Manual Chapter: User roles

Applies To: BIG-IP AAM, APM, GTM, Analytics, Link Controller, LTM, PEM, AFM, and ASM, versions 11.6.1, 11.6.2, 11.6.3, 11.6.4, and 11.6.5.

What is a user role?

A user role is a property of a BIG-IP® administrative user account. For each BIG-IP user account, you can assign a different user role to each administrative partition to which the user has access. This allows you to assign multiple user roles to each user account on the system.

A user role controls the following:

The types of resources that the user can manage
User roles define the types of resources, or objects, that a user can manage. For example, a user with the role of Operator can enable or disable nodes and pool members only. By contrast, a user with the Guest role cannot manage any BIG-IP system resources.
The tasks that a user can perform
For example, a user with the role of Operator can enable or disable nodes and pool members, but cannot create, modify, or delete them. Conversely, a user with the Manager role can perform all tasks related to objects within a partition, except for tasks related to user accounts.

The BIG-IP system offers several different user roles that you can choose from when assigning roles to a user account. Each user role grants a different level and type of permissions to the user.

Note: You must have an Administrator or User Manager user role to assign user roles to a BIG-IP user account.

Assigning roles to a user account

Before performing this task, ensure that you have a user role of Administrator or that you have a role of User Manager for the relevant partition.

You perform this task to change the user roles that are assigned to a user account. You can assign a different role for each partition to which the user has access. By default, the user role that the BIG-IP® system assigns to a user account on each partition is No Access.

Important: If you are performing this task while the user is logged into the system through tmsh, the BIG-IP system terminates the user's tmsh session when the user subsequently issues another tmsh command. This behavior ensures that the user is notified of the change in permissions and that data integrity is maintained.

  1. Access the BIG-IP® Configuration utility.
  2. In the upper-left corner of the screen, confirm that the Partition list is set to the partition in which the user account that you want to modify resides.
  3. On the Main tab, click System > Users.
    The BIG-IP system displays the list of user accounts that reside in the current partition and in partition Common. Note that all users except those with a user role of No Access have at least read access to partition Common.
  4. In the User Name column, click the user account name.
  5. For the Partition Access setting:
    1. From the Role list, select a user role.
    2. From the Partition list, select a partition name.
    3. Click the Add button.
      A user role pertaining to a partition now appears in the box.
    4. Repeat these steps for each partition to which you want to assign a role for this user.
    [Figure: Granting partition access to a BIG-IP user account (sample partition access configuration for a BIG-IP user)]

    After you configure this setting, one or more role-partition combinations are specified for assignment to this user account.
  6. Click the Update button.

User roles on the BIG-IP system

This table lists and describes the various user roles that you can assign to a user account.

Each entry below gives the user role, followed by its description.

Administrator: This role grants users complete access to all objects on the system. These users can change their own passwords and cannot have any other user role on the system. Users with the Administrator role have access to all partitions on the system, and this partition access cannot be changed.

Resource Administrator: This role grants users complete access to all partitioned and non-partitioned objects on the system, except user account objects. In addition, accounts with the Resource Administrator role can change their own passwords. Users with the Resource Administrator role have access to all partitions on the system, and this partition access cannot be changed.

User Manager: A user with a User Manager role on all partitions (that is, with universal access) can manage user accounts in these ways:
  • Create a user account in any partition and assign roles for that user on any partition.
  • Modify a user account in any partition and change the existing roles for that user on any partitions.
  • View all user accounts.
  • Modify the password on any user account.
  • Enable or disable terminal access for any user account.
  • Change his or her own password.

A user with a User Manager role on a specific partition can manage user accounts in the same way as above, except that all actions are restricted to the specific partition to which the user manager has access. Therefore, the user manager cannot change any user's role that is associated with another partition. For example, suppose that:

  • User mjones has the User Manager role for partition A only.
  • User account rsmith resides in Partition A.
  • User rsmith has the role of Certificate Manager on Partition A.
  • User rsmith has the role of Operator on Partition B.

In this case, user mjones can view, change, or delete rsmith's Certificate Manager role for partition A. User mjones can view rsmith's Operator role for partition B but cannot change or delete that role.

With respect to deleting user accounts in partition A, user mjones cannot delete the rsmith account because user rsmith has access to a partition other than A.
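The mjones/rsmith example above, worked through as an added example (not F5 code): the checks encode the partition-scoped User Manager rules, and the user names, partitions and roles are the manual's own; the data layout and the "All" marker for universal access are assumptions.

```python
# Added example, not F5 code: models the partition-scoped User Manager rule
# described above. The user names, partitions and roles are the manual's own
# example; the data layout (a dict of partition -> role per user) is assumed.
from typing import Dict, Set

ALL = "All"  # universal access, as shown in the Partition list (assumed marker)

# Constructed sample accounts: user -> {partition: role}
USERS: Dict[str, Dict[str, str]] = {
    "mjones": {"A": "User Manager"},
    "rsmith": {"A": "Certificate Manager", "B": "Operator"},
}
# Partition in which each user account object resides (constructed)
HOME_PARTITION = {"mjones": "A", "rsmith": "A"}


def manager_scope(manager: str) -> Set[str]:
    """Partitions on which `manager` holds the User Manager role."""
    roles = USERS[manager]
    if roles.get(ALL) == "User Manager":
        return {ALL}
    return {p for p, r in roles.items() if r == "User Manager"}


def can_view_role(manager: str, target: str, partition: str) -> bool:
    """Any User Manager can view all user accounts, so every role is visible."""
    return bool(manager_scope(manager)) and partition in USERS[target]


def can_change_role(manager: str, target: str, partition: str) -> bool:
    """Changing or deleting a role requires User Manager on that partition."""
    scope = manager_scope(manager)
    if partition not in USERS[target]:
        return False
    return ALL in scope or partition in scope


def can_delete_account(manager: str, target: str) -> bool:
    """Deleting an account requires the account and every partition it can
    access to fall within the manager's scope (rsmith also has Partition B)."""
    scope = manager_scope(manager)
    if ALL in scope:
        return True
    if HOME_PARTITION[target] not in scope:
        return False
    return all(p in scope for p in USERS[target])
```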

Manager: This role grants users permission to create, modify, and delete virtual servers, pools, pool members, nodes, custom profiles, custom monitors, and iRules®. These users can view all objects on the system and change their own passwords.

Certificate Manager: This role grants users permission to manage device certificates and keys, as well as perform Federal Information Processing Standard (FIPS) operations.

iRule Manager: This role grants users permission to create, modify, and delete iRules. Users with this role cannot affect the way that an iRule is deployed. For example, a user with this role can create an iRule but cannot assign it to a virtual server or move the iRule from one virtual server to another. A user with this role can be assigned universal access to administrative partitions.

Application Editor: This role grants users permission to modify nodes, pools, pool members, and monitors. These users can view all objects on the system and change their own passwords.

Acceleration Policy Editor: This role allows users to view, create, modify, and delete all BIG-IP Application Acceleration Manager™ policy objects in all administrative partitions. Users can also view, create, update, and delete Application Acceleration Manager profiles.

Firewall Manager: This role allows users complete access to all firewall rules and supporting objects, including rules in all contexts, address lists, port lists, and schedules; security logging profiles and supporting objects, including log publishers and destinations; IP intelligence and DoS profiles; association rights for all of the above security profiles to virtual servers; and DoS Device Configuration (the L2-L4 DoS protection configuration). Firewall Managers may be granted access on all partitions or a single partition. Since global and management port rules are defined in Common, only Firewall Managers with rights on Common are allowed to modify global and management port rules. Firewall Managers have no create, update, or delete rights to any other objects, but otherwise have the same read access as the Manager role. Notably, the Firewall Manager role has no permission to create, update, or delete non-network firewall configuration, including Application Security or Protocol Security policies.

Web Application Security Administrator: This role grants users access to BIG-IP Application Security Manager™ security policy objects. You can assign this role only when the BIG-IP system includes the Application Security Manager module. Users with this role have access to most objects in assigned partitions, plus Common. They can change their own passwords, but they have no access to other user accounts, ARP entries, archives, SNMP configurations displayed in the BIG-IP Configuration utility, logs, and support tools.

Application Security Editor: This role grants users permission to view and configure most parts of Application Security Manager. You can assign this role only when the BIG-IP system includes the Application Security Manager module. Users with this role have access to most objects in assigned partitions, plus Common. They can change their own passwords, but they have no access to other user accounts, ARP entries, archives, SNMP configurations displayed in the BIG-IP Configuration utility, logs, and support tools.

Fraud Protection Manager: This role grants users permission to configure the BIG-IP Fraud Protection Service (FPS) module.

Operator: This role grants users permission to enable or disable nodes and pool members. These users can view all objects and change their own passwords.

Auditor: This role grants users permission to view all configuration data on the system, including logs and archives. Users with this role cannot create, modify, or delete any data, nor can they view SSL keys or user passwords. Users with the Auditor role have access to all partitions on the system, and this partition access cannot be changed.

Guest: This role grants users permission to view all objects on the system except for sensitive data such as logs and archives. Users with this role can change their own passwords.

No Access: This role prevents users from accessing the system.

User roles and administrative partitions

As a BIG-IP® user with an Administrator or User Manager user role, you can assign user roles to other BIG-IP user accounts. Specifically, for each BIG-IP user account, you can assign a specific user role to each administrative partition to which you grant the user access. In this way, you can control the BIG-IP configuration objects that the user can manage, as well as the types of actions the user can perform on those objects.

Important: When a local user with multiple roles logs in to the system, the system applies the most powerful of those roles to the user and sets the current partition to the partition associated with that role. This role remains in effect until the user changes the current partition or the user logs off the system.

About universal access

When you create a BIG-IP administrative user account, you can grant the user access to all administrative partitions on the system, instead of to specific partitions only. This type of access is known as universal access. When you grant universal access to a user, you can assign only one user role, which applies to all partitions on the system for that user.

For example, if you create a user account and assign the role of Operator with the partition access set to All, the user has Operator permissions within all partitions on the system. You cannot assign any other user roles to that user account.

You can assign universal access to any user role except No Access. Moreover, certain user roles on the system automatically provide a user with universal access, and you cannot change this. The user roles that automatically and permanently provide universal access are:

  • Administrator
  • Resource Administrator
  • Web Application Security Administrator
  • Auditor

Note: When you assign the user role No Access to a user account, the role always applies to all partitions on the system.

Summary of user role considerations

When managing user roles for BIG-IP® user accounts, it is helpful to understand these system behaviors and restrictions. Some apply to all user accounts, while others apply to remote accounts only.

All user accounts

This section summarizes some high-level concepts about configuring access control for all BIG-IP user accounts, whether stored locally on the BIG-IP system or on a remote authentication server:

  • A user account can have only one user role for each administrative partition on the BIG-IP system.
  • If a user has multiple roles on the system, the user's most powerful role is applied on first login.
  • If you have an Administrator role, you can grant universal access to any user, except those that have a role of No Access.
  • A user with the role of Administrator, Resource Administrator, Application Security Administrator, or Auditor always has universal partition access (that is, access to all partitions). For these users, you cannot change this universal access.
  • A user with universal access can have only one role on the system, and the role applies to all partitions. On initial login, the user's current partition is set to Common.
  • During a user's login session, the role for the current partition is continually displayed in the upper left area of each screen of the BIG-IP Configuration utility.
  • If you change a role on a user account while the user is logged into the system through tmsh, the BIG-IP system terminates the user's tmsh session when the user subsequently issues another tmsh command.
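The restrictions in the list above (one role per partition, universal access as a single role, roles that always carry universal access, and the "most powerful role on first login" rule), as an added example that is not F5 code. The strongest-to-weakest ordering in POWER is an assumption, since the manual only says that the most powerful role is applied.

```python
# Added example, not F5 code: checks a proposed list of (role, partition)
# assignments against the restrictions summarized above and resolves the
# role and current partition applied at first login. The POWER ranking is an
# assumption; the manual only says the "most powerful" role is applied.
from typing import List, Tuple

ALL = "All"        # universal access, as shown in the Partition list
COMMON = "Common"

# Roles that always carry universal access (from the manual)
ALWAYS_UNIVERSAL = {"Administrator", "Resource Administrator",
                    "Web Application Security Administrator", "Auditor"}
# Assumed strongest-to-weakest ordering; not stated by the manual
POWER = ["Administrator", "Resource Administrator", "User Manager", "Manager",
         "Certificate Manager", "iRule Manager", "Application Editor",
         "Operator", "Auditor", "Guest", "No Access"]


def validate(assignments: List[Tuple[str, str]]) -> List[str]:
    """Return the rule violations found in a list of (role, partition) pairs."""
    problems = []
    partitions = [p for _, p in assignments]
    for p in sorted(set(partitions)):
        if partitions.count(p) > 1:          # one role per partition
            problems.append(f"more than one role on partition {p}")
    for role, part in assignments:
        if role in ALWAYS_UNIVERSAL and part != ALL:
            problems.append(f"{role} always has universal access")
        # Universal access, the always-universal roles, and No Access all
        # apply to every partition, so they must be the account's only role.
        universal = part == ALL or role in ALWAYS_UNIVERSAL or role == "No Access"
        if universal and len(assignments) > 1:
            problems.append(f"{role} applies to all partitions; no other role allowed")
    return problems


def login_role(assignments: List[Tuple[str, str]]) -> Tuple[str, str]:
    """(role, current partition) the system applies when the user first logs in."""
    problems = validate(assignments)
    if problems:
        raise ValueError("; ".join(problems))
    # Roles missing from the assumed ranking sort last
    rank = lambda a: POWER.index(a[0]) if a[0] in POWER else len(POWER)
    role, part = min(assignments, key=rank)
    if part == ALL or role in ALWAYS_UNIVERSAL:
        part = COMMON                        # universal access starts in Common
    return role, part
```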

Remote user accounts

This section summarizes some high-level concepts about configuring access control for remotely-stored BIG-IP user accounts. Specific BIG-IP system behavior with respect to granting permissions depends on the type of remote authentication server. For more detailed information, see the section titled Remote User Account Management.

  • When assigning user role-partition combinations to a single remote user group, you can specify multiple combinations to the group (that is, for the same attribute string). However, for a single user group, you cannot specify multiple roles for the same partition. Within one remote group, the BIG-IP system disallows any attempt to assign multiple roles to the same partition.
  • For a user with multi-group membership, if you assign more than one role to the same partition, the BIG-IP system chooses a role and partition for the user at login time, based primarily on the line order that you specified in the remote role configuration on the BIG-IP system.
  • If you attempt to assign multiple role-partition combinations to a user, and one of those combinations grants universal access (that is, access to all partitions), then the BIG-IP system will either disallow the universal access assignment (if configuring one user group only), or, depending on configured line order, grant universal access to the user and ignore all other role assignments for individual partitions.
  • If you are logged in to the BIG-IP system as a member of the account Other External Users, and you modify the role of that account to a lesser role, the system modifies the user role of your own account to the lesser role also. The change occurs when you log out and log in again to the BIG-IP system.