Managing local user accounts refers to the tasks of creating, viewing, modifying, and deleting user accounts that reside on the BIG-IP® system.
The BIG-IP system stores local user accounts (including user names, passwords, and user roles) in a local user-account database. When a user logs into the BIG-IP system using one of these locally-stored accounts, the BIG-IP system checks the account to determine the user role assigned to that user account for each partition to which the user has access.
For example, suppose you grant local user jsmith access to partitions A and B, and in the process, assign her a role of Manager for partition A and a role of Operator for partition B. This means that user jsmith can create, modify, and delete several types of local traffic objects that reside in partition A, but in partition B, she is restricted to enabling and disabling nodes, pool members, virtual servers, and virtual addresses.
For user rjones, you can grant him access to the same partitions A and B, but assign him the roles of Certificate Manager and Guest, respectively. For user rjones, this means that with respect to partition A, he can fully manage digital certificates that reside in that partition, but he has no permission to manage other types of objects in the partition. For objects in partition B, he has read access only.
Using the BIG-IP® Configuration utility, you can display a list of existing local user accounts. If the user role assigned to your account is Administrator, you can view any user account on the BIG-IP® system, in any partition. If the user role assigned to your account is User Manager, you can view any user account in any partition to which you have access on the BIG-IP system.
You perform this task to create a local user account for BIG-IP® administrative users.
Granting partition access to a BIG-IP user account
Using the BIG-IP® Configuration utility, you can view the properties of an individual account.
Using the BIG-IP® Configuration utility, you can modify the properties of an existing local user account, other than the root account.
When you delete a local user account, you remove it permanently from the local user-account database on the BIG-IP system. If the account you are using has the Administrator or User Manager user role, you can delete other local user accounts. A user with the Administrator role can delete any user account on the BIG-IP® system in any partition. A user with the User Manager role can delete user accounts on the BIG-IP system in only those partitions to which she has access.
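The per-partition role assignments in the jsmith and rjones example above, together with the rule that an Administrator can view or delete any local account while a User Manager can do so only in partitions she has access to, can be expressed as a small authorization model. The following Python is an added example, not F5 code and not the BIG-IP system's own logic: `LocalUser`, `is_allowed` and `can_manage_account` are this example's names, and the capability sets only sketch what this page states for each role.

```python
from __future__ import annotations

from dataclasses import dataclass, field

# Roles whose accounts always have access to every partition (Partition Access = All).
UNIVERSAL_ACCESS_ROLES = {"Administrator", "Resource Administrator", "Auditor"}

# (action, object type) pairs taken from the text's description of each role. This is
# a sketch of what the page states, not the product's full role definitions.
ROLE_CAPABILITIES = {
    "Manager": {(a, "local-traffic") for a in ("create", "modify", "delete")},
    "Operator": {(a, t) for a in ("enable", "disable")
                 for t in ("node", "pool-member", "virtual-server", "virtual-address")},
    "Certificate Manager": {(a, "certificate") for a in ("create", "modify", "delete")},
    "Guest": set(),          # read access only
    "User Manager": set(),   # account management is decided by can_manage_account()
}


@dataclass
class LocalUser:
    name: str                      # case-sensitive: "Jones" and "JONES" are different users
    partition_access: dict[str, str] = field(default_factory=dict)  # partition -> role

    def __post_init__(self) -> None:
        # A universal role is stored under the single key "All": the partition list is
        # unavailable for such accounts, so any other shape is a configuration error.
        roles = set(self.partition_access.values())
        if roles & UNIVERSAL_ACCESS_ROLES and list(self.partition_access) != ["All"]:
            raise ValueError("universal roles always cover all partitions")

    def role_in(self, partition: str) -> str | None:
        """The role this user holds in a partition, or None when she has no access to it."""
        return self.partition_access.get("All") or self.partition_access.get(partition)


def is_allowed(user: LocalUser, partition: str, action: str, object_type: str) -> bool:
    """Decide one action on one object type inside one partition."""
    role = user.role_in(partition)
    if role is None:
        return False                 # no access to the partition at all
    if action == "read" or role == "Administrator":
        return True                  # every role can at least view within its partitions
    return (action, object_type) in ROLE_CAPABILITIES.get(role, set())


def can_manage_account(actor: LocalUser, account_partition: str) -> bool:
    """Viewing or deleting another local account: an Administrator may do so anywhere
    (its role covers every partition), a User Manager only where the actor has access."""
    return actor.role_in(account_partition) in {"Administrator", "User Manager"}
```

Because an Administrator's role is stored under "All", `role_in` resolves it for every partition, so the same decision function handles both the scoped and the universal case without a special branch.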
This table lists and describes the properties that define a local BIG-IP user account.
| Property | Description | Default value |
|---|---|---|
| User Name | Specifies the name of the user account. The BIG-IP system is case-sensitive, which means that names such as JONES and Jones are treated as separate user accounts. | No default value |
| Partition | When viewing the properties of an existing user account, displays the name of the partition in which the user account object resides. All partitionable BIG-IP system objects (including user account objects) have the Partition property. Note that you cannot edit the value of this setting. | No default value |
| Password | Specifies a password that the user will use to log in to the BIG-IP system. | No default value |
| Partition Access | Specifies a user role for each partition to which the user has access when logged on to the BIG-IP system. When you assign the user role of Administrator, Resource Administrator, or Auditor, the list of partitions to choose from becomes unavailable. (Accounts with these roles always have universal partition access, that is, access to all partitions.) | All |
| Terminal Access | Specifies the level of access to the BIG-IP system command line interface. Possible values are Disabled and Advanced shell. Users with the Administrator or Resource Administrator role assigned to their accounts can have advanced shell access, that is, permission to use all BIG-IP system command line utilities, as well as any Linux commands. | Disabled |
The BIG-IP® system includes an optional administrative feature: a security policy for creating passwords for local BIG-IP system user accounts. A secure password policy ensures that BIG-IP system users who have local user accounts create and maintain passwords that are as secure as possible.
The secure password policy feature includes two distinct types of password restrictions:
Passwords for remotely-stored user accounts are not subject to this password policy, but might be subject to a separate password policy defined on the remote system.
This table lists and describes the settings for a password policy.
| Setting | Description | Default value |
|---|---|---|
| Secure Password Enforcement | Enables or disables character restrictions, that is, a policy for minimum password length and required characters. When you enable this setting, the BIG-IP Configuration utility displays the Minimum Length and Required Characters settings. | Disabled |
| Minimum Length | Specifies the minimum number of characters required for a password; the allowed range of values is 6 to 255. This setting appears only when you enable the Secure Password Enforcement setting. | 6 |
| Required Characters | Specifies the number of numeric, uppercase, lowercase, and other characters required for a password. The allowed range of values is 0 to 127. This setting appears only when you enable the Secure Password Enforcement setting. | 0 |
| Password Memory | Specifies, for each user account, the number of former passwords that the BIG-IP system retains to prevent the user from reusing a recent password. The range of allowed values is 0 to 127. This setting does not apply to users with the Administrator or User Manager role. | 0 |
| Minimum Duration | Specifies the minimum number of days before a user can change a password. The range of allowed values is 0 to 255. This setting does not apply to users with the Administrator or User Manager role. | 0 |
| Maximum Duration | Specifies the maximum number of days that a user's password can be valid. The range of allowed values is 1 to 99999. This setting applies to all user accounts. | 99999 |
| Expiration Warning | Specifies the number of days prior to password expiration that the system sends a warning message to a user. The range of allowed values is 1 to 255. This setting applies to all user accounts. | 7 |
| Maximum Login Failures | Denies access to a user after the specified number of failed authentication attempts. The administrator can then reset the lock to re-enable access for the user. | 0 |
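To make the interaction of these settings concrete, the following Python models the password policy as an added example; it is not F5 code and not how the BIG-IP system implements the checks internally. `PasswordPolicy`, `LocalAccount` and the function names are this example's own. Defaults and allowed ranges follow the table, the character restrictions apply only when Secure Password Enforcement is enabled, and the Administrator and User Manager exemptions from Password Memory and Minimum Duration are applied. A SHA-256 fingerprint stands in for stored password history because the page does not describe the system's storage format.

```python
from __future__ import annotations

import hashlib
from dataclasses import dataclass, field
from datetime import date

# Roles the settings table exempts from Password Memory and Minimum Duration.
MEMORY_DURATION_EXEMPT = {"Administrator", "User Manager"}


@dataclass
class PasswordPolicy:
    """Field names are this example's own; defaults and ranges follow the settings table."""
    secure_password_enforcement: bool = False
    minimum_length: int = 6           # 6-255, enforced only when enforcement is enabled
    required_numeric: int = 0         # each 0-127, enforced only when enforcement is enabled
    required_uppercase: int = 0
    required_lowercase: int = 0
    required_other: int = 0
    password_memory: int = 0          # 0-127 former passwords remembered per account
    minimum_duration: int = 0         # 0-255 days before a user may change the password
    maximum_duration: int = 99999     # 1-99999 days a password stays valid
    expiration_warning: int = 7       # 1-255 days of warning before expiry
    maximum_login_failures: int = 0   # 0 means the account is never locked

    def __post_init__(self) -> None:
        limits = {"minimum_length": (6, 255), "required_numeric": (0, 127),
                  "required_uppercase": (0, 127), "required_lowercase": (0, 127),
                  "required_other": (0, 127), "password_memory": (0, 127),
                  "minimum_duration": (0, 255), "maximum_duration": (1, 99999),
                  "expiration_warning": (1, 255)}
        for name, (low, high) in limits.items():
            value = getattr(self, name)
            if not low <= value <= high:
                raise ValueError(f"{name}={value} is outside the allowed range {low}-{high}")


@dataclass
class LocalAccount:
    user_name: str
    role: str
    password_history: list[str] = field(default_factory=list)  # fingerprints, newest last
    last_changed: date | None = None
    failed_logins: int = 0
    locked: bool = False


def _fingerprint(password: str) -> str:
    # Demo-only stand-in so the history can be compared without keeping plaintext;
    # the page does not describe the real storage, and production would use a slow KDF.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def character_violations(policy: PasswordPolicy, password: str) -> list[str]:
    """Minimum Length and Required Characters; empty when enforcement is off or all pass."""
    if not policy.secure_password_enforcement:
        return []
    counts = {"numeric": sum(c.isdigit() for c in password),
              "uppercase": sum(c.isupper() for c in password),
              "lowercase": sum(c.islower() for c in password)}
    counts["other"] = len(password) - sum(counts.values())  # anything outside the three classes
    problems = []
    if len(password) < policy.minimum_length:
        problems.append(f"shorter than {policy.minimum_length} characters")
    for kind in ("numeric", "uppercase", "lowercase", "other"):
        needed = getattr(policy, f"required_{kind}")
        if counts[kind] < needed:
            problems.append(f"needs {needed} {kind} character(s), has {counts[kind]}")
    return problems


def check_new_password(policy: PasswordPolicy, account: LocalAccount,
                       new_password: str, today: date) -> list[str]:
    """Every reason the policy would refuse this password change."""
    problems = character_violations(policy, new_password)
    if account.role not in MEMORY_DURATION_EXEMPT:
        recent = account.password_history[-policy.password_memory:] if policy.password_memory else []
        if _fingerprint(new_password) in recent:
            problems.append(f"matches one of the last {policy.password_memory} passwords")
        if account.last_changed and (today - account.last_changed).days < policy.minimum_duration:
            problems.append(f"changed less than {policy.minimum_duration} day(s) ago")
    return problems


def set_password(policy: PasswordPolicy, account: LocalAccount, new_password: str, today: date) -> None:
    """Apply the change, or raise with the full list of violations."""
    problems = check_new_password(policy, account, new_password, today)
    if problems:
        raise ValueError("; ".join(problems))
    account.password_history.append(_fingerprint(new_password))
    account.last_changed = today


def expiry_status(policy: PasswordPolicy, account: LocalAccount, today: date) -> str:
    """'expired', 'warning' (inside the Expiration Warning window) or 'ok'."""
    remaining = policy.maximum_duration - (today - account.last_changed).days
    if remaining <= 0:
        return "expired"
    return "warning" if remaining <= policy.expiration_warning else "ok"


def record_login(policy: PasswordPolicy, account: LocalAccount, succeeded: bool) -> bool:
    """Track Maximum Login Failures; returns True when the account is locked."""
    if account.locked:
        return True
    account.failed_logins = 0 if succeeded else account.failed_logins + 1
    if policy.maximum_login_failures and account.failed_logins >= policy.maximum_login_failures:
        account.locked = True
    return account.locked


def unlock(account: LocalAccount) -> None:
    """What an administrator does to re-enable a locked-out user."""
    account.locked = False
    account.failed_logins = 0
```

Two details are worth noticing when reading the model against the table: with the default Maximum Login Failures of 0 an account is never locked, and with Password Memory left at 0 no history is compared at all, which is why the `recent` slice is guarded rather than taking `history[-0:]`.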
Use this procedure to require BIG-IP® system users to create strong passwords and to specify the maximum number of BIG-IP login failures that the system allows before the user is denied access.
When you configure the password policy restrictions for user accounts, you can configure the number of failed authentication attempts that a user can perform before the user is locked out of the system. If a user becomes locked out, you can remove the lock to re-enable access for the user.
If a user exceeds the number of failed login attempts that the password policy allows, the BIG-IP® system locks the user account. You can perform this task to unlock the account.