system includes a powerful authorization feature known as administrative partitions. Using the administrative partitions feature, you ensure that the BIG-IP system grants administrative users exactly the right type and amount of access to BIG-IP system resources. As a result, you can tailor user access to resources to fit the needs of your organization.
Partitions: Partitions represent containers for BIG-IP system objects. You can use partitions to limit user access to certain objects. For more information on partitions, see the TMOS™ Management Guide for BIG-IP Systems.
User accounts: User accounts grant administrative access to the BIG-IP system. The properties that you set on a user account determine that user's permissions for administering BIG-IP system resources. For more information on user accounts, see the TMOS™ Management Guide for BIG-IP Systems.
User roles: One of the properties that you set on a user account is the user role. A user role determines that user's permissions, that is, the specific objects that the user can access and the tasks that the user can perform. The user roles that you can assign to a user account are: Administrator, Resource Administrator, User Manager, Application Editor, Application Security Policy Editor, or Guest. You can also specify that a user account has no access to system resources. For descriptions of these user roles, see the TMOS™ Management Guide for BIG-IP Systems.
BIG-IP system objects: BIG-IP system objects are the entities that you can manage on the BIG-IP system. Examples of objects that you can place into partitions are pools, virtual servers, and profiles. When objects reside in partitions, you can control the type and amount of administrative user access to those objects. Most local traffic objects, as well as user accounts, can reside in partitions. For descriptions of local traffic objects, see the Configuration Guide for BIG-IP® Local Traffic Manager.
By combining all of these components, you can fine-tune administrative access to many of your BIG-IP system resources. This chapter describes the procedure for configuring the administrative partitions feature on the BIG-IP system.
When you first install the BIG-IP system, a default partition exists, known as partition Common. Partition Common contains certain objects that the system automatically creates during installation, such as the admin user account, the default profiles, and the pre-configured health and performance monitors.
Some types of BIG-IP system objects reside in partitions, while others do
not. In general, most local-traffic objects reside in partitions. Network objects, such as self IP addresses, VLANs, interfaces, and so on, cannot reside in partitions.
At a minimum, most BIG-IP system user accounts have Read access to objects in partition Common, regardless of their user roles. User accounts that have the Administrator and Resource Administrator roles assigned to them can not only view the objects in Common, but also create, modify, and delete objects in that partition.
While managing partition Common is useful as a starting point for controlling user access to BIG-IP system objects, creating other partitions offers a much finer degree of access control for administrative users.
The first step in giving a user the authority to manage objects in a specific partition is to create the partition. Once you have created the partition, you choose the user that you want to manage the objects in the new partition. Finally, you modify the properties of that user's account to assign both the appropriate user role and the partition that you want to authorize the user to manage. Once you have granted the user authority to manage the partition, the user can manage the objects in that partition in certain ways, such as creating HTTP virtual servers and profiles within it.
Important: To create a partition, you must have the Administrator or Resource Administrator user role assigned to your user account. For the admin account, the BIG-IP system automatically assigns the Administrator role.
In the Name box, type a unique name for the partition, such as partition_App1.
In the Description box, type a description of the partition, for example, This partition contains objects for managing traffic for the App1 application.
The next step, after you create the partition, is to assign a user role to a user
account and give that user authority to manage the new partition. The level of authority that the user has is determined by the user role you assign to the user account. For example:
If you assign a user role of Manager to the user account, the user can perform all tasks related to the objects (except user account objects) in the relevant partition, such as creating, modifying, or deleting those objects.
If you assign a user role of Operator to the account, the user is restricted to enabling and disabling the nodes and pool members that reside in the assigned partition.
If you assign a user role of Guest to the account, the user can only view the objects in the partition. The user cannot create, modify, or delete any objects in the assigned partition.
You can configure user access to a partition either when you first create the
user account or when you modify the user account properties. The following procedure shows how to configure partition access to an existing user account.
From the Partition Access list, select a partition name. You can select a single partition name, or All. For user accounts to which you assign the Administrator role, this value is automatically set to All.
It is important to understand what happens when an administrative user logs
into the BIG-IP system and attempts to view, manage, or create BIG-IP system objects.
Once you have assigned user roles and partitions to user accounts, the users
see only those objects on the BIG-IP system to which they have been granted access. They can view only those objects, and no others.
For example, suppose user Jane Smith logs into the system with her user account, and she has the role of Manager and is authorized to manage partition A. In this case, she sees and can manage all objects contained in partition A (excluding user account objects), and she can see objects in partition Common. She has no access to other objects on the system.
For example, if she uses the Configuration utility to view a list of virtual servers on the system, she sees and can manage virtual servers contained in partition A, and she can see any virtual servers in partition Common. Similarly, if she views the list of pools, she sees and can manage those pools contained in partition A, and she can see any pools in partition Common (if any), and so on. She has no access (either Read or Write access) to objects in other partitions.
By contrast, a user with a role such as Administrator can see and manage all objects on the system, regardless of the partition in which the objects reside. Users with this type of role can also actively select a specific partition to view and manage.
When a BIG-IP system user has a user role that grants the authority to create
objects on the BIG-IP system in a specific partition, the object that the user creates automatically resides in the partition that the user is authorized to manage.
For example, suppose that Barry Jones has the user account bjones, and this user account is authorized to manage partition B. When Barry logs into the BIG-IP system using the bjones account, any object that he creates automatically resides in partition B.
Conversely, if a user with a role that does not allow object creation is logged into the system, no Create buttons appear on the Configuration utility screens.
If the logged-in user has universal access (such as a user with the Administrator role), the user can actively select the partition in which to view, manage, or create a BIG-IP system object.
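The access rules this chapter describes for the Manager, Operator and Guest roles, the Read access that every account has to partition Common, the universal access of an Administrator, and the rule that a newly created object lands in the creator's partition can be checked against a small model. The following Python is an added example written for this page, not F5 code and not how TMOS implements the check; the User and Obj types, the action and object-kind names, and the sample inventory are all assumptions made for the illustration (Resource Administrator is left out because the chapter does not spell out its rights outside Common).

```python
from dataclasses import dataclass
COMMON = "Common"  # default partition created at installation; readable by most accounts
ALL = "All"        # Partition Access value an Administrator account receives automatically

@dataclass(frozen=True)
class User:
    name: str
    role: str       # "Administrator", "Manager", "Operator", "Guest" or "No Access"
    partition: str  # the partition the account is authorized to manage, or ALL

@dataclass(frozen=True)
class Obj:
    kind: str       # "virtual_server", "pool", "node", "pool_member", "user_account", ...
    partition: str

def can(user, action, obj):
    """Decide whether user may perform action (read/create/modify/delete/enable/disable) on obj."""
    if user.role == "No Access":
        return False
    if user.role == "Administrator":              # universal access, regardless of partition
        return True
    own = user.partition in (ALL, obj.partition)  # object lies in the user's assigned scope
    if action == "read":                          # Read access to Common plus own partition
        return own or obj.partition == COMMON
    if not own:                                   # no Write access outside the assigned partition
        return False
    if user.role == "Manager":                    # all tasks, except on user account objects
        return obj.kind != "user_account"
    if user.role == "Operator":                   # only enable/disable nodes and pool members
        return action in ("enable", "disable") and obj.kind in ("node", "pool_member")
    return False                                  # Guest: view only

def visible(user, inventory):
    """The objects a user sees in a Configuration utility list, e.g. Virtual Servers."""
    return [o for o in inventory if can(user, "read", o)]

def create(user, kind, selected_partition=None):
    """A new object lands in the creator's partition; only an All-access user chooses one."""
    target = selected_partition if user.partition == ALL else user.partition
    if target is None:
        raise ValueError("an account with access to All partitions must select a partition")
    if not can(user, "create", Obj(kind, target)):
        raise PermissionError(f"{user.name} ({user.role}) cannot create objects in {target}")
    return Obj(kind, target)

# Constructed sample data (not from the guide): Jane manages partition A, bjones manages B.
INVENTORY = [Obj("virtual_server", COMMON), Obj("pool", "A"), Obj("node", "A"), Obj("pool", "B")]
JANE = User("Jane Smith", "Manager", "A")
BJONES = User("bjones", "Manager", "B")
ADMIN = User("admin", "Administrator", ALL)
```

With this model, `visible(JANE, INVENTORY)` returns the Common virtual server plus the two partition A objects and nothing from B, while `create(BJONES, "pool", "A")` still places the pool in partition B because a single-partition account cannot choose another partition.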