Manual Chapter : Users User Groups and Roles

Applies To:

Show Versions Show Versions

BIG-IQ Centralized Management

  • 4.6.0
Manual Chapter

Overview: Users, user groups, and roles

A user is an individual to whom you provide resources. You provide access to users for specific BIG-IQ® system functionality through authentication. You can associate a user with a specific role, or associate a user with a user group and then associate the group with a role.

A role is defined by its specific privileges. A user group is a group of individuals that have access to the same resources. When you associate a role with a user or user group, that user or user group is granted all of the role's corresponding privileges.

By default, the BIG-IQ® system provides the following default user types:

Default user type Default password Access rights
admin admin This user type can access all aspects of the BIG-IQ system from the system's user interface.
root default This user has access to all aspects of the BIG-IQ system from the system's console command line.

User types persist and are available after a BIG-IQ system failover. You can authenticate users locally on the BIG-IQ system or remotely through LDAP or RADIUS.

About default passwords for pre-defined users

When you initially license the BIG-IQ® system, it creates the following administrative roles with a default password.

  • admin
  • root
Note: Refer to the Changing the default password for the administrator user for instructions for changing the default password.

Adding a locally-authenticated BIG-IQ user

You create a user so you can then associate that user with a particular role to define access to specific BIG-IQ® system resources.
  1. Log in to BIG-IQ System with your administrator user name and password.
  2. At the top of the screen, click Access Control.
  3. Hover over the Users header, and click the + icon when it appears.
    The panel expands to display the User properties.
  4. From the Auth Type Provider list, select Local.
  5. In the Full Name field, type a name to identify this user.
    The full name can contain a combination of symbols, letters, numbers and spaces.
  6. In the Password and Confirm Password fields, type the password for the new user.
  7. Click the Add button.
You can now associate this user with a role.

About user roles

As a system manager, you need a way to differentiate between users and to limit user privileges based on their responsibilities. To assist you, the BIG-IQ® system has created a default set of roles you can assign to a user. Roles persist and are available after a BIG-IQ system failover.

Roles definitions

BIG-IQ® system ships with several standard roles, which you can assign to individual users.

Role Description
Administrator Responsible for overall administration of all licensed aspects of the BIG-IQ system. These responsibilities include adding individual users, assigning roles, discovering BIG-IP® systems, installing updates, activating licenses, and configuring a BIG-IQ high availability (HA) configuration.
Device Manager Responsible for device administration including device discovery, group creation, licensing, and management of software images, UCS backups, templates, connectors, certificates, self IP addresses, VLANs, and interfaces. This role must first create a group before discovering and managing devices.
Network Security Deploy Can view and deploy firewall configuration objects associated with managed firewall devices.
Network Security Edit Can view and modify configuration objects associated with managed firewall devices, including the ability to create, modify, or delete all shared and firewall-specific objects.
Network Security Manager Has all of the privileges assigned to the Network Security View, Network Security Edit, and Network Security Deploy roles.
Network Security View Can only view configuration objects and tasks for all firewall devices under management.
Security Manager Has all of the privileges assigned to the Network Security View, Network Security Edit, and Network Security Deploy roles.
Web App Security Manager Responsible for administration of the individual components of web application security, including associated devices, policies, virtual servers, signature files, and deployments.

Associating a user or user group with a role

Before you can associate a user or user group with a role, you must create a user or user group.
When you associate a user or user group with a role, you define the resources users can view and modify. You can associate multiple roles with a given user.
  1. Log in to BIG-IQ System with your administrator user name and password.
  2. At the top of the screen, click Access Control.
  3. On the Users or User Groups panel, click the name you want to associate with a role, and drag and drop it on a role on the Roles panel.
    A confirmation popup screen opens.
  4. Click the Confirm button to assign the user or user group to the selected role.
This user or user group now has access to the resources associated with the role you specified.

Disassociating a user from a role

Use this procedure to disassociate a user from an assigned role.
  1. Log in to BIG-IQ System with your administrator user name and password.
  2. At the top of the screen, click System > Users.
  3. Click the name of the user you want to edit.
  4. For the User Roles property, delete the user role that you want to disassociate from this user.
  5. Click the Save button to save your changes.
This user no longer has the privileges associated with the role you deleted.