Manual Chapter : Role-Based User Access

Applies To:

Show Versions Show Versions

BIG-IQ Centralized Management

  • 6.1.0
Manual Chapter

Role-Based User Access

Limit a user's access to BIG-IP devices based on their role

BIG-IQ Centralized Management gives you the tools you need to customize user access to managed devices by letting you assign role-based access based on job responsibilities. When you associate a role with a user (or a group of users), they have access only to the areas within BIG-IQ that you explicitly grant.

Assigning more than one role to a user

The responsibilities and roles each of your users has probably depends on the number of people who have access to BIG-IQ.

For example, if you have only two people managing your devices from BIG-IQ, they both most likely need to have full access to all aspects of BIG-IQ at one time or another. For these users, you'd assign them both the Administrator role.

Assigning more granular/specialized privileges to a user

On the other hand, if you're working for a larger company that has specialized roles to manage different services, or different parts of services, you can provide more granular access.

For example, if you have two people who manage BIG-IP devices used only for network security purposes, you could assign them both the role of Network Security Manager. Or, if you have two people managing devices used for network security, but you want only one of them to write and edit policies, and the other to (only) deploy the policies, you could assign the first person the Network Security Editor role, and the other person the Network Security Deployer role. In this case, the person with the Network Security Editor role can only create, view, and edit policies, but not deploy them. The person assigned to the Network Security Deployer can view and deploy policies, but cannot create or edit them.

About built-in and custom roles

You can assign role-based user access one of two ways:

  • Built-in user roles - BIG-IQ ships with several built-in user roles that correlate to common job responsibilities. These roles are aligned with duties associated with applications and services. Use these built-in roles to quickly assign users with permissions to access the BIG-IP objects they need to do their job.
  • Custom roles - You can create a custom role to grant access to users in a way that fits your own business needs. When you create a role you can provide specific permissions to as many BIG-IP objects as needed, even across multiple services. Like built-in roles, you align them with duties associated with applications and services.

Built-in roles shipped with BIG-IQ

As a system manager, you'll need a way to limit a user's access to certain areas of F5 BIG-IQ Centralized Management and to its managed devices. The easiest way to do this is to base user access on the responsibilities, or role, that the user has in your company. To help you do that, BIG-IQ ships with a set of built-in roles (associated with a role type) with certain privileges that you can assign to specific users. Since responsibilities and duties for certain roles are specialized, users assigned to some roles have access to only specific parts of BIG-IQ. These restrictions are outlined in the role description.

Role This role can:
Administrator Perform all tasks for setting up and maintaining BIG-IQ and managing devices. This includes discovering devices, adding individual users, assigning roles, installing updates, activating licenses, and so forth.
Access Auditor Only view Access configuration objects and managed Access devices. This role cannot edit, discover, or deploy devices or policies.
Access Deployer Deploy Access configuration objects. This role cannot discover and edit devices or policies.
Access Editor View and edit Access configuration objects, including the ability to add, update, and delete pools and pool members from the Access configuration object editor. This role cannot discover or deploy devices or policies.
Access Manager Deploy and edit Access configuration objects, and view the Access Reporting and dashboard. This role cannot add or remove devices and device groups, and cannot discover, import, or delete services.
Access Viewer Only view Access configuration objects and discovered Access devices. This role cannot edit, discover, or deploy devices or policies.
Application Editor View Local Traffic & Network objects, and create, view, and modify applications through Service Catalog templates.
Application Template Viewer Only view application templates and service scaling group objects.
Device Manager Perform all tasks for device management, including device discovery, licensing, software image management, and UCS backups.
Device Viewer Only view aspects of device management including device discovery, licensing, software image management, and UCS backups.
DNS Deployer View and deploy DNS configuration objects.
DNS Editor Create, view, modify, and delete DNS configuration objects.
DNS Manager Perform all tasks for managing DNS, including creating, viewing, modifying, and deleting DNS objects.
DNS Viewer Only view aspects of device management associated with DNS.
Fraud Protection Deployer View and deploy Fraud Protection Service objects.
Fraud Protection Editor View and edit Fraud Protection Service objects.
Fraud Protection Manager Perform all tasks for managing the Fraud Protection Service functionality.
Fraud Protection Viewer Only view Fraud Protection Service objects.
License Manager Perform all tasks related to BIG-IP licensing.
Local Traffic & Network Deployer View and deploy Local Traffic & Network configuration objects for managed Local Traffic & Network devices.
Local Traffic & Network Editor Create, view, modify, and delete Local Traffic & Network configuration objects.
Local Traffic & Network Manager Perform all tasks for managing Local Traffic & Network, including creating, viewing, modifying, and deleting Local Traffic & Network objects.
Local Traffic & Network Viewer Only view Local Traffic & Network objects.
Network Security Deployer View and deploy Network Security objects.
Network Security Editor Create, view, modify, and delete Network Security objects.
Network Security Manager Perform all tasks associated with Network Security, including areas involved in creating, viewing, modifying, and deleting shared and firewall-specific security objects.
Network Security Viewer Only view Network Security firewall objects. This role cannot edit, discover, or deploy devices or policies.
Pool Member Operator Enable, disable, or force offline pool members for all pools. To limit access to select pools, create a custom resource group and role based on the Pool Member Operator type.
Security Manager Perform all tasks associated with Network Security, Web Application Security, and Fraud Protection Service, including areas involved in device discovery, creating, viewing, modifying, and deleting Web Application Security, shared and firewall-specific security objects.
Service Catalog Editor View Local Traffic & Network objects and create, view, modify, and delete Service Catalog templates.
Service Catalog Viewer Only view Local Traffic & Network objects and Service Catalog templates.
Trust Discovery Import Manage device trust establishment, service discovery, service import, removal of services and removal of trust.
Virtual Server Operator Enable or disable all virtual servers. To limit access to select virtual servers, create a custom resource and role based on the Virtual Server Operator role type.
Web App Security Deployer View and deploy Web Application Security and shared security configuration objects for Web Application Security devices.
Web App Security Editor Create, view, modify, and delete Web Application Security and shared security configuration objects.
Web App Security Manager Create, view, modify, delete and deploy Web Application Security and shared security configuration objects.
Web App Security Viewer Only view Web Application Security and shared security configuration objects.
Only view Application Templates and Service Scaling Group objects.
Only view Application Templates and Service Scaling Group objects.

