Manual Chapter: Users, User Groups, Roles, and Authentication

Applies To: BIG-IQ Centralized Management 5.3.0

How do I limit privileges for users based on their role in the company?

F5® BIG-IQ® Centralized Management provides you the tools you need to customize user access to your managed devices, and to BIG-IQ itself, through the use of role-based privileges. These privileges are based on the responsibilities of your users.

This type of role-specific access also provides you insight into your work flows. You can easily see which user interacted with any given service, and what the interaction was. This can help you quickly troubleshoot any introduced conflicts.

You can set up BIG-IQ to authorize users, giving them access only to the information their role requires, using these methods:

  • Local authorization - for this option, BIG-IQ authenticates users.
  • External authorization - for this option, you can configure BIG-IQ to use your LDAP, RADIUS, or TACACS+ server to authenticate users.

Assigning more than one role to a user

The responsibilities and roles each of your users has probably depend on the number of people who have access to BIG-IQ.

For example, if you have only two people managing your devices from BIG-IQ, they both most likely need to have full access to all aspects of BIG-IQ at one time or another. For these users, you'd assign them both the Administrator role.

Assigning more granular/specialized privileges to a user

On the other hand, if you're working for a larger company that has specialized roles to manage different services, or different parts of services, you can provide more granular access. For example, if you have two people who manage BIG-IP devices used only for network security purposes, you could assign them both the role of Network Security Manager. Or, if you have two people managing devices used for network security, but you want only one of them to write and edit policies, and the other to (only) deploy the policies, you could assign the first person the Network Security Editor role, and the other person the Network Security Deploy role. In this case, the Network Security Editor can only create, view, and edit policies, but not deploy them. The Network Security Deploy person can view and deploy policies, but cannot create or edit them.

Adding a new Pool Member Operator or Virtual Server Operator role

In addition to the standard roles that ship with BIG-IQ®, there are two roles specific only to LTM that you can add to your available options. These roles are:

  • Pool Member Operator - This role has access to enable, disable, or force offline pool members on pools to which the administrator has granted them access.
  • Virtual Server Operator - This role has access to enable or disable virtual servers to which the administrator has assigned them access.
  1. At the top of the screen, click System.
  2. On the left, click USER MANAGEMENT > Roles .
  3. Click the Add button.
  4. In the Name field, type a name to identify this new role.
  5. From the Role Type list, select the kind of role you want to add.
  6. From the Active Users and Groups list, select the user or group you want to associate with this new role.
  7. Click the + sign if you want this role to have access to another user or group, and select the device group from the list.
  8. Click the Save & Close button at the bottom of the screen.

Add a user and assign them a role

Once you understand exactly who you want to perform certain tasks, you can provide them access to particular areas of F5® BIG-IQ® Centralized Management by adding them as a user and assigning the appropriate standardized role. You can assign as many roles as required to cover the user's responsibilities.
Important: Since some roles have access only to certain areas or screens in the BIG-IQ user interface, it's important to communicate that to the user. When you assign a role to a user, be sure you outline the responsibilities and restrictions for their role. Clarifying this helps avoid any potential confusion. Also note that these roles do not have access to the global search functionality: Network Security Manager, Network Security Edit, Network Security View, and Trust Discovery Import.
  1. At the top of the screen, click System.
  2. On the left, click USER MANAGEMENT > Users .
  3. Click the Add button.
  4. From the Auth Provider list, select the authentication method you want to use for this user.
  5. In the User Name field, type the user name for this new user.
  6. In the Full Name field, type a name to identify this user.
    The full name can contain a combination of symbols, letters, numbers and spaces.
  7. In the Password and Confirm Password fields, type the password for this new locally-authenticated user.
    You can change the password any time.
  8. To associate this user with an existing user group, select the group from the User Groups list.
    You aren't required to associate a user group at this point; you can do that later if you want. If you want to associate another user group with this user, click +.
  9. From the User Roles list, select a user role to associate with this user.
    Each role has a set of unique privileges. If you want to associate another user role with this user, click +.
    Important: Be sure to let your users know that their access to certain parts of the BIG-IQ user interface depends on which role they are assigned.
  10. Click the Save & Close button at the bottom of the screen.
This user now has the privileges associated with the role(s) you selected, and BIG-IQ will authenticate this user locally.
You can now tell this user how their BIG-IQ access aligns with their responsibilities. Make sure they understand they might not see every screen you or one of their peers does. Also let them know that if they try to log in more than 5 times in 5 minutes with the wrong user name and/or password, they might get the following error: Maximum number of login attempts exceeded. If that happens, the user must wait 5 minutes before trying to log back in.
Note: If your BIG-IQ is in an HA pair, you must synchronize this change by refreshing the secondary BIG-IQ.

Synchronize new users and user groups with secondary BIG-IQ

You must configure two BIG-IQ® Centralized Management systems in a high availability (HA) pair before you can synchronize users and user groups with a secondary BIG-IQ.
Users and user groups are handled differently than other data that's synchronized between BIG-IQ® systems in an HA pair. For that reason, you must refresh the secondary BIG-IQ system in an HA pair after you add a new user or user group. Refresh the secondary BIG-IQ system so new users and user groups can successfully log in to the secondary system.
  1. At the top of the screen, click System.
  2. On the left, click BIG-IQ HA.
  3. At the top of the screen, click the BIG-IQ HA Settings button.
  4. Click the Log Out and Refresh button.
  5. Click OK, then Log Out.
    BIG-IQ logs you out of the system.
You should now be able to log in to the secondary BIG-IQ system with the new user and/or user group you added.

Change your BIG-IQ user password

For security reasons, you need to occasionally change your user password.
  1. At the top of the screen, click System.
  2. On the left, click USER MANAGEMENT > Users .
  3. Click your user name.
  4. In the Old Password field, type the password.
  5. In the Password and Confirm Password fields, type a new password.
  6. Click the Save & Close button at the bottom of the screen.

Remove a BIG-IQ user from a role

If a job or responsibilities change for an employee, you can use this procedure to disassociate that BIG-IQ user from an assigned role.
  1. At the top of the screen, click System.
  2. On the left, click USER MANAGEMENT > Users .
  3. On the Users inventory list, click the name of the user.
    The screen refreshes to display the properties for this user.
  4. From the User Roles list, select the user role to disassociate from this user and click the X.
    The selected user role is removed from the list of privileges assigned to this user.
  5. Click the Save & Close button at the bottom of the screen.
This user no longer has the privileges associated with the role you deleted.

Use my LDAP server to authenticate BIG-IQ users

F5® BIG-IQ® Centralized Management can verify user credentials against your company's LDAP server (LDAP server versions 2 and 3, and OpenLDAP directory, Apache Directory Server, and Active Directory). After you set up BIG-IQ to use your LDAP server, you can add users and user groups that are authenticated by your LDAP server.

Before integrating BIG-IQ with your LDAP server for authentication

Before integrating LDAP authentication with the F5® BIG-IQ® Centralized Management system, you must complete these tasks.

For each task, note the corresponding value for your own LDAP server.

  1. Task: Use an LDAP browser to review the groups and users in your directory's structure and determine where they are located in the organizational units (OUs). Then, decide how you want to map those names.
    Notes: There are two ways you can do this. The first option is to map users directly to their Distinguished Name (DN) in the directory with a user bind template in the form of uid=<username>, ou=people, o=sevenSeas. For example, you'd map John Smith's user name to his DN as uid=<jsmith>, ou=people, o=sevenSeas; he would log in as jsmith and would be correctly authenticated with his user name in the directory through his DN.
    The second option is to allow users to log in with names that do not map directly to their DN by specifying a userSearchFilter in the form of (&(uid=%s)) when creating the provider. For example, if John Smith's DN is cn=John Smith,ou=people,o=sevenSeas, but you would like him to be able to log in with jsmith, specify a userSearchFilter in the form of (&(jsmith=%s)). If your directory does not allow anonymous binds, you must also specify a bindUser and bindPassword so that the BIG-IQ system can validate the user's credentials.
  2. Task: Decide which groups in your directory to map with BIG-IQ groups.
    Notes: If you configured a bindUser and bindPassword for users, the BIG-IQ system displays a list of groups from which to choose. If you haven't configured this for your users, you must know the DN for each group.
  3. Task: Find out the DN under which all users and groups can be queried or viewed.
    Notes: This is the root bind DN for your directory, defined as rootDN when you create a provider. The BIG-IQ system uses the root bind DN as a starting point when it searches for users and groups.
  4. Task: Find the host IP address for the LDAP server.
    Notes: The default port is 389 if not specified otherwise, or 636 if SSL is enabled.

Set up BIG-IQ to use your LDAP server for user authentication

Before you can set up BIG-IQ to authenticate users against your LDAP server, you have to specify your LDAP server settings on F5® BIG-IQ® Centralized Management and perform all the tasks outlined in the section titled Before integrating BIG-IQ with your LDAP server for authentication.

You can configure BIG-IQ to use one or more of your company's LDAP servers to authenticate users.

  1. At the top of the screen, click System.
  2. On the left, click USER MANAGEMENT > Auth Providers .
  3. Click the Add button.
  4. From the Provider Type list, select LDAP.
  5. In the Name field, type a name for this new provider.
    This must be a unique name, and can be a maximum of 152 characters.
  6. In the Host field, type the IP address of your LDAP server.
  7. For the Servers setting, in the Port field, type the port that your LDAP server (for example, Active Directory) uses.
    If you want BIG-IQ to use an SSL port to communicate with your LDAP server, type 636; otherwise leave it at the default port, 389.
  8. To use an SSL port to communicate with the LDAP server, for the SSL Enabled setting, select the Enabled check box.
  9. If your LDAP server does not allow anonymous binds, in the Bind User and Bind User Password fields, type the full distinguished name and password of a user with query access.
  10. In the Root DN field, type the root context that contains users and groups.
    The root context must be a full distinguished name.
  11. For the Authentication Method setting, specify a method.
    • Simple - Select this option to require a user name and password for authentication.
    • None - Select this option to prompt the LDAP server to ignore the user name and password.
    Warning: No password authentication is used if you select None.
  12. For the Search Scope setting, select an option to specify the depth at which searches are made.
  13. In the Search Filter field, type the LDAP filter expression that determines how users are found.
    The search filter depends on your LDAP implementation.
  14. In the Connect Timeout field, type the number of milliseconds after which the BIG-IQ system stops trying to connect to the LDAP server.
  15. In the Read Timeout field, type the number of seconds the BIG-IQ system will wait for a response to a query.
  16. In the User Display Name Attribute field, type the LDAP field to use for the name that BIG-IQ displays.
    When using Active Directory, this is typically displayName.
  17. To direct bind to a distinguished name, in the User Bind Template field, type the name.
    For example, cn={username},ou=people,o=sevenSeas.
    Now, when a user logs in, BIG-IQ inserts the user name into the template in place of the token, and the resulting distinguished name is used to bind to the directory.
  18. To prompt the LDAP provider to search for groups based on a specific display name attribute, in the Group Display Name Attribute field, type an attribute.
    This attribute is typically cn.
  19. Leave the Group Search Filter at its default query to return all groups under the provided rootDN.
    Alternatively, if you have a large number of groups (more than 100), you can base the search on a specific term by typing a query with a {searchterm} token in this field.

    For example: (&(objectCategory=group)(cn={searchterm}*))

  20. To specify a query for finding a user's group, in the Group Membership Filter field, type a query string.
    Use the token {userDN} anywhere that the user's distinguished name should be supplied in the LDAP query.

    You can use a {username} token as a substitute for the user’s login name in a query.

    Leave this setting at the default (|(member={username})(uniqueMember={username})) unless the provider is Active Directory.
  21. To specify a query attribute for finding users in a particular group, in the Group Membership User Attribute field, type the attribute.
    When using Active Directory, use memberof. For example: (memberOf=cn=group_name,ou=organizational_unit,dc=domain_component)
    For other LDAP directories, use groupMembershipFilter. For example: (groupMembership=cn=group_name,ou=organizational_unit,o=organization)
  22. Select the Perform Test check box to test this provider.
  23. Click the Save & Close button at the bottom of the screen.
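The templates in steps 17, 19 and 20 are filled in by token substitution at login time. The example below is added here and is not F5 code: BIG-IQ's own substitution is not published, so the escaping is my own, and it shows what a safe rendering of the sevenSeas templates looks like (the membership template uses the {userDN} token described in step 20 rather than the page's {username} default, since member and uniqueMember hold DNs).

```python
"""Token substitution for the BIG-IQ LDAP provider fields in steps 17, 19 and 20.
Added example, not F5 code: BIG-IQ's own substitution is not published, so the
escaping here is my own; it shows what a safe rendering of the templates looks like."""

DN_SPECIALS = ',+"\\<>;'                       # RFC 4514 characters needing a backslash
FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a",   # RFC 4515 \xx escapes for filter values
                  "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_dn_value(value: str) -> str:
    """Escape a value that is spliced into a distinguished name (RFC 4514)."""
    last = len(value) - 1
    out = []
    for i, ch in enumerate(value):
        if ch in DN_SPECIALS or (ch == "#" and i == 0) or (ch == " " and i in (0, last)):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def escape_filter_value(value: str) -> str:
    """Escape a value that is spliced into a search filter (RFC 4515)."""
    return "".join(FILTER_ESCAPES.get(ch, ch) for ch in value)


def render_bind_dn(template: str, username: str) -> str:
    """Step 17 (User Bind Template): the login name replaces {username}."""
    return template.replace("{username}", escape_dn_value(username))


def render_group_search(template: str, searchterm: str) -> str:
    """Step 19 (Group Search Filter): the typed term replaces {searchterm};
    the trailing * in the template stays a wildcard, a * in the term does not."""
    return template.replace("{searchterm}", escape_filter_value(searchterm))


def render_membership_filter(template: str, username: str, user_dn: str) -> str:
    """Step 20 (Group Membership Filter): {userDN} and {username} tokens.
    The DN is already RFC 4514-escaped, so its backslashes become \\5c here."""
    rendered = template.replace("{userDN}", escape_filter_value(user_dn))
    return rendered.replace("{username}", escape_filter_value(username))


# Templates taken from the procedure above (sevenSeas example directory).
BIND_TEMPLATE = "cn={username},ou=people,o=sevenSeas"
GROUP_SEARCH = "(&(objectCategory=group)(cn={searchterm}*))"
MEMBERSHIP = "(|(member={userDN})(uniqueMember={userDN}))"

if __name__ == "__main__":
    dn = render_bind_dn(BIND_TEMPLATE, "jsmith")
    print(dn)
    print(render_membership_filter(MEMBERSHIP, "jsmith", dn))
    # A term containing filter metacharacters still yields exactly one cn clause:
    rendered = render_group_search(GROUP_SEARCH, "net)(cn=")
    print(rendered, rendered.count("(") == GROUP_SEARCH.count("("))
```

Whatever a user types, a correctly escaped rendering has the same number of filter clauses as the template; comparing the count of "(" before and after substitution is a quick check when testing a provider with the Perform Test option.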

Create an LDAP-authenticated user group

Before you can add an LDAP-authenticated user group, you must set up BIG-IQ® to use your company's LDAP server for user authentication (using the USER MANAGEMENT > Auth Providers screen).

You create a user group to give a set of individual users who are authenticated by the same LDAP server a common set of privileges.

  1. At the top of the screen, click System.
  2. At the left, click USER MANAGEMENT > User Groups .
    The User Groups screen opens.
  3. Click the Add button.
  4. In the Name field, type a name for this new user group.
  5. From the Auth Provider list, select LDAP.
  6. In the Remote Group field, type a term to search for remote groups.
  7. In the Group DN field, type the distinguished name for this group.
  8. From the User Roles list, select the user role that has the privileges you want to grant to this user group.
  9. Click the Save & Close button at the bottom of the screen.

Use my RADIUS server to authenticate and authorize BIG-IQ users

F5® BIG-IQ® Centralized Management can verify user credentials against your company's RADIUS server. After you set up BIG-IQ to use your RADIUS server, you can add users and user groups authorized by that server.

Before integrating BIG-IQ with your RADIUS server for authentication and authorization

Before you set up BIG-IQ® Centralized Management for authentication and authorization with your RADIUS server, gather the following information.

Required information (note the value for your own RADIUS server next to each item):

  • Name - The name of your RADIUS server.
  • Host - The IP address or host name of your RADIUS server.
  • Port - The port number of your RADIUS server.
  • Secret - The case-sensitive text string used to validate communication.
  • Test user name and password - A user name and password, authenticated on your RADIUS server.
  • Key and Value properties for your RADIUS server - The RADIUS server uses these for authentication and encryption.

Set up BIG-IQ to use my RADIUS server for user authentication

Before you can set up authentication, you must have specified your DNS settings. You usually do this when you license F5® BIG-IQ® Centralized Management.

You can set up BIG-IQ to use your company's RADIUS server. You can add two additional backup RADIUS servers in case the primary server is not available for authentication.

  1. At the top of the screen, click System.
  2. On the left, click USER MANAGEMENT > Auth Providers .
  3. Click the Add button.
  4. From the Provider Type list, select RADIUS.
  5. In the Name field, type a name for this new provider.
    This must be a unique name, and can be a maximum of 152 characters.
  6. For the Servers setting, in the Host and Port fields, type the RADIUS server's IP address (or fully qualified domain name) and port number for each of the servers you want to configure.

    The primary server is mandatory. A secondary server and tertiary server, which will be used if the primary or secondary servers fail, are optional.

  7. In the Secret field, type the case-sensitive text string used to validate communication.
  8. In the Test User and Test Password fields, type a user and password, then click the Test button to verify that BIG-IQ can reach the RADIUS server.
  9. Click the Save & Close button at the bottom of the screen.
You can now associate RADIUS server users and groups with BIG-IQ system roles.

Update BIG-IQ dictionary with vendor-specific RADIUS attributes

You must have root access to the BIG-IQ system's command line through SSH for this procedure.

Some RADIUS deployments include non-standard, vendor-specific attributes in the dictionary files. For these deployments, you must update the BIG-IQ system's default dictionary.

  1. Copy the TinyRadius .jar file from the BIG-IQ system.
  2. Extract the contents of the TinyRadius .jar file.
  3. Update the org/tinyradius/dictionary/default_dictionary file by adding the vendor-specific attributes.
  4. Repack the contents into a new .jar file.
  5. Replace the old TinyRadius .jar on each BIG-IQ system with the new TinyRadius .jar file you created in step 4.

For example:

  1. From a Linux machine, copy the TinyRadius .jar file from your BIG-IQ system by typing: scp <big-iq-user>@<BIG-IQ-Address>:/usr/share/java/TinyRadius-1.0.jar ~/tmp/tinyrad-upgrade/
  2. Extract the file on your Linux machine by typing: jar -xvf TinyRadius-1.0.jar
  3. Edit org/tinyradius/dictionary/default_dictionary, adding the vendor-specific attribute, then repack the jar from the same directory by typing:
    rm TinyRadius-1.0.jar
    jar cvf TinyRadius-1.0.jar *
    
  4. Update the jar on the BIG-IQ system by typing: scp TinyRadius-1.0.jar <your_user>@<BIG-IQ address>:/var/tmp/
  5. SSH to the BIG-IQ system and type the following commands:
    mount -o remount,rw /usr
    cp /var/tmp/TinyRadius-1.0.jar /usr/share/java
    mount -o remount,ro /usr
    bigstart restart restjavad
    
  6. Repeat steps 4 and 5 for each BIG-IQ in an HA configuration.
Now you can use the vendor-specific RADIUS attributes to create your user groups on BIG-IQ.
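Steps 1 to 4 of the procedure above can be done without a manual unpack, edit and repack; the example below is added here and is not F5 or TinyRadius code. It rewrites the jar with the extra dictionary lines appended and refuses malformed lines up front, because a dictionary restjavad cannot parse is only discovered at the restart in step 5. The accepted line shapes are my reading of the TinyRadius dictionary syntax and are an assumption to compare against the lines already in your default_dictionary; the vendor id 99999 and the ExampleCorp names are constructed placeholders.

```python
"""Repack TinyRadius-1.0.jar with extra vendor-specific dictionary lines.
Added example, not F5 or TinyRadius code. Line shapes (ATTRIBUTE name code type;
VENDOR id name; VENDORATTR vendor-id name code type; VALUE attribute name code)
are an assumption to check against the existing default_dictionary."""
import io
import zipfile

DICT_PATH = "org/tinyradius/dictionary/default_dictionary"

# keyword -> (token count, positions that must be decimal integers)
LINE_SHAPES = {
    "ATTRIBUTE": (4, (2,)),
    "VENDOR": (3, (1,)),
    "VENDORATTR": (5, (1, 3)),
    "VALUE": (4, (3,)),
}


def validate_dictionary_line(line: str) -> bool:
    """True for blank/comment lines and for lines matching one of LINE_SHAPES."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return True
    tokens = stripped.split()
    shape = LINE_SHAPES.get(tokens[0].upper())
    if shape is None or len(tokens) != shape[0]:
        return False
    return all(tokens[i].isdigit() for i in shape[1])


def add_vendor_attributes(jar_bytes: bytes, extra_lines) -> bytes:
    """Return a new jar whose default_dictionary has extra_lines appended.
    Malformed lines raise before anything is written, so a broken dictionary
    never reaches /usr/share/java, where restjavad reads it at restart."""
    bad = [ln for ln in extra_lines if not validate_dictionary_line(ln)]
    if bad:
        raise ValueError("malformed dictionary line(s): %r" % bad)
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as src, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        if DICT_PATH not in src.namelist():
            raise ValueError("%s not found in jar" % DICT_PATH)
        for name in src.namelist():
            data = src.read(name)
            if name == DICT_PATH:          # every other entry is copied unchanged
                text = data.decode("utf-8")
                if not text.endswith("\n"):
                    text += "\n"
                data = (text + "\n".join(extra_lines) + "\n").encode("utf-8")
            dst.writestr(name, data)
    return out.getvalue()


def read_dictionary(jar_bytes: bytes) -> str:
    """Extract default_dictionary from a jar, for inspection before deploying."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as z:
        return z.read(DICT_PATH).decode("utf-8")


def build_sample_jar() -> bytes:
    """Constructed stand-in for TinyRadius-1.0.jar (two standard attributes)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        z.writestr(DICT_PATH, "ATTRIBUTE User-Name 1 string\n"
                              "ATTRIBUTE User-Password 2 string\n")
    return buf.getvalue()


# Constructed vendor block; 99999 and the names are placeholders, not a real vendor.
SAMPLE_VSA = [
    "# ExampleCorp vendor-specific attributes (placeholder)",
    "VENDOR 99999 ExampleCorp",
    "VENDORATTR 99999 ExampleCorp-Role 1 string",
]

if __name__ == "__main__":
    new_jar = add_vendor_attributes(build_sample_jar(), SAMPLE_VSA)
    print(read_dictionary(new_jar))
```

Run it against the real jar copied in step 1 by reading the file into jar_bytes and writing the returned bytes to a new TinyRadius-1.0.jar, then continue with step 4.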

Create a user group authorized by your RADIUS server

Before you can add a RADIUS-authenticated user group, you must set up BIG-IQ to use your company's RADIUS server for user authentication on the USER MANAGEMENT > Auth Providers screen.
Create a user group to offer individual users the same privileges on F5® BIG-IQ® Centralized Management. This user group will be authorized by your RADIUS server.
  1. At the top of the screen, click System.
  2. At the left, click USER MANAGEMENT > User Groups .
    The User Groups screen opens.
  3. Click the Add button.
  4. In the Name field, type a name for this new user group.
  5. From the Auth Provider list, select RADIUS.
  6. In the Key and Value fields, type the properties for your RADIUS server.
  7. From the User Roles list, select the user role you want to associate with this user group.
    You aren't required to associate a user role at this point; you can do that later. If you want to add another user role, click +.
  8. Click the Save & Close button at the bottom of the screen.
You can now associate users with this user group.

Using my TACACS+ server to authenticate and authorize BIG-IQ users

F5® BIG-IQ® Centralized Management can verify user credentials against your company's TACACS+ server. After you set up BIG-IQ to use your TACACS+ server, you can add users and user groups that are authenticated by your TACACS+ server.

Before integrating BIG-IQ with your TACACS+ server for authentication and authorization

Before you set up BIG-IQ® Centralized Management for authentication and authorization with your TACACS+ server, you should gather this information.

Required information (note the value for your own TACACS+ server next to each item):

  • Name - The name of your TACACS+ server.
  • Host - The IP address or host name of your TACACS+ server.
  • Port - The port number of your TACACS+ server.
  • Secret - The case-sensitive text string used to validate communication.
  • Primary Service - The service that the authorization requests are made for, such as system, shell, or connection.
  • Protocol - An optional subset of a service, such as telnet, ip, or http.
  • Test user name and password - A user name and password, authenticated on your TACACS+ server.

Set up BIG-IQ to use my TACACS+ server for user authentication

Before you can set up authentication, you must have specified your DNS settings. You usually do this when you license F5® BIG-IQ® Centralized Management. You must also complete all the tasks outlined in Before integrating BIG-IQ with your TACACS+ server.

You can set up BIG-IQ to use your company's TACACS+ server for user authentication.

  1. At the top of the screen, click System.
  2. On the left, click USER MANAGEMENT > Auth Providers .
  3. Click the Add button.
  4. From the Provider Type list, select TACACS+.
  5. For the Servers setting, in the Host and Port fields, type the TACACS+ server's IP address (or fully qualified domain name) and port number for each of the servers you want to configure.
    To add more servers, just click the + button.
  6. In the Name field, type a name for this new provider.
    This must be a unique name, and can be a maximum of 152 characters.
  7. In the Primary Service field, specify what type of authorization requests will be made for this service.
    For example: system, connection, or PPP.
  8. In the Protocol field, specify an optional subset of a service.
    For example: ip, telnet, or http.
  9. To encrypt the data, select the Yes check box for the Encrypt setting.
  10. To verify that BIG-IQ can reach the TACACS+ server, in the Test User and Test Password fields, type a valid user name and password, and click the Test button.
  11. Click the Save & Close button at the bottom of the screen.
You can now associate TACACS+ server users with BIG-IQ system roles.

Create a TACACS+-authenticated user group

Before you can add a TACACS+-authenticated user group, you must set up BIG-IQ® to use your company's TACACS+ server for user authentication (using the USER MANAGEMENT > Auth Providers screen).

You create a user group to give a set of individual users who are authenticated by the same TACACS+ server a common set of privileges.

  1. At the top of the screen, click System.
  2. At the left, click USER MANAGEMENT > User Groups .
    The User Groups screen opens.
  3. Click the Add button.
  4. In the Name field, type a name for this new user group.
  5. From the Auth Provider list, select TACACS+.
  6. For the Authorization Attributes setting, in the Attribute and Value fields, type the attribute and value pair for this group's TACACS+ server.
  7. From the User Roles list, select the user role that has the privileges you want to grant to this user group.
  8. Click the Save & Close button at the bottom of the screen.