Manual Chapter: BIG-IP version 9.2 Network and System Management Guide: Managing User Accounts


14 Managing User Accounts


Introducing user account management

An important part of managing the BIG-IP system is creating and managing user accounts for BIG-IP system administrators. By creating user accounts for system administrators, you provide additional layers of security. User accounts ensure that the system:

  • Verifies the identity of users logging into the system (authentication)
  • Controls user access to system resources (authorization)

To enable user authentication and authorization, you assign passwords and user roles to your user accounts. Passwords allow you to authenticate your users when they attempt to log in to the BIG-IP system. User roles allow you to control user access to BIG-IP system resources.

User accounts for BIG-IP system administrators can reside either locally on the BIG-IP system, or remotely on another type of authentication server. The types of remote servers that you can use to store BIG-IP system user accounts are:

  • Active Directory™ servers
  • Lightweight Directory Access Protocol (LDAP) servers
  • Remote Authentication Dial-in User Service (RADIUS) servers

If you want your user accounts to reside locally on the BIG-IP system, you must create those user accounts on the BIG-IP system and assign user roles to them. If you want your user accounts to reside remotely on an Active Directory, LDAP, or RADIUS server, you do not use the BIG-IP system to create the accounts. Instead, you use the mechanism provided by the server vendor, and you use BIG-IP system strictly to assign user roles to those remote accounts and to maintain those user role assignments over time.

Understanding user account types

There are two types of user accounts on the BIG-IP system: System maintenance accounts and Web UI accounts.

  • System maintenance accounts
    System maintenance accounts are user accounts that you maintain using the Setup utility. There are two types of system maintenance accounts: the root account and the support account. System maintenance accounts reside locally on the BIG-IP system and grant full access to BIG-IP system resources. You configure and maintain these accounts using the Setup utility.
  • Web UI accounts
    Web UI accounts are user accounts that you create for other BIG-IP system administrators to use. Web UI accounts can reside either locally on the BIG-IP system, or remotely on a remote authentication server. You create and maintain these accounts using the browser-based Configuration utility. Creating Web UI accounts allows you to assign various user roles to those accounts as a way to control system administrator access to BIG-IP system resources. A special Web UI account is the admin account, which automatically exists on any BIG-IP system. For more information on the admin account, see Configuring the admin account. For information on user roles, see Understanding user roles, following.

You are not required to have any accounts other than the system maintenance accounts (root and support) and the admin Web UI account, but we recommend that you do so, as a way to intelligently control administrator access to system resources.

The tools you use to create and maintain user accounts vary according to the type of account you are managing. Table 14.1 lists the various user accounts for the BIG-IP system and the tools you use to manage them.

Table 14.1 Tools for managing user accounts

  Account Name            Creation/Configuration Tool   Maintenance Tool
  The root account        Setup utility                 Setup utility
  The support account     Setup utility                 Setup utility
  The admin account       Setup utility                 Configuration utility
  Other Web UI accounts   Configuration utility         Configuration utility

Understanding user roles

User roles are a means of authorization that allows you to control a user's access to BIG-IP system resources. More specifically, a user role defines the types of tasks that a user can perform on the BIG-IP system and the tools that the user can use to perform those tasks. When you create a local or remote user account, you can assign one of four user roles to that account.

Table 14.2 lists and describes the various user roles that you can assign to a user account.

Table 14.2 User roles for user accounts

  User Role       Description
  No Access       When a user role is set to No Access, the user cannot view, modify, or create any configuration information for the BIG-IP system.
  Guest           The Guest user role grants read-only access to the user, through the Configuration utility only. A user with this user role has no access to the command-line interface.
                  A user with the Guest role can view configuration information, but cannot create new objects or modify existing ones. Users with this access level do not have access to various Configuration utility elements such as Create buttons, Update buttons, and Delete buttons.
  Operator        The Operator user role allows the user to view information and to enable or disable nodes. Users with this user role can access the BIG-IP system through the Configuration utility only.
  Administrator   This user role provides the user with full access to all administrative tasks. By default, users with this user role can access the BIG-IP system through the Configuration utility and iControl, but not through the command-line interface. However, as an option, you can assign users the ability to also access the BIG-IP system through the command-line interface.

The BIG-IP system automatically assigns a user role to an account when you create that account. The user role that the system assigns to a user account depends on the type of account:

  • root and admin accounts
    The BIG-IP system automatically assigns the Administrator user role to the system maintenance root account and the Web UI admin account. You cannot change this user-role assignment. Thus, any user who successfully logs into the BIG-IP system using the root or admin account has full access to system resources and can perform all administrative tasks.
  • Other Web UI accounts
    The BIG-IP system automatically assigns the No Access user role to all Web UI accounts other than the admin account. If the user account you are using has the Administrator role assigned to it, you can change another account's user role from No Access to Guest, Operator, or Administrator. For remote user accounts, if you know that most of your users will need some amount of access to system resources, you can configure the BIG-IP system to use a role other than No Access as the default user role.
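The role model in Table 14.2 and the fixed-role rules above can be checked in isolation. The following is an added example, not F5 code or any BIG-IP API; the action names, the Account class and the treatment of the No Access role in can_change_password are assumptions made for the illustration.

```python
# Added illustration of the role model in Table 14.2 and the fixed-role rules for
# root and admin. This is example code, not F5 software; the action names and the
# Account class are assumptions made for the example.
from dataclasses import dataclass
from enum import Enum


class Role(Enum):
    NO_ACCESS = "No Access"
    GUEST = "Guest"
    OPERATOR = "Operator"
    ADMINISTRATOR = "Administrator"


# Actions the chapter mentions (names assumed for this example).
READ_CONFIG = "read_config"      # view configuration information
TOGGLE_NODE = "toggle_node"      # enable or disable a node
WRITE_CONFIG = "write_config"    # create, modify or delete configuration objects
MANAGE_USERS = "manage_users"    # create, modify or delete other user accounts

# Table 14.2: what each role may do through the Configuration utility.
ROLE_PERMISSIONS = {
    Role.NO_ACCESS: frozenset(),
    Role.GUEST: frozenset({READ_CONFIG}),
    Role.OPERATOR: frozenset({READ_CONFIG, TOGGLE_NODE}),
    Role.ADMINISTRATOR: frozenset({READ_CONFIG, TOGGLE_NODE, WRITE_CONFIG, MANAGE_USERS}),
}

# Accounts that always hold the Administrator role; their role cannot be changed.
FIXED_ADMIN_ACCOUNTS = frozenset({"root", "admin"})


@dataclass
class Account:
    name: str
    role: Role = Role.NO_ACCESS     # default role for a new Web UI account
    console_access: bool = False    # "Allow Console Access": Administrator only

    def __post_init__(self) -> None:
        if self.name in FIXED_ADMIN_ACCOUNTS:
            self.role = Role.ADMINISTRATOR
        if self.console_access and self.role is not Role.ADMINISTRATOR:
            raise ValueError("console access requires the Administrator role")


def can(account: Account, action: str) -> bool:
    """True if the account's role permits the action in the Configuration utility."""
    return action in ROLE_PERMISSIONS[account.role]


def can_use_console(account: Account) -> bool:
    """Command-line (SSH) access needs the Administrator role plus the console flag."""
    return account.role is Role.ADMINISTRATOR and account.console_access


def can_change_password(actor: Account, target: Account) -> bool:
    """Administrators may change any password; Guest and Operator only their own."""
    if actor.role is Role.ADMINISTRATOR:
        return True
    # No Access cannot view or modify anything, so it is excluded here (assumption).
    return actor.name == target.name and actor.role in (Role.GUEST, Role.OPERATOR)


def set_role(actor: Account, target: Account, role: Role, console_access: bool = False) -> None:
    """Change another account's role, enforcing the rules the chapter states."""
    if not can(actor, MANAGE_USERS):
        raise PermissionError(f"{actor.name} ({actor.role.value}) cannot manage user accounts")
    if target.name in FIXED_ADMIN_ACCOUNTS:
        raise ValueError(f"the user role of {target.name} cannot be changed")
    if console_access and role is not Role.ADMINISTRATOR:
        raise ValueError("console access requires the Administrator role")
    target.role = role
    target.console_access = console_access


if __name__ == "__main__":
    admin = Account("admin", console_access=True)
    viewer = Account("viewer", Role.GUEST)
    print(can(viewer, READ_CONFIG), can(viewer, WRITE_CONFIG))   # True False
    set_role(admin, viewer, Role.OPERATOR)
    print(viewer.role.value, can(viewer, TOGGLE_NODE))           # Operator True
```

The two constraints worth noticing are that the console flag is rejected unless the role is Administrator, and that root and admin are forced to Administrator at construction and refused in set_role, which is the behaviour a reviewer should expect from any account-management front end to this system.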

Managing local user accounts

Managing local user accounts refers to the tasks of creating, viewing, modifying, and deleting local Web UI user accounts on the BIG-IP system, using the browser-based Configuration utility.

The Configuration utility stores local user accounts (including user names, passwords, and user roles) in a local user-account database. When a user logs into the BIG-IP system using one of these locally-stored accounts, the BIG-IP system checks the account to determine the access level assigned to that user account.

You assign a user role to an account at the time that you create the account, or by changing the properties of an existing account.

Important

Except for users who want to change their own passwords, only users with the role of Administrator can manage local user accounts.

Configuring the admin account

A user account called admin resides on every BIG-IP system. Although the BIG-IP system creates this account automatically, you must still assign a password to the account before you can use it. To initially set the password for the admin account, you must run the Setup utility. To change its password later, you use the Configuration utility's Users screens.

The admin account resides in the local user account database on the BIG-IP system. By default, the BIG-IP system assigns the Administrator user role, which gives the user of this account full access to all BIG-IP system resources. You cannot change the user role on this account. For information on user roles, see Understanding user roles.

Creating user accounts

When you create a local user account, you must give the account a name and a password. You must also set the user role, either by retaining the default user role or by assigning a new one. The default user role for local, non-system accounts is No Access.

Only users who have been granted the Administrator role can create user accounts.

To create a user account

  1. On the Main tab of the navigation pane, expand System, and click Users.
    The User List screen opens, displaying a list of all Web UI accounts.
  2. In the upper right corner of the screen, click Create.
    The New User screen opens.
  3. In the User Name box, type a name for the user account.
  4. For the Authentication setting, type and confirm a password for the account.
    For more information on user account passwords, see Managing remote user accounts.
  5. To grant an access level other than No Access, use the Web User Role setting and select one of these options:
    • Administrator
      You can optionally check the Allow Console Access box, which grants access to the BIG-IP system through the command line interface.
    • Operator
    • Guest
  6. Click Finished.

Viewing user accounts

Using the Configuration utility, you can easily display a list of existing local user accounts and view the properties of an individual account. Only users who have been granted the Administrator role can view the settings of other user accounts.

To display a list of existing user accounts

  1. On the Main tab of the navigation pane, expand System, and click Users.
    The User List screen opens, displaying a list of all Web UI accounts.
  2. View the list of user accounts.

To view the properties of a user account

  1. On the Main tab of the navigation pane, expand System, and click Users.
    The User List screen opens, displaying a list of all Web UI accounts.
  2. In the user-account list, find the user account you want to view and click the account name.
    This displays the properties of that user account.

Modifying user accounts

You use the Configuration utility to modify the properties of any existing local user account, other than the root account. Only users who have been granted the Administrator role can modify user accounts other than their own.

When you modify account properties, you can:

  • Change the password
  • Change the user role
  • Allow console access (that is, using SSH) if the account has a user role of Administrator

Users with user roles of Operator or Guest can change their own passwords only. Users with an Administrator role can change their own passwords as well as other users' passwords.

To change properties of a user account other than root

  1. On the Main tab of the navigation pane, expand System, and click Users.
    The User List screen opens, displaying a list of all Web UI accounts.
  2. In the user-account list, click a user account name.
    This displays the properties of that account.
  3. Change the password, or choose a new user role for the account, or both. If the user account has the Administrator role assigned to it, or you are changing the user role to Administrator, you can optionally check the Allow Console Access box.
  4. Click Update.

You can also change some properties of the root account. Specifically, you can change the password of the root account, and you can enable or disable access to the BIG-IP system through SSH.

To change properties of the root account

  1. On the Main tab of the navigation pane, expand System, and click Platform.
    The General screen opens.
  2. For the Root Account setting, type a new password in the Password box, and re-type the new password in the Confirm box.
  3. If you want to grant SSH access, then for the SSH Access setting, check the Enabled box, and for the SSH IP Allow setting, either:
    • Select * All Addresses.
    • Select Specify Range and type a range of IP addresses.
  4. Click Update.

Important

If you have a redundant system configuration and you change the password on the admin account, you must also change the password on the peer unit, to ensure that synchronization of configuration data operates correctly.

Deleting user accounts

If the account you are using has an Administrator user role, you can delete other local user accounts. When you delete a local user account, you remove it permanently from the local user-account database on the BIG-IP system.

Note

You cannot delete the admin user account, nor can you delete the user account with which you are logged in.

To delete a user account

  1. On the Main tab of the navigation pane, expand System, and click Users.
    This opens the User List screen, displaying a list of all Web UI accounts.
  2. In the user-account list, locate the name of the account you want to delete and click the Select box to the left of the account name.
  3. Click the Delete button.
    A confirmation box appears.
  4. Click Delete again.

Managing remote user accounts

When you are using a remote authentication server, you create and store Web UI accounts (including user names and passwords) on that remote server, using the mechanism supplied by that server's vendor. In addition to creating and storing user accounts on the remote server, however, you must also use the BIG-IP system to assign user roles to those accounts, for the purpose of controlling user access to BIG-IP system resources.

You assign user roles to remote accounts using the Configuration utility. The Configuration utility stores user-role information in the BIG-IP system's local user-account database. When a user whose account information is stored remotely logs into the BIG-IP system and is granted authentication, the BIG-IP system then checks its local database to determine the user role that you assigned to that user.

If you do not assign a user role to a remote user account, then the BIG-IP system assigns a default user role. You can specify which user role you want the BIG-IP system to assign as a default user role. For more information, see To configure the default user role.

Important

Only users with the role of Administrator can manage user roles for remote user accounts.

Specifying a remote user-account database

One of the tasks you can perform with the Configuration utility is to specify the type of remote user-account database that currently stores your remote user accounts. The available database types that you can specify are:

  • Active Directory™
  • Lightweight Directory Access Protocol (LDAP)
  • Remote Authentication Dial-In User Service (RADIUS)

When you specify the type of remote database, you can also configure some database settings. Then, once you have specified and configured the remote user account database, you can assign user roles to your remote user accounts. For more information on user roles, see Assigning user roles.

To specify and configure a remote account database

  1. On the Main tab of the navigation pane, expand System, and click Users.
    This opens the User List screen, displaying a list of all Web UI accounts.
  2. On the menu bar, click Authentication Source.
    This opens the Authentication Source screen.
  3. Click Change.
  4. In the User Directory setting, select a remote server type.
    The screen expands to show additional configuration settings.
  5. Configure all settings as needed.
    For more information, see the online help.
  6. Click Finished.

Assigning user roles

You create remote user accounts using the mechanism provided by the vendor of your remote server. Once you have created remote accounts, you then use the Configuration utility to assign user roles to those accounts. More specifically, you can use the Configuration utility to:

  • Explicitly assign a user role to an individual remote account
  • Change the user role of an account
  • Specify a default user role for accounts that do not have explicit user-role designations

Explicitly assigning a user role

As stated in the previous section, you do not use the Configuration utility to create remote user accounts for the BIG-IP system. However, you can use the Configuration utility to explicitly assign user roles to them.

This task of assigning a user role to a remote account is not required, because the BIG-IP system automatically assigns a default user role to a remote account if you do not explicitly do so. For information on configuring the default user role, see Configuring the default user role.

To explicitly assign a user role

  1. On the Main tab of the navigation pane, expand System, and click Users.
    This opens the User List screen, displaying a list of all user accounts.
    Note: This list shows only the remote accounts to which you have explicitly assigned a user role. For more information, see Changing a user role.
  2. In the upper-right corner of the screen, click Create.
    This displays the New User screen.
  3. In the User Name box, type the name of the remote user to which you want to assign a user role.
  4. For the Web User Role setting, select a user role.
    If you select Administrator, the Allow Console Access setting appears.
  5. If you selected Administrator and want to allow access to the BIG-IP system through the command-line interface, click the Allow Console Access box.
  6. Click Finished.

Changing a user role

Sometimes you might want to change the user role that you previously assigned to a remote account. To do so, you must change the properties of that account by clicking the account name on the User List screen. Only those remote user accounts to which you have explicitly assigned a user role (using the Configuration utility) appear in the list of user accounts.

If you did not explicitly assign a user role to an account, the account does not appear in the list of user accounts. In this case, you cannot change the authorization properties of that individual account. For more information, see To explicitly assign a user role.

To change the properties of a remote user account

  1. On the Main tab of the navigation pane, expand System, and click Users.
    This opens the User List screen, displaying a list of user accounts to which you explicitly assigned user roles.
  2. In the User Name column, click a user name.
    This displays the properties for that user account.
  3. In the Web User Role box, select a user role.
  4. Click Update.

Configuring the default user role

Sometimes, you might have remote user accounts to which you have not explicitly assigned user roles. (For more information, see Assigning user roles.) Such accounts do not appear in the list of user accounts on the User List screen.

So that every authenticated remote user has a valid authorization level, the BIG-IP system automatically assigns a default user role to these accounts. By default, the user role that the BIG-IP system assigns to these remote accounts is No Access. However, you can change the user role that the BIG-IP system uses as the default user role, to Administrator, Operator, or Guest. Then, whenever you create a user account on that remote server and you do not explicitly assign a user role to that account, the BIG-IP system automatically assigns that user role to the account.

To configure the default user role

  1. On the Main tab of the navigation pane, expand System, and click Users.
    This opens the User List screen, displaying a list of all Web UI accounts.
  2. From the Users menu, choose Remote Access.
    This displays the Remote Access screen.
  3. In the Web User Role setting, select a default user role from the list.
    If you select the Administrator user role, an optional setting appears for granting console access to the user.
  4. If you want to grant the user access to the BIG-IP system through the command-line interface, check the Allow Console Access box.
  5. Click Update.

At any time, you can view the default user role that the BIG-IP system assigns to any remote accounts for which you have not explicitly assigned a user role.

To view the current default user role

  1. On the Main tab of the navigation pane, expand System, and click Users.
    This opens the User List screen, displaying a list of all Web UI accounts.
  2. From the Users menu, choose Remote Accounts.
    The Web User Role setting displays the user role that the BIG-IP system currently uses as the default user role for remote accounts.

Deleting an explicit user-role designation

When you use the Configuration utility to delete a remote user account, you are not actually deleting the account from the remote server. Instead, you are removing the explicit user-role designation that you previously assigned the account.

Removing an explicit user-role designation from a remote user account causes the BIG-IP system to assign the default user role to the account.

To delete an explicit user role designation

  1. On the Main tab of the navigation pane, expand System, and click Users.
    This opens the User List screen, displaying a list of all Web UI accounts.
  2. Locate an account name in the list and click the corresponding Select box.
  3. Click Delete.
    A confirmation page appears.
  4. Click Delete.
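The sections Managing remote user accounts through Deleting an explicit user-role designation describe one decision path: the remote server verifies the password, then the local database supplies either an explicit designation or the configured default, and deleting a remote account only removes the designation. The following added example models that path; it is not F5 code, and RemoteRoleStore, login and the constructed directory are assumptions made for the illustration.

```python
# Added illustration of how a remotely authenticated user gets a role: the remote
# server (Active Directory, LDAP or RADIUS) only verifies the password, and the
# BIG-IP system's local database supplies the explicit designation or the default.
# Example code, not F5 software; RemoteRoleStore, login and the constructed
# directory are assumptions made for the example.
import hmac
from enum import Enum
from typing import Callable, Dict, List, Optional


class Role(Enum):
    NO_ACCESS = "No Access"
    GUEST = "Guest"
    OPERATOR = "Operator"
    ADMINISTRATOR = "Administrator"


class RemoteRoleStore:
    """The local user-role database as the Configuration utility maintains it."""

    def __init__(self, default_role: Role = Role.NO_ACCESS) -> None:
        self.default_role = default_role      # Remote Access screen, Web User Role
        self.explicit: Dict[str, Role] = {}   # accounts shown on the User List screen

    def assign(self, username: str, role: Role) -> None:
        """Explicitly designate a role (User List screen, Create or Update)."""
        self.explicit[username] = role

    def delete_designation(self, username: str) -> None:
        """'Deleting' a remote account removes only its explicit designation."""
        self.explicit.pop(username, None)

    def listed_accounts(self) -> List[str]:
        """Only explicitly designated remote accounts appear in the list."""
        return sorted(self.explicit)

    def resolve_role(self, username: str) -> Role:
        """Explicit designation if present, otherwise the configured default."""
        return self.explicit.get(username, self.default_role)


def login(store: RemoteRoleStore, remote_verify: Callable[[str, str], bool],
          username: str, password: str) -> Optional[Role]:
    """Authenticate on the remote server, then authorize from the local store.

    Returns the effective role, or None when the remote server rejects the
    credentials (no role lookup happens for an unauthenticated user).
    """
    if not remote_verify(username, password):
        return None
    return store.resolve_role(username)


# Constructed stand-in for the remote directory; a real deployment asks the
# AD/LDAP/RADIUS server instead of consulting a table like this.
_CONSTRUCTED_DIRECTORY = {"alice": "constructed-pw-1", "bob": "constructed-pw-2"}


def constructed_remote_verify(username: str, password: str) -> bool:
    expected = _CONSTRUCTED_DIRECTORY.get(username)
    return expected is not None and hmac.compare_digest(expected.encode(), password.encode())


def walkthrough() -> List[str]:
    """Run the scenario the chapter describes and return the effective role names."""
    store = RemoteRoleStore()                    # default role is No Access
    store.assign("alice", Role.ADMINISTRATOR)    # explicit designation for alice
    out = []
    out.append(login(store, constructed_remote_verify, "alice", "constructed-pw-1").value)  # Administrator
    out.append(login(store, constructed_remote_verify, "bob", "constructed-pw-2").value)    # No Access
    store.default_role = Role.GUEST              # change the default user role
    out.append(login(store, constructed_remote_verify, "bob", "constructed-pw-2").value)    # Guest
    store.delete_designation("alice")            # alice now falls back to the default
    out.append(login(store, constructed_remote_verify, "alice", "constructed-pw-1").value)  # Guest
    return out


if __name__ == "__main__":
    print(walkthrough())   # ['Administrator', 'No Access', 'Guest', 'Guest']
```

The point the walkthrough makes is that the default role is a live setting, not a value copied into each account: raising it to Guest changes what every undesignated remote user can do from their next login, and deleting a designation silently drops that user to whatever the default currently is.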


