Manual Chapter : Role-based Authorization Concepts in BIG-IQ

Applies To:

Show Versions Show Versions

BIG-IQ Centralized Management

  • 6.0.1
Manual Chapter

Role-based Authorization Concepts in BIG-IQ

About role-based authorization

Role-based authorization is a powerful tool that provides you with different levels of permission for various roles in your environment. In the BIG-IQ® Centralized Management system, you can use both the provided built-in roles, and also create your own custom roles.

About built-in and custom roles

You can assign role-based user access one of two ways:

  • Built-