Add a user and assign them a built-in role

If you want to authentication users with an LDAP, RADIUS, or TACACS+ server, you must first configure that before adding a user.
Once you understand exactly who you want to perform certain tasks, you can provide them access to particular areas of F5 BIG-IQ Centralized Management by adding them as a user and assigning the appropriate standardized role. You can assign as many roles as required to cover the user's responsibilities.
Important: Since some roles have access only to certain areas or screens in the BIG-IQ user interface, it's important to communicate that to the user. When you assign a role to a user, be sure you outline the responsibilities and restrictions for their role. Clarifying this helps avoid any potential confusion. Also note,these roles do not have access to the global search functionality: Network Security Manager, Network Security Edit, Network Security View, and Trust Discovery Import.
  1. At the top of the screen, click System.
  2. On the left, click USER MANAGEMENT > Users .
  3. Click the Add button.
  4. From the Auth Provider list, select the authentication method you want to use for this user.
    Important: A user must belong to an LDAP group or have an assigned BIG-IQ role, or authentication will fail.
  5. In the User Name field, type the name for this user.
  6. In the Password and Confirm Password fields, type the password for this new user.
    You can change the password any time.
  7. To associate this user with an existing user group, select the group from the User Groups list.
    You aren't required to associate a user group at this point; you can do that later if you want. If you want to associate another user group with this user, click +.
  8. For the Roles setting, from the Available list, select each user role you want to associate with this user, and move it to the Selected list.
    Important: Be sure to let your users know that their access to certain parts of the BIG-IQ user interface depends on which role they are assigned.
  9. Click the Save & Close button.
This user now has the privileges associated with the role(s) you selected and BIG-IQ will authenticate this user locally
You can now tell this user how their BIG-IQ access aligns with their responsibilities. Make sure they understand they might not see every screen you or one of their peers does. Also let them know that if they try to log in more than 5 times in 5 minutes with the wrong user name and/or password, they might get the following error: Maximum number of login attempts exceeded. If that happens, the user must wait 5 minutes before trying to log back in.
Note: If your BIG-IQ is in an HA pair, you must synchronize this change by refreshing the secondary BIG-IQ.

Custom roles based on job responsibilities

BIG-IQ Centralized Management makes it easy for you to give users specific permissions for access only to those BIG-IP objects they need to do their job. Role-based access allows you to create a custom role with specific privileges to view or edit only those BIG-IP objects (resources) you explicitly assign to the role.

There are several built-in roles shipped with BIG-IQ, but there might be a reason you want to give a person permissions to interact only in a clearly defined way with specific resources. To do that, you need to add each of the following to BIG-IQ:

  1. Custom role type - Select a one or more services and define a set of permissions (read, add, edit, delete) for interacting with the objects associated with selected services.
  2. Custom resource group - Select the specific type of resources you want to provide a user access to—for example, BIG-IP virtual servers.
  3. Custom role - Associate this custom role with the custom role type and resource group you created, to combine the permissions you specified in the custom role type with the resources you defined for the custom resource group.
  4. Custom user - Associate this user with the custom role you created to provide that person access and permissions to the resources you specified.

