responsibilities and duties for certain roles are specialized, users assigned to some roles have access to only specific parts of BIG-IQ. These restrictions are outlined in the role description.
Role | This role can: |
---|---|
Administrator | Perform all tasks for setting up and maintaining BIG-IQ and managing devices. This includes discovering devices, adding individual users, assigning roles, installing updates, activating licenses, and so forth. |
ADC Deployer | View and deploy ADC configuration objects for managed ADC devices. |
ADC Editor | Create and edit all ADC configuration objects. |
ADC Manager | Perform all tasks for managing ADC, including creating, viewing, modifying, and deleting Local Traffic and Network objects. |
ADC Viewer | Only view all ADC objects and features. |
Access Auditor | Only view Access configuration objects and managed Access devices. This role cannot edit, discover, or deploy devices or policies. |
Access Deployer | Deploy Access configuration objects. This role cannot discover and edit devices or policies. |
Access Editor | View and edit Access configuration objects, including the ability to add, update, and delete pools and pool members from the Access configuration object editor. This role cannot discover or deploy devices or policies. |
Access Manager | Deploy and edit Access configuration objects, and view the Access Reporting and dashboard. This role cannot add or remove devices and device groups, and cannot discover, import, or delete services. |
Access Viewer | Only view Access configuration objects and discovered Access devices. This role cannot edit, discover, or deploy devices or policies. |
Device Manager | Perform all tasks for device management, including device discovery, licensing, software image management, UCS backups, templates, self IP addresses, VLANs, interfaces, and so forth. |
Device Viewer | Only view aspects of device management including areas involved in device discovery, group creation, licensing, software image management, UCS backups, templates, self IP addresses, VLANs, interfaces, and so forth. |
DNS Viewer | Only view aspects of device management associated with DNS. |
Fraud Protection Manager | Perform all tasks for managing the Fraud Protection Service Fraud Protection Service functionality. |
Fraud Protection View | Only view Fraud Protection Service Fraud Protection Service objects. |
Network Security Deploy | View and deploy Network Security objects. |
Network Security Manager | Perform all tasks associated with Network Security, including areas involved in creating, viewing, modifying, and deleting shared and firewall-specific security objects. This role does not have access to the global search functionality. |
Network Security Edit | Create, view, modify, and delete Network Security objects. This role does not have access to the global search functionality. |
Network Security View | Only view Network Security firewall objects. This role cannot edit, discover, or deploy devices or policies. This role does not have access to the global search functionality. |
Security Manager | Perform all tasks associated with Network Security, Web Application Security, and Fraud Protection Service, including areas involved in device discovery, creating, viewing, modifying, and deleting Web Application Security, shared and firewall-specific security objects. |
Trust Discovery Import | Manage device trust establishment, service discovery, service import, removal of services and removal of trust. This role does not have access to the global search functionality. |
Web App Security Deployer | View and deploy ASM configuration objects for managed ASM devices. |
Web App Security Editor | Create, view, modify, and delete ASM configuration objects. |
Web App Security Manager | View and edit all aspects of Web Application Security, including areas involved in creating, viewing, modifying, and deleting shared and web application-specific security objects. |
Web App Security Viewer | Only view ASM configuration objects. |
Add a user and assign them a role
Synchronize new users and user groups with secondary BIG-IQ
Adding a new Pool Member Operator or Virtual Server Operator role
In addition to the standard roles that ship with BIG-IQ®, there are some roles specific only to ADC and device management that you can add to your available options. These roles are:
- Pool Member Operator - This role has access to enable, disable, or force offline pool members on pools to which the administrator has granted them access.
- Virtual Server Operator - This role has access to enable or disable virtual servers to which the administrator has assigned them access.
- At the top of the screen, click System.
- On the left, click .
- Click the Add button.
- In the Name field, type a name to identify this new role.
- From the Role Type list, select the kind of role you want to add.
- From the Active Users and Groups list, select the user or group you want to associate with this new role.
- Click the + sign if you want this role to have access to another user or group, and select the device group from the list.
- Click the Save & Close button at the bottom of the screen.
Change your BIG-IQ user password
- At the top of the screen, click System.
- On the left, click .
- Click your user name.
- In the Old Password field, type the password.
- In the Password and Confirm Password fields, type a new password.
