The BIG-IP® system includes a powerful authorization feature known as administrative domains. Using the administrative domains feature, you ensure that the BIG-IP system grants administrative users exactly the right type and amount of access to BIG-IP system resources. As a result, you can tailor user access to resources to fit the needs of your organization exactly.
The administrative domains feature consists of several important components:
By combining all of these components, you can fine-tune administrative access to many of your BIG-IP system resources. This chapter describes the procedure for configuring the administrative domains feature on the BIG-IP system.
When you first install the BIG-IP system, a default partition exists, known as partition Common. Partition Common contains certain objects that the system automatically creates during installation, such as the admin user account, the default profiles, and the pre-configured health and performance monitors.
Some types of BIG-IP system objects reside in partitions, while others do not. In general, most local-traffic objects reside in partitions. Network objects, such as self IP addresses, VLANs, interfaces, and so on, cannot reside in partitions.
At a minimum, most BIG-IP system user accounts have Read access to objects in partition Common, regardless of their user roles. User accounts that have the Administrator role assigned to them not only can view the objects in Common, but also can create, modify, and delete objects in that partition.
While managing partition Common is useful as a starting point for controlling user access to BIG-IP system objects, creating other partitions offers a much finer degree of access control for administrative users. For example, user accounts with the Manager user role can perform most of the same tasks as users with the Administrator role, except that users with the Manager role cannot manage user accounts or type commands outside of the bigpipe shell.
The first step in giving a user the authority to manage objects in a specific partition is to create the partition. Once you have created the partition, you choose the user that you want to manage the objects in the new partition. Finally, you modify the properties of that user's account to assign both the appropriate user role and the partition that you want to authorize the user to manage. Once you have granted the user authority to manage the partition, the user can manage objects within that partition in certain ways, such as creating HTTP virtual servers and profiles.
The next step, after you create the partition, is to assign a user role to a user account and give that user authority to manage the new partition. The level of authority that the user has is determined by the user role you assign to the user account. For example:
You can configure user access to a partition either when you first create the user account or when you modify the user account properties. The following procedure shows how to configure partition access to an existing user account.
It is important to understand what happens when an administrative user logs into the BIG-IP system and attempts to view, manage, or create BIG-IP system objects.
Once you have assigned user roles and partitions to user accounts, each user sees only those objects on the BIG-IP system to which the account has been granted access, and no others.
For example, suppose user Jane Smith logs into the system with her user account (jsmith), and she has the role of Manager and is authorized to manage partition A. In this case, she sees and can manage all objects contained in partition A (excluding user account objects), and she can see objects in partition Common. She has no access to other objects on the system. This means that if she uses the Configuration utility to view a list of virtual servers on the system, she sees and can manage virtual servers contained in partition A, and she can see any virtual servers in partition Common (if any). Similarly, if she views the list of pools, she sees and can manage those pools contained in partition A, and she can see any pools in partition Common (if any), and so on. She has no access (either Read or Write access) to objects in other partitions.
By contrast, a user with a role such as Administrator can see and manage all objects on the system, regardless of the partition in which the objects reside. Users with this type of role can also actively select a specific partition to view and manage.
When a BIG-IP system user has a user role that grants the authority to create objects on the BIG-IP system in a specific partition, the object that the user creates automatically resides in the partition that the user is authorized to manage.
For example, suppose that Barry Jones has the user account bjones, and this user account is authorized to manage partition B. When Barry logs into the BIG-IP system using the bjones account, any object that he creates automatically resides in partition B.
Conversely, if a user with a role that does not allow object creation (such as the Operator role) is logged into the system, no Create buttons appear on the Configuration utility screens.
If the logged-in user has universal access (such as a user with the Administrator role), the user can actively select the partition in which to view, manage, or create a BIG-IP system object.
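The following is an added illustration, not F5's implementation or any BIG-IP API: a small Python model of the rules this chapter lays out, covering both the configuration steps (create a partition, then assign a role and partition to an account) and the behaviour at login (what a Manager sees and can change in her own partition versus Common, where a created object lands, that an Operator gets no Create, and that an Administrator works in whatever partition is selected). Two details the page does not state are assumptions: the Operator role is treated as read-only beyond having no Create, and an Administrator who has not selected a partition is placed in Common.

```python
"""Constructed model of the partition / user-role rules described in this chapter.
Added illustration only; not F5's code or API.  Assumptions not on the page:
Operator is read-only apart from having no Create, and an Administrator who has
not selected a partition works in Common."""
from dataclasses import dataclass, field
from typing import List, Optional, Set

COMMON = "Common"
# Roles the chapter names. True = may create/modify/delete inside its own partition.
ROLE_CAN_WRITE = {"Administrator": True, "Manager": True, "Operator": False}
UNIVERSAL_ROLES = {"Administrator"}  # see and manage every partition


@dataclass
class User:
    name: str
    role: str
    partition: Optional[str] = None           # partition the account may manage
    selected_partition: Optional[str] = None  # chosen by universal-access users only


@dataclass
class Obj:
    name: str
    kind: str        # "virtual", "pool", "user", ...
    partition: str


@dataclass
class System:
    partitions: Set[str] = field(default_factory=lambda: {COMMON})
    objects: List[Obj] = field(default_factory=list)

    def create_partition(self, name: str) -> None:
        self.partitions.add(name)

    def assign(self, user: User, role: str, partition: str) -> None:
        """Give an existing account a role together with the partition it may manage."""
        if role not in ROLE_CAN_WRITE:
            raise ValueError(f"unknown role {role}")
        if partition not in self.partitions:
            raise ValueError(f"unknown partition {partition}")
        user.role, user.partition = role, partition

    def can_read(self, user: User, obj: Obj) -> bool:
        if user.role in UNIVERSAL_ROLES:
            return True
        # Everyone else sees their own partition plus Common, nothing more.
        return obj.partition in (COMMON, user.partition)

    def can_write(self, user: User, obj: Obj) -> bool:
        if user.role in UNIVERSAL_ROLES:
            return True
        if not ROLE_CAN_WRITE[user.role] or obj.kind == "user":
            return False  # no write role, or a Manager touching user accounts
        return obj.partition == user.partition  # Common is read-only for Manager

    def visible(self, user: User, kind: str) -> List[Obj]:
        return [o for o in self.objects if o.kind == kind and self.can_read(user, o)]

    def create(self, user: User, name: str, kind: str) -> Obj:
        if user.role in UNIVERSAL_ROLES:
            target = user.selected_partition or COMMON  # Administrator picks the partition
        elif not ROLE_CAN_WRITE[user.role] or kind == "user":
            raise PermissionError(f"{user.role} cannot create {kind}")
        else:
            target = user.partition  # lands in the user's own partition automatically
        obj = Obj(name, kind, target)
        self.objects.append(obj)
        return obj


def demo() -> dict:
    """Replay the chapter's jsmith / bjones scenario and return each decision."""
    s = System()
    s.create_partition("A")
    s.create_partition("B")
    vs_common = Obj("vs_common", "virtual", COMMON)
    vs_a, vs_b = Obj("vs_a", "virtual", "A"), Obj("vs_b", "virtual", "B")
    admin_acct = Obj("admin", "user", COMMON)
    s.objects += [vs_common, vs_a, vs_b, admin_acct]
    jsmith = User("jsmith", "Operator")      # existing account, modified below
    s.assign(jsmith, "Manager", "A")
    bjones = User("bjones", "Manager", "B")
    ops = User("ops", "Operator", "A")
    admin = User("admin", "Administrator", selected_partition="B")
    out = {
        "jsmith_sees": [o.name for o in s.visible(jsmith, "virtual")],
        "jsmith_writes_a": s.can_write(jsmith, vs_a),
        "jsmith_writes_common": s.can_write(jsmith, vs_common),
        "jsmith_reads_b": s.can_read(jsmith, vs_b),
        "jsmith_manages_users": s.can_write(jsmith, admin_acct),
        "bjones_pool_lands_in": s.create(bjones, "pool_b", "pool").partition,
        "admin_creates_in": s.create(admin, "vs_new", "virtual").partition,
    }
    out["admin_sees"] = len(s.visible(admin, "virtual"))
    try:
        s.create(ops, "vs_x", "virtual")
        out["operator_create"] = "allowed"
    except PermissionError:
        out["operator_create"] = "denied"
    return out
```

Running `demo()` shows jsmith listing only `vs_common` and `vs_a`, writable in A but read-only in Common, with no view of partition B and no authority over user accounts; bjones's new pool is placed in B without him choosing it; the Operator account is refused a Create; and the Administrator, having selected B, creates there and lists every virtual server on the system.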