Create a custom role type with permissions to specific BIG-IP object types

Creating a custom role type is the first step to providing custom role-based access to users.
  1. At the top of the screen, click System.
  2. On the left, click ROLE MANAGEMENT > Role Types .
  3. Near the top of the screen, click the Add button.
  4. In the Name field, type a name to identify this new role type.
    A description is optional.
  5. From the Services list, select each service you want to associate with this role type, then scroll through the Object Type list and select the check box next to each object type you want to provide access to.
    Note: You might have to horizontally re-size your screen so you can see all the objects you need to see.
  6. After you've finished adding objects, for each object type, select the check box beneath the permissions you want to grant for this role type.
  7. Click the Save & Close button.

Create a custom resource group

Create a resource group with all of the BIG-IP objects you want to provide access to, and assign a role type to it.


  1. At the top of the screen, click System.
  2. On the left, click ROLE MANAGEMENT > Resource Groups .
  3. Near the top of the screen, click the Add button.
  4. In the Name field, type a name to identify this group of resources.
  5. From the Role Type list, select the role type you want to provide access to for this group of resources.
  6. From the Select Service list, select the service(s) you want to provide access to for this group of resources.
  7. From the Object Type list, select the type of object you want to add to this group of resources.
  8. For the Source setting:
    • Selected Instances - Select this option to put only the source objects you selected into this resource group. If you select this option, the associated role will not have access to any new objects of the same type added in the future unless you explicitly add it to this resource group.
    • Any Instances - Select this option if you want to add any objects of the same type created in the future to this resources group. If you select this option, any new object of the same type added in the future will be assigned to this resource group, and access to those new resources will automatically be given to the associated role type.
  9. Select the check box next to the name of each object you want to add to this group of resources, and click the Add Selected button.
    Tip: You might have to horizontally re-size your screen so you can see all the objects you need to see.
  10. Click the Save & Close button.
Now you can associate this role type and resource group to a role.

Add new custom role

In addition to the built-in roles that ship with BIG-IQ, you can create a custom role with specific privileges to particular areas of BIG-IQ and BIG-IP devices.

  1. At the top of the screen, click System.
  2. On the left, click ROLE MANAGEMENT > Roles .
  3. On the left, click CUSTOM ROLES > Service Roles
  4. Click the Add button.
  5. In the Name field, type a name to identify this new role.
  6. From the Role Type list, select the kind of role you want to add.
  7. For the Role Mode setting, select an option.
    • Relaxed Mode – If you select this option, the role can view and manage all objects you've given explicit permission to, and it can see (but won't be able to manage) related objects for associated services.
    • Strict Mode – If you select this option, this role can view and manage only the specific objects you’ve given explicit permission to.
  8. Add the Resource Groups and Active Users and Groups as needed.
  9. To view the type of user access granted for the resource groups associated with this role, click the View Permissions button.
  10. Click the Save & Close button.

Remove a BIG-IQ user from a role

If a job or responsibilities change for an employee, you can use this procedure to disassociate that BIG-IQ user from an assigned role.
  1. At the top of the screen, click System.
  2. On the left, click USER MANAGEMENT > Users .
  3. On the Users inventory list, click the name of the user.
    The screen refreshes to display the properties for this user.
  4. From the User Roles list, select the user role to disassociate from this user and click the X.
    The selected user role is removed from the list of privileges assigned to this user.
  5. Click the Save & Close button.
This user no longer has the privileges associated with the role you deleted.

Synchronize new users and user groups with secondary BIG-IQ

You must configure two BIG-IQ Centralized Management systems in a high availability (HA) pair before you can synchronize users and user groups with a secondary BIG-IQ
Users and user groups are handled differently than other data that's synchronized between BIG-IQ systems in an HA pair. For that reason, you must refresh the secondary BIG-IQ system in an HA pair after you add a new user or user group. Refresh the secondary BIG-IQ system so new users and user groups can successfully log in to the secondary system.
  1. At the top of the screen, click System.
  2. On the left, click BIG-IQ HA.
  3. At the top of the screen, click the BIG-IQ HA Settings button.
  4. Click the Log Out and Refresh button.
  5. Click OK, then Log Out.
    BIG-IQ logs you out of the system.
You should now be able to log in to the secondary BIG-IQ system with the new user and/or user group you added.