- Click the Save & Close button at the bottom of the screen.
Remove a BIG-IQ user from a role
Use my LDAP server to authenticate BIG-IQ users
F5® BIG-IQ® Centralized Management can verify user credentials against your company's LDAP server (LDAP server versions 2 and 3, and OpenLDAP directory, Apache Directory Server, and Active Directory). After you set up BIG-IQ to use your LDAP server, you can add users and user groups that authenticated by your LDAP server.
Before integrating BIG-IQ with your LDAP server for authentication
Before integrating LDAP authentication with the F5® BIG-IQ® Centralized Management system, you must complete these tasks.
Task | Notes | For my LDAP server |
---|---|---|
Use an LDAP browser to review the groups and users in your directory's structure and determine where they are located in the organizational units (OUs). Then, decide how you want to map those names. | There are two ways you can do this. The first option is to map users directly to their Distinguished Name (DN) in the directory with a user bind template in the form of uid=<username>, ou=people, o=sevenSeas. For example, you'd map John Smith's user name to his DN as uid=<jsmith>, ou=people, o=sevenSeas and he would log in as jsmith and would be correctly authenticated with his user name in the directory through his DN. | |
The second option is to allow users to log in with names that do not map directly to their DN by specifying a userSearchFilter in the form of (&(uid=%s)) when creating the provider. For example, if John Smith's DN is cn=John Smith,ou=people,o=sevenSeas, but you would like him to be able to log in with jsmith, specify a userSearchFilter in the form of (&(jsmith=%s)). If your directory does not allow anonymous binds, you must also specify a bindUser and bindPassword so that the BIG-IQ system can validate the user's credentials. | ||
Decide which groups in your directory to map with BIG-IQ groups. | If you configured a bindUser and bindPassword for users, the BIG-IQ system displays a list of groups from which to choose. | |
If you haven't configured this for your users, you must know the DN for each group. | ||
Find out the DN where you can for all users and groups. | This is the root bind DN for your directory, defined as rootDN, when you create a provider. The BIG-IQ system uses the root bind DN as a starting point when it searches for users and groups. | |
Find the host IP address for the LDAP server. | The default port is 389, if not specified otherwise. |
Set up BIG-IQ to use your LDAP server for user authentication
You can configure BIG-IQ to use one or more of your company's LDAP server(s) to authenticate users.
Use my RADIUS server to authenticate and authorize BIG-IQ users
F5® BIG-IQ® Centralized Management can verify user credentials against your company's RADIUS server. After you set up BIG-IQ to use your RADIUS server, you can add users and user groups authorized by that server.
Before integrating BIG-IQ with your RADIUS server for authentication and authorization
Before integrating RADIUS authentication and authorization with BIG-IQ® Centralized Management, you must collect the following information from your RADIUS server.
Required Information | This is | For my RADIUS server |
---|---|---|
Name | The name of your RADIUS server. | |
Host | The IP address or host name of your RADIUS server. | |
Port | The port number of your RADIUS server. | |
Secret | The case-sensitive text string used to validate communication. | |
Test user name and password | A user name and password, authenticated on your RADIUS server. | |
Key and Value properties for your RADIUS server | The RADIUS server uses this for authentication and encryption. |
Set up BIG-IQ to use my RADIUS server for user authentication
You can set up BIG-IQ to use your company's RADIUS server. You can add two additional backup RADIUS servers in case the primary server is not available for authentication.
Pre-defined RADIUS groups for authentication
Some RADIUS deployments include non-standard, vendor-specific attributes in the dictionary files. For these deployments, you must update the BIG-IQ system's default dictionary. Follow these steps if you want to use pre-defined RADIUS user groups on BIG-IQ.
- Copy the TinyRadius .jar file from the BIG-IQ system.
- Extract the contents of the TinyRadius .jar file.
- Update the file org/tinyradius/dictionary/default_dictionary file, by adding the vendor-specific attributes.
- Repack the contents into a new .jar file.
- Replace the old TinyRadius .jar on each BIG-IQ system with the new TinyRadius .jar file you created in step 4.
For example:
Create a user group authorized by your RADIUS server
Create a user group to offer individual users the same privileges on F5® BIG-IQ® Centralized Management. This user group will be authorized by your RADIUS server.