An administrative partition is a logical container that you create, containing a defined set of BIG-IP® system objects. If you have the Administrator or User Manager user role assigned to your BIG-IP system user account, you can create administrative partitions to control other users' access to BIG-IP objects. More specifically, when a specific set of objects resides in a partition, you can give certain users the authority to view and manage the objects in that partition only, rather than all objects on the BIG-IP system. This gives a finer granularity of administrative control. For example, a user who is assigned access to partition A with the role of Operator on that partition can mark nodes up or down, but only in that partition. You assign user access to partitions when you configure BIG-IP system user accounts.
The following illustration shows an example of user objects within partitions on the BIG-IP system.
Sample administrative partitions on the BIG-IP system
For every administrative partition on the BIG-IP system, the system creates an equivalent high-level folder with an equivalent name.
You perform this task to create an administrative partition. An administrative partition creates an access control boundary for users and applications.
| Setting | Option | Description |
|---|---|---|
| Device group | Retain the default value. | Choose this option if you want the folder corresponding to this partition to inherit the value of the device group attribute from folder root. |
| Device group | Clear the check box and select the name of a device group. | Choose this option if you do not want the folder corresponding to this partition to inherit the value of the device group attribute from folder root. |
| Traffic group | Retain the default value. | Choose this option if you want the folder corresponding to this partition to inherit the value of the traffic group attribute from folder root. |
| Traffic group | Clear the check box and select the name of a traffic group. | Choose this option if you do not want the folder corresponding to this partition to inherit the value of the traffic group attribute from folder root. |
Partitions have a special relationship to user accounts. With respect to partitions and user accounts, you can:
During BIG-IP® system installation, the system automatically creates a partition named Common. At a minimum, this partition contains all of the BIG-IP objects that the system creates as part of the installation process. Until you create other partitions on the system, all objects that you or other users create or manage automatically reside in partition Common.
With respect to permissions, all users on the system except those with a user role of No Access have read access to objects in partition Common. When a user displays a list of a particular type of configuration object, the system displays not only the objects of that type within the user's current partition, but also the same type of object in Common. For example, if a user lists all virtual servers within the user's current partition (such as partition A), the list also shows the virtual servers in Common. In this case, unless the user has write access to Common, the virtual servers in Common are read-only for that user.
Some users, such as those with the user role of Administrator, can also create, update, and delete objects in partition Common. No user can delete partition Common itself.
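The following is an added example, not BIG-IP code or F5 documentation: a small Python model of the visibility and permission rules described above for partition Common. The role names and the sample object sets are constructed for illustration, and the set of roles treated as having write access is a simplifying assumption.

```python
# Added example: models which objects a BIG-IP user sees when listing a type of object
# (current partition plus Common) and whether each object is writable for that user.
# Constructed for illustration; not BIG-IP code. Roles and object names are sample values.
from dataclasses import dataclass

NO_ACCESS = "No Access"
# Assumption: a simplified subset of roles with create/update/delete rights.
# Operator is treated as read-only here (it can only mark nodes up or down).
WRITE_ROLES = {"Administrator", "Manager"}
ALL_PARTITIONS = "all-partitions"


@dataclass
class User:
    name: str
    partition_access: dict  # partition name -> role; ALL_PARTITIONS grants a role everywhere
    current_partition: str = "Common"

    def role_in(self, partition):
        """Effective role on a partition; falls back to an all-partitions grant, else No Access."""
        return self.partition_access.get(
            partition, self.partition_access.get(ALL_PARTITIONS, NO_ACCESS))

    def set_current_partition(self, partition):
        """A user can only select a partition they have been granted some access to."""
        if self.role_in(partition) == NO_ACCESS:
            raise PermissionError(f"{self.name} has no access to partition {partition}")
        self.current_partition = partition


def visible_objects(user, objects):
    """Return {object_name: (partition, writable)} for one object type.

    Listing shows objects in the user's current partition plus the same type in Common.
    Common objects are read-only unless the user has write access to Common itself."""
    if user.role_in(user.current_partition) == NO_ACCESS:
        return {}  # No Access users see nothing, not even Common
    result = {}
    for partition in (user.current_partition, "Common"):
        writable = user.role_in(partition) in WRITE_ROLES
        for name in objects.get(partition, ()):
            result[name] = (partition, writable)
    return result


# Constructed sample inventory: virtual servers per partition.
SAMPLE_VIRTUAL_SERVERS = {
    "Common": {"vs_common"},
    "A": {"vs_a1", "vs_a2"},
    "B": {"vs_b"},
}
```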
The current partition is the specific partition to which the system is currently set for a logged-in user.
A user who has been granted access to one or more partitions, or to all partitions, can actively select the current partition, that is, the specific partition he or she wants to view or manage. For example:
Certain BIG-IP® system objects, such as virtual servers, can reference other objects. Examples of objects that a virtual server can reference are pools, profiles, and iRules®. On the BIG-IP system, there are rules for object referencing with respect to the administrative partitions in which those objects reside.
The rules for valid object referencing are:
Object referencing is restricted in these ways: