Manual Chapter: Configuring Administrative Partitions to Control User Access
The BIG-IP® system includes a powerful authorization feature known as administrative partitions. Using the administrative partitions feature, you ensure that the BIG-IP system grants administrative users exactly the right type and amount of access to BIG-IP system resources. As a result, you can tailor user access to resources to fit the needs of your organization exactly.
Partitions
Partitions represent containers for BIG-IP system objects. You can use partitions to limit user access to certain objects. For more information on partitions, see the TMOS™ Management Guide for BIG-IP Systems.
User accounts
User accounts grant administrative access to the BIG-IP system. The properties that you set on a user account determine that user's permissions for administering BIG-IP system resources. For more information on user accounts, see the TMOS™ Management Guide for BIG-IP Systems.
User roles
One of the properties that you set on a user account is the user role. A user role determines that user's permissions, that is, the specific objects that the user can access and the tasks that the user can perform. The user roles that you can assign to a user account are: Administrator, Resource Administrator, User Manager, Manager, Application Editor, Application Security Policy Editor, Operator, or Guest. You can also specify that a user account has no access to system resources. For descriptions of these user roles, see the TMOS™ Management Guide for BIG-IP Systems.
BIG-IP system objects
BIG-IP system objects are the entities that you can manage on the BIG-IP system. Examples of objects that you can place into partitions are pools, virtual servers, and profiles. When objects reside in partitions, you can control the type and amount of administrative user access to those objects. Most local traffic objects, as well as user accounts, can reside in partitions. For descriptions of local traffic objects, see the Configuration Guide for BIG-IP® Local Traffic Manager.
By combining all of these components, you can finely tune administrative access to many of your BIG-IP system resources. This chapter describes the procedure for configuring the administrative partitions feature on the BIG-IP system.
When you first install the BIG-IP system, a default partition exists, known as partition Common. Partition Common contains certain objects that the system automatically creates during installation, such as the admin user account, the default profiles, and the pre-configured health and performance monitors.
Some types of BIG-IP system objects reside in partitions, while others do not. In general, most local-traffic objects reside in partitions. Network objects, such as self IP addresses, VLANs, interfaces, and so on, cannot reside in partitions.
At a minimum, most BIG-IP system user accounts have Read access to objects in partition Common, regardless of their user roles. User accounts that have the Administrator and Resource Administrator roles assigned to them not only can view the objects in Common, but also can create, modify, and delete objects in that partition.
While managing partition Common is useful as a starting point for controlling user access to BIG-IP system objects, creating other partitions offers a much finer degree of access control for administrative users.
The first step in giving a user the authority to manage objects in a specific partition is to create the partition. Once you have created the partition, you choose the user that you want to manage the objects in the new partition. Finally, you modify the properties of that user's account to assign both the appropriate user role and the partition that you want to authorize the user to manage. Once you have granted the user authority to manage the partition, the user can then manage objects within that partition in certain ways, such as creating HTTP virtual servers and profiles.
Important: To create a partition, you must have the Administrator or Resource Administrator user role assigned to your user account. For the admin account, the BIG-IP system automatically assigns the Administrator role.
1. On the main tab of the navigation pane, expand System, and click Users.
The Users screen opens.
2. On the menu bar, click Partitions List.
This displays the list of partitions that you are allowed to view.
4. In the Name box, type a unique name for the partition, such as partition_App1.
5. In the Description box, type a description of the partition, for example, This partition contains objects for managing traffic for the App1 application.
6. Click Create.
The next step, after you create the partition, is to assign a user role to a user account and give that user authority to manage the new partition. The level of authority that the user has is determined by the user role you assign to the user account. For example:
If you assign a user role of Manager to the user account, the user can perform all tasks related to the objects (except user account objects) in the relevant partition, such as creating, modifying, or deleting those objects.
If you assign a user role of Operator to the account, the user is restricted to enabling and disabling the nodes and pool members that reside in the assigned partition.
If you assign a user role of Guest to the account, the user can only view the objects in the partition. The user cannot create, modify, or delete any objects in the assigned partition.
You can configure user access to a partition either when you first create the user account or when you modify the user account properties. The following procedure shows how to configure partition access to an existing user account.
Note: This procedure pertains to local user accounts only. For information on configuring partition access for remote user accounts, see the TMOS™ Management Guide for BIG-IP® Systems.
1. On the Main tab of the navigation pane, expand System, and click Users.
The User List screen opens.
2. In the Name column, click the user account name.
The properties screen for that user account opens.
3. To grant an access level other than No Access, use the Role setting and select a user role.
4. From the Partition Access list, select a partition name.
You can select a single partition name, or All.
Note: For user accounts to which you assign the Administrator role, this value is automatically set to All.
5. Click Finished.
It is important to understand what happens when an administrative user logs into the BIG-IP system and attempts to view, manage, or create BIG-IP system objects.
Once you have assigned user roles and partitions to user accounts, the users see only those objects on the BIG-IP system to which they have been granted access. They can view only those objects, and no others.
For example, suppose user Jane Smith logs into the system with her user account (jsmith), and she has the role of Manager and is authorized to manage partition A. In this case, she sees and can manage all objects contained in partition A (excluding user account objects), and she can see objects in partition Common. She has no access to other objects on the system.
For example, if she uses the Configuration utility to view a list of virtual servers on the system, she sees and can manage virtual servers contained in partition A, and she can see any virtual servers in partition Common (if any).
Similarly, if she views the list of pools, she sees and can manage those pools contained in partition A, and she can see any pools in partition Common (if any), and so on. She has no access (either Read or Write access) to objects in other partitions.
By contrast, a user with a role such as Administrator can see and manage all objects on the system, regardless of the partition in which the objects reside. Users with this type of role can also actively select a specific partition to view and manage.
When a BIG-IP system user has a user role that grants the authority to create objects on the BIG-IP system in a specific partition, the object that the user creates automatically resides in the partition that the user is authorized to manage.
For example, suppose that Barry Jones has the user account bjones, and this user account is authorized to manage partition B. When Barry logs into the BIG-IP system using the bjones account, any object that he creates automatically resides in partition B.
Conversely, if a user with a role that does not allow object creation (such as the Operator role) is logged into the system, no Create buttons appear on the Configuration utility screens.
If the logged-in user has universal access (such as a user with the Administrator role), the user can actively select the partition in which to view, manage, or create a BIG-IP system object.
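To make the access rules described above concrete (the role descriptions for Manager, Operator, and Guest, and the visibility and object-placement behaviour illustrated with the jsmith and bjones accounts), here is an added Python model of partition-scoped authorization. It is not F5 code and does not run on a BIG-IP; partitions A and B, the user names, and the sample objects are constructed, and only the roles this chapter describes (Administrator, Manager, Operator, Guest, No Access) are modelled. What a Manager whose Partition Access is All may create is not stated in the chapter and is marked as an assumption in the code.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Iterable, List, Optional

COMMON = "Common"


class Role(Enum):
    NO_ACCESS = "No Access"
    GUEST = "Guest"
    OPERATOR = "Operator"
    MANAGER = "Manager"
    ADMINISTRATOR = "Administrator"


@dataclass(frozen=True)
class BigIpObject:
    name: str
    kind: str        # e.g. "virtual", "pool", "node", "member", "profile", "user"
    partition: str


@dataclass
class UserAccount:
    name: str
    role: Role
    partition_access: str   # a partition name, or "All"

    def __post_init__(self) -> None:
        # The chapter states that Administrator accounts are always set to All.
        if self.role is Role.ADMINISTRATOR:
            self.partition_access = "All"


def visible_objects(user: UserAccount, objects: Iterable[BigIpObject]) -> List[BigIpObject]:
    """Objects the user can at least view: everything with All access,
    otherwise only the assigned partition plus partition Common."""
    if user.role is Role.NO_ACCESS:
        return []
    if user.partition_access == "All":
        return list(objects)
    return [o for o in objects if o.partition in (user.partition_access, COMMON)]


def can_perform(user: UserAccount, obj: BigIpObject, action: str) -> bool:
    """Write-type actions on an existing object: modify, delete, enable, disable."""
    if not visible_objects(user, [obj]):
        return False                      # no Read access implies no Write access
    if user.role is Role.ADMINISTRATOR:
        return True
    if obj.partition == COMMON:
        return False                      # non-administrators only read Common
    if user.role is Role.MANAGER:
        return obj.kind != "user"         # Manager excludes user account objects
    if user.role is Role.OPERATOR:
        return action in ("enable", "disable") and obj.kind in ("node", "member")
    return False                          # Guest: view only


def create_object(user: UserAccount, name: str, kind: str,
                  partition: Optional[str] = None) -> BigIpObject:
    """A new object lands in the creator's assigned partition; only a user with
    universal access chooses where it goes. Roles that get no Create button
    (Operator, Guest, No Access) raise PermissionError here."""
    if user.role is Role.ADMINISTRATOR:
        return BigIpObject(name, kind, partition or COMMON)
    if user.role is Role.MANAGER and kind != "user":
        if user.partition_access != "All":
            return BigIpObject(name, kind, user.partition_access)
        # Assumption (not stated in the chapter): a Manager with All access may
        # create in any named partition except Common, which stays read-only.
        if partition and partition != COMMON:
            return BigIpObject(name, kind, partition)
    raise PermissionError(f"{user.name} ({user.role.value}) cannot create {kind} objects")


def sample_objects() -> List[BigIpObject]:
    """Constructed inventory for the demonstration (not taken from the chapter)."""
    return [
        BigIpObject("http", "profile", COMMON),
        BigIpObject("vs_app1", "virtual", "A"),
        BigIpObject("pool_app1", "pool", "A"),
        BigIpObject("node_app1", "node", "A"),
        BigIpObject("vs_app2", "virtual", "B"),
        BigIpObject("admin", "user", COMMON),
    ]


if __name__ == "__main__":
    objs = sample_objects()
    jsmith = UserAccount("jsmith", Role.MANAGER, "A")   # the chapter's Jane Smith
    print("jsmith sees:", [o.name for o in visible_objects(jsmith, objs)])
    print("jsmith may modify pool_app1:", can_perform(jsmith, objs[2], "modify"))
    print("jsmith may modify the Common http profile:", can_perform(jsmith, objs[0], "modify"))
    print("jsmith's new pool lands in partition:", create_object(jsmith, "pool_new", "pool").partition)
```

The useful check when reviewing a partition design is the negative case: a Manager scoped to one partition gets no Read or Write access to objects in any other partition, and only Read access to Common, so nothing shared in Common can be altered by a partition-scoped account.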