Manual Chapter: Users, User Groups, and Roles

Overview: Users, user groups, and roles

A user is an individual to whom you provide resources. You provide access to users for specific BIG-IQ® system functionality through authentication. You can associate a user with a specific role, or associate a user with a user group and then associate the group with a role.

A role is defined by its specific privileges. A user group is a group of individuals that have access to the same resources. When you associate a role with a user or user group, that user or user group is granted all of the role's corresponding privileges.

By default, the BIG-IQ® system provides the following default user types:

| Default user type | Default password | Access rights |
| --- | --- | --- |
| admin | admin | This user type can access all aspects of the BIG-IQ system from the system's user interface. |
| root | default | This user has access to all aspects of the BIG-IQ system from the system's console command line. |

User types persist and are available after a BIG-IQ system failover. You can authenticate users locally on the BIG-IQ system or remotely through LDAP or RADIUS.

Changing the default password for the administrator user

You must specify the management IP address settings for the BIG-IQ® system to prompt the system to automatically create the administrator user.
After you initially license and configure the BIG-IQ system, it is important to change the administrator role password from the default, admin.
  1. Log in to BIG-IQ System with your administrator user name and password.
  2. At the top of the screen, click Access Control.
  3. On the Users panel, for Admin User, click the gear icon and then Properties.
  4. In the Old Password field, type the password.
  5. In the Password and Confirm Password fields, type a new password.
  6. Click Save.

Adding a locally-authenticated BIG-IQ user

You create a user so you can then associate that user with a particular role to define access to specific BIG-IQ® system resources.
  1. Log in to BIG-IQ System with your administrator user name and password.
  2. At the top of the screen, click Access Control.
  3. Hover over the Users header, and click the + icon when it appears.
    The panel expands to display the User properties.
  4. From the Auth Type Provider list, select Local.
  5. In the Full Name field, type a name to identify this user.
    The full name can contain a combination of symbols, letters, numbers and spaces.
  6. In the Password and Confirm Password fields, type the password for the new user.
  7. Click the Add button.
You can now associate this user with a role.

Adding a remotely-authenticated LDAP user

You create a user so you can then associate that user with a particular role to define access to specific BIG-IQ® system resources.
  1. Log in to BIG-IQ System with your administrator user name and password.
  2. At the top of the screen, click Access Control.
  3. Hover over the Users header, and click the + icon when it appears.
    The panel expands to display the User properties.
  4. From the Auth Type Provider list, select Remote LDAP.
  5. For the Auth Provider setting, select the remote LDAP server to use for authorization.
  6. In the Distinguished Name field, type a name to identify this user.
    The full name can contain a combination of symbols, letters, numbers and spaces.
  7. Click the Add button.
You can now associate this user with a role.

Adding a remotely-authenticated RADIUS user

You create a user so you can then associate that user with a particular role to define access to specific BIG-IQ® system resources.
  1. Log in to BIG-IQ System with your administrator user name and password.
  2. At the top of the screen, click Access Control.
  3. Hover over the Users header, and click the + icon when it appears.
    The panel expands to display the User properties.
  4. From the Auth Type Provider list, select Remote RADIUS.
  5. For the Auth Provider setting, select the remote RADIUS server to use for authorization.
  6. Click the Add button.
You can now associate this user with a role.

Creating a user group

Create a user group to offer individual users access to the same resources.
  1. Log in to BIG-IQ System with your administrator user name and password.
  2. At the top of the screen, click Access Control.
  3. Hover on the User Groups header, click the + icon when it appears, then click New User Group.
  4. In the Name field, type a name for this new user group.
  5. For the Auth Provider Type setting, select the type of authorization provider for this user group.
    • If you selected LDAP, specify the group DN for the LDAP server. You must supply the fully distinguished name. For example, cn=BIG-IQ_admin,dc=mgmt,dc=net. Alternatively, you can click Search and select the group DN from a list.
    • If you selected RADIUS, specify the key and value associated with users on the RADIUS server for this group.
  6. Click the Add button.
You can now associate users with this user group, and the group with a role.

About user roles

As a system manager, you need a way to differentiate between users and to limit user privileges based on their responsibilities. To assist you, the BIG-IQ® system has created a default set of roles you can assign to a user. Roles persist and are available after a BIG-IQ system failover.

Role definitions

The BIG-IQ® system ships with several standard roles, which you can assign to individual users.

| Role | Description |
| --- | --- |
| Administrator | Responsible for overall administration of all licensed aspects of the BIG-IQ system. These responsibilities include adding individual users, assigning roles, discovering BIG-IP® systems, installing updates, activating licenses, and configuring a BIG-IQ high availability (HA) configuration. |
| Device Manager | Responsible for device administration including device discovery, group creation, licensing, and management of software images, UCS backups, templates, connectors, certificates, self IP addresses, VLANs, and interfaces. This role must first create a group before discovering and managing devices. |
| Network Security Deploy | Can view and deploy firewall configuration objects associated with managed firewall devices. |
| Network Security Edit | Can view and modify configuration objects associated with managed firewall devices, including the ability to create, modify, or delete all shared and firewall-specific objects. |
| Network Security Manager | Has all of the privileges assigned to the Network Security View, Network Security Edit, and Network Security Deploy roles. |
| Network Security View | Can only view configuration objects and tasks for all firewall devices under management. |
| Security Manager | Has all of the privileges assigned to the Network Security View, Network Security Edit, and Network Security Deploy roles. |
| Web App Security Manager | Responsible for administration of the individual components of web application security, including associated devices, policies, virtual servers, signature files, and deployments. |

Associating a user or user group with a role

Before you can associate a user or user group with a role, you must create a user or user group.
When you associate a user or user group with a role, you define the resources users can view and modify. You can associate multiple roles with a given user.
  1. Log in to BIG-IQ System with your administrator user name and password.
  2. At the top of the screen, click Access Control.
  3. On the Users or User Groups panel, click the name you want to associate with a role, and drag and drop it on a role on the Roles panel.
    A confirmation popup screen opens.
  4. Click the Confirm button to assign the user or user group to the selected role.
This user or user group now has access to the resources associated with the role you specified.
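
Because a user can hold several roles, directly or through a user group, a periodic access review should compute each user's effective roles. The following is an added example, not BIG-IQ code or API output: the inventory layout, user names, and group names are constructed, and flagging a user who holds both edit and deploy privileges is an assumed review policy, not a rule stated in this chapter.

```python
# Added example: offline access review. Role names come from the role table on
# this page; users, groups and the inventory layout are constructed for illustration.
COMPOSITE = {  # roles the table describes as holding other roles' privileges
    "Network Security Manager": {"Network Security View", "Network Security Edit",
                                 "Network Security Deploy"},
    "Security Manager": {"Network Security View", "Network Security Edit",
                         "Network Security Deploy"},
}

INVENTORY = {  # constructed sample, not BIG-IQ output
    "user_roles": {"alice": ["Administrator"], "bob": ["Network Security Edit"],
                   "carol": ["Network Security View"]},
    "group_members": {"fw-deployers": ["bob", "dave"], "fw-leads": ["carol"]},
    "group_roles": {"fw-deployers": ["Network Security Deploy"],
                    "fw-leads": ["Network Security Manager"]},
}

def effective_roles(user, inv):
    """Map each role the user holds to the set of paths that grant it."""
    granted = {}
    for role in inv["user_roles"].get(user, []):
        granted.setdefault(role, set()).add("direct")
    for group, members in inv["group_members"].items():
        if user in members:
            for role in inv["group_roles"].get(group, []):
                granted.setdefault(role, set()).add("group:" + group)
    for role in list(granted):  # expand composite roles into the roles they include
        for implied in COMPOSITE.get(role, ()):
            granted.setdefault(implied, set()).add("via:" + role)
    return granted

def review(inv):
    """Return (user, finding) pairs worth a human look, sorted by user name."""
    users = set(inv["user_roles"])
    for members in inv["group_members"].values():
        users.update(members)
    findings = []
    for user in sorted(users):
        roles = set(effective_roles(user, inv))
        if "Administrator" in roles:
            findings.append((user, "holds Administrator"))
        if {"Network Security Edit", "Network Security Deploy"} <= roles:
            findings.append((user, "can both edit and deploy firewall objects"))
    return findings

if __name__ == "__main__":
    for user, finding in review(INVENTORY):
        print(f"{user}: {finding}")
```

The grant paths returned by effective_roles show whether a role comes from a direct association, a group, or a composite role, which tells the reviewer which association has to change to remove it.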

Disassociating a user from a role

Use this procedure to disassociate a user from an assigned role.
  1. Log in to BIG-IQ System with your administrator user name and password.
  2. At the top of the screen, click System > Users.
  3. Click the name of the user you want to edit.
  4. For the User Roles property, delete the user role that you want to disassociate from this user.
  5. Click the Save button to save your changes.
This user no longer has the privileges associated with the role you deleted.