Manual Chapter : Managing User Roles and User Accounts

Applies To:

Enterprise Manager

  • 3.1.1

About authentication and permissions for Enterprise Manager user roles

A user role specifies the type of management tasks that an Enterprise Manager user can perform on managed devices in your network. Permissions for user roles are classified as either non-restricted or restricted. The user roles are defined as:

Administrator
This (non-restricted) role can perform all management functions available to Enterprise Manager, including managing other user accounts and roles.
Operator and Application Editor
By default, these (restricted) roles perform fewer management tasks than the Administrator. You can customize each role by specifying the tasks that the role is allowed to perform.

Users are authenticated through Enterprise Manager's local database.

User role permissions and management tasks

There are eight types of permissions that you can specify for each restricted user role. You can assign any of these management task permissions to the Operator and Application Editor user roles.

Permission | Management task
Manage Device Configuration Archives | Create and manage UCS archives for all managed devices
Browse Device Configurations | View configurations from the Enterprise Manager configuration browser
Compare Device Configuration Archives | Compare UCS configuration files between two devices
Stage Changesets for Deployment from Published Templates | Create a new staged changeset from a published template
Deploy Staged Changesets | Deploy a staged changeset created by a user
Administer Device Lists | Manage device list members
Synchronize Device Configuration with Peer | Synchronize peer device configurations
Failover Devices | Initiate a failover to a peer managed device

Adding new users to perform management tasks on Enterprise Manager

All users and their privileges are displayed on the User list screen.

Important: When you add users, you must use the same administrator-level user name that you currently use for managing BIG-IP devices in your network. This ensures that you can successfully manage devices as soon as Enterprise Manager discovers them and adds them to the Device List screen.
  1. In the navigation pane, click System > Users. The Users list screen opens.
  2. Click the Create button. The New User screen opens.
  3. In the User Name field, type the administrative-level user name that you are currently using to manage the BIG-IP devices in your network.
  4. In the New and Confirm fields, type the password for the user.
  5. From the Role list, select one of the following roles.
    Option | Description
    Administrator | Grants user complete access to all objects on the system and permission to perform configuration synchronization for a BIG-IP device service clustering configuration.
    Operator | Grants user permission to enable or disable existing nodes and pool members.
    Application Editor | Grants user permission to modify existing nodes, pools, pool members, and monitors.
    If you select another user role, managed devices cannot authorize the user to perform management tasks, and the user cannot initiate tasks using the Enterprise Manager system.
  6. From the Partition Access list, select an option to specify which administrative partitions the new user can access.
  7. From the Terminal Access list, select Enabled to allow the user command-line access to Enterprise Manager.
  8. Click the Repeat button to add another user, or click the Finished button to return to the User list screen.

Changing source for authenticating users

By default, Enterprise Manager uses a local database to authenticate users, but you can choose to use a remote LDAP, Active Directory, RADIUS, or TACACS+ authentication source.
  1. In the navigation pane, click System > Users. The Users list screen opens.
  2. On the menu bar, click Authentication. The Authentication screen opens.
  3. Click the Change button.
  4. From the User Directory list, select an option. The screen refreshes to display options specific to the authentication source you selected.
  5. Specify the configuration settings for the remote authentication server. Refer to the online help for information specific to each authentication setting.
  6. Click the Finished button to save your changes.

Customizing user role permissions

When you complete the initial setup tasks for Enterprise Manager, you specify a default administrator-level user account that permits you to configure and start working with the system through the web interface. You can use this procedure to customize permissions for users, defining which user role (Operator or Application Editor) can perform specific device management tasks.
  1. On the Main tab, click Enterprise Management > Access Control > Role Permissions.
  2. For each restricted user role, select or clear the check box next to the permission you want to modify.
  3. Click Apply to save your changes.

About user accounts for managed devices

Managed BIG-IP systems contain accounts that specify the authorization (level of access) for users. When you configure user account information on a BIG-IP system, you set parameters such as user names and passwords, shell access information, web interface and root access privileges, and an authentication source. You can use Enterprise Manager to view and copy account parameters from managed devices to other managed devices, as well as to modify passwords.

Viewing user accounts for managed devices

You must first discover a device before Enterprise Manager displays its user account information.
Using Enterprise Manager, you can view all managed device users and their access privileges from one central location. This eliminates the need to log on to each individual managed device for user account information.
  1. On the Main tab, click Enterprise Management > Access Control > User List.
  2. To search for a specific user, in the Search field, type all or part of the name and click Search.
  3. Click the name of a user to view the devices to which this user has access privileges.

    The screen displays the devices associated with the selected user.

Replicating user account information for managed devices

Once you configure a user account on a BIG-IP system, and Enterprise Manager has discovered that device, you can copy that configuration to other managed devices.
With the Copy User Access Configuration wizard, you can distribute a common user account configuration, or specific elements of configuration data, simultaneously to multiple devices.
  1. On the Main tab, click Enterprise Management > Tasks.
  2. Click the New Task button.
  3. For the User Access setting, select Copy User Access Configuration.
  4. Click Next.
  5. From the Source Device list, select the device from which you want to replicate user account information.
  6. For the Configuration Data setting, select the type of configuration data you want to replicate from the source device.
    • Users
    • Shell Access
    • Authentication
  7. From the Device List, you can select a group of devices to narrow the number of devices displayed.
  8. Select the check box next to each compatible device to which you want to copy the source device's configuration.
  9. Click the Next button.
  10. From the Device Users list, select an option.
    Option | Description
    Add users not already present on device | Adds user accounts to the destination device instead of replacing the users with those on the source device.
    Replace users on device | Deletes all user accounts on the destination device and replaces them with the user accounts from the source device.
  11. From the Device Error Behavior list, select the action you want Enterprise Manager to take in the event that the task fails on one of the devices.
    • Continue task on remaining devices
    • Cancel task on remaining devices
  12. Click Next. The Task Review screen opens, and you can confirm the task details.
  13. Click the Start Task button. The Task Properties page displays the progress for the task.
Enterprise Manager copies the configuration from the source device to the selected target devices.
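
A pre-flight preview of the two Device Users options in step 10, as an added example (not F5 code and not an Enterprise Manager API). It models the options only as the table describes them and reports, per destination, which accounts would be added, removed or given a different role, and whether the administrator-level user name used to manage the device would still exist afterwards. The helper names `preview_copy` and `preflight`, the management user `emadmin`, and all device and account data are assumptions constructed for illustration; how the product treats built-in accounts is not covered by this chapter.

```python
# Added example: models the two "Device Users" options as the table describes them.
# All device names, user names and roles are constructed sample data.
ADD_MISSING = "Add users not already present on device"
REPLACE = "Replace users on device"

SOURCE = {"admin": "Administrator", "ops1": "Operator", "appedit": "Application Editor"}
DESTINATIONS = {
    "bigip-a": {"admin": "Administrator", "emadmin": "Administrator",
                "ops1": "Application Editor"},
    "bigip-b": {"emadmin": "Administrator"},
}


def preview_copy(source, dest, mode):
    """Return (accounts after the task, change report) for one destination.

    source and dest map user name -> role.
    """
    added = sorted(set(source) - set(dest))
    if mode == ADD_MISSING:
        # Existing destination accounts are kept untouched; only missing ones are added.
        result = {**dest, **{name: source[name] for name in added}}
        removed, role_changed = [], {}
    elif mode == REPLACE:
        # Every destination account is deleted, then the source accounts are written.
        result = dict(source)
        removed = sorted(set(dest) - set(source))
        role_changed = {n: (dest[n], source[n])
                        for n in sorted(set(source) & set(dest)) if dest[n] != source[n]}
    else:
        raise ValueError(f"unknown Device Users option: {mode!r}")
    return result, {"added": added, "removed": removed, "role_changed": role_changed}


def preflight(source, destinations, mode, mgmt_user):
    """Preview every destination and record whether mgmt_user survives the task."""
    findings = {}
    for device, accounts in destinations.items():
        result, report = preview_copy(source, accounts, mode)
        report["mgmt_user_kept"] = mgmt_user in result
        findings[device] = report
    return findings


if __name__ == "__main__":
    for mode in (ADD_MISSING, REPLACE):
        print(mode)
        for device, report in preflight(SOURCE, DESTINATIONS, mode, "emadmin").items():
            print(f"  {device}: {report}")
```

With the sample data, the replace option removes `emadmin` from both destinations, while the add option leaves every existing account and role in place.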

Changing user passwords for managed devices

Enterprise Manager increases the efficiency of managing user passwords by centralizing the password change process for your devices. This saves you time, while ensuring that when you change a password, the new password is the same for each selected device.
  1. On the Main tab, click Enterprise Management > Tasks.
  2. Click the New Task button.
  3. For the User Access setting, select Change User Password.
  4. Click Next.
  5. From the User Name list, select the user for which you want to change the password.
  6. From the Device List, you can select a group of devices to narrow the number of devices displayed.
  7. Select the check box next to each device for which you want to change the password.
  8. In the Password field, type a new password.
  9. In the Confirm field, re-type the password.
  10. Click Next.
  11. From the Device Error Behavior list, select the action you want Enterprise Manager to take in the event that the task fails on one of the devices.
    • Continue task on remaining devices
    • Cancel task on remaining devices
  12. Click Next.
  13. Click the Start Task button. The Task Properties page displays the progress for the task.
The new password you specified is now associated with the selected user.