Applies To:

Show Versions Show Versions

Manual Chapter: Managing Roles and Users
Manual Chapter
Table of Contents   |   << Previous Chapter   |   Next Chapter >>

About roles

Different users have different responsibilities. As a system manager, you need a way to differentiate between users and to limit user privileges based on user responsibilities.

To assist you, the BIG-IQ system has created a default set of roles. To view the default roles, log in to BIG-IQ and navigate to the Roles panel:

BIG-IQ > BIG-IQ System > Access Control > Roles

Roles persist and are available after a BIG-IQ system failover.

You can associate multiple roles with a given user; for example, you can grant a user the edit (Network_Security_Edit) and the deploy (Network_Security_Deploy) roles.

Administrator
This role is responsible for overall management of the platform. Users with this role can add individual users, install updates, activate licenses, and configure HA and networks.
This role is abbreviated in the table below as Admin.
Network_Security_Deploy
This role permits viewing and deploying for all firewall configuration objects for all firewall devices under management. Users with this role cannot edit configuration objects, discover devices, or reimport devices or otherwise make changes to the working configuration of the BIG-IQ system. This role cannot create, edit, or delete snapshots. Also, this role does not have access to System/Overview or Networking.
This role is abbreviated in the table below as Deploy.
Network_Security_Edit
With this role, the user can view and modify all configuration objects for all firewall devices under management, including the ability to create, modify, or delete all shared and firewall-specific objects. Users with only this role cannot deploy configuration changes to remote devices under management. Also, this role does not have access to System/Overview or Networking.
This role is abbreviated in the table below as Edit.
Network_Security_Manager
This role encompasses the roles of Network_Security_View, Network_Security_Edit, and Network_Security_Deploy. A user logging in with this role bypasses the System panel and is logged directly into BIG-IQ Security.
This role is abbreviated in the table below as NW Sec Mgr.
Network_Security_View
With this role, the user can view all configuration objects and tasks for all firewall devices under management. Users with this role cannot edit objects and cannot initiate a discovery or deployment task.
This role is abbreviated in the table below as View.
Security_Manager
This role combines the privileges of Network_Security_View, Network_Security_Edit, and Network_Security_Deploy. A user logging in with this role is logged directly into BIG-IQ Security. A user logging in with this role can also access BIG-IQ Web Application Security.
This role is abbreviated in the table below as Sec Mgr.
Web_App_Security_Manager
This role carries administrator-level rights for the BIG-IQ Web Application Security module only.
This role does not appear in the table below.

About access control: features and the roles that can perform them

Feature View Edit Deploy Sec Mgr NW Sec Mgr Admin
View policy, objects, snapshots, deployments, devices, groups X X X X X X
Create/update/delete configuration objects   X   X X X
Create/delete snapshots   X X X X X
Compare (view differences between) snapshots X X X X X X
Restore working configuration from snapshot   X   X X X
Deploy from snapshot     X X X X
DMA (declare management authority)   X   X X X
RMA (rescind management authority)   X   X X X
Deploy working config; create/delete deployment tasks     X X X X
View audit log X X X X X X
Delete, configure audit log       X   X
Create/update/delete device groups   X   X X X
Manage users           X
Manage system           X

About user types

By default, the BIG-IQ Network Security system provides these default user types:

admin
This user can assign roles to users, but cannot access the command shell or system console.
root
This user can access the system console.

User types persist and are available after a BIG-IQ system failover.

Creating user accounts

As the firewall manager, it is your responsibility to create the right set of user accounts and associate those users with the right roles (sets of privileges). By managing user roles, you place controls on specific functions (view, edit, and deploy).

User accounts and roles persist and are available after a BIG-IQ system failover.

  1. Log in to the BIG-IQ system and click BIG-IQ System > Access Control > Users.
  2. Hover over the Users banner, click the + icon, and select New User.
  3. Complete the fields as required.
    Option Description
    Username Enter the user's login name.
    Auth Provider Accept the default of local or from the dropdown list, select the provider that supplies the credentials required for authentication.
    Full Name Enter the user's actual name. This field can contain a combination of symbols, letters (upper and lowercase), numbers, and spaces.
    Password Enter the password for this user.
    Confirm Password Retype the password.
  4. Click Add to save your edits and create the user account (or click Cancel to close the panel without saving your entries).
You can now associate this user with a specific role (set of privileges).

Associating users with roles

You can control what users are able to accomplish by associating roles (sets of privileges) with particular users.
  1. Log in to the BIG-IQ system and click BIG-IQ System > Access Control > Users.
  2. In the Users panel, click the user that you want to associate with a role and drag the user onto the role (Roles panel). Conversely, you can also drag the role onto the user.
The user now has the privileges commensurate with his role. To confirm, click the gear icon for the user, and select Properties. Or, click the gear icon for the role and view the Active Users and Groups.

Disassociating users from roles

You disable a user's ability to perform a given function by disassociating roles (sets of privileges) from that user.
  1. Log in to the BIG-IQ system and click BIG-IQ System > Access Control > Roles.
  2. In the Roles panel, hover over the role that contains the user you want to disassociate, click the gear icon, and select Properties.
  3. To the right of Active Users and Groups, view the list of users and groups associated with the role.
  4. Click the X next to the user or group that you want to disassociate from the role.
  5. Click Save.
The user is now disassociated from the role, and no longer has the privileges associated with the role.
Table of Contents   |   << Previous Chapter   |   Next Chapter >>

Was this resource helpful in solving your issue?




NOTE: Please do not provide personal information.



Incorrect answer. Please try again: Please enter the words to the right: Please enter the numbers you hear:

Additional Comments (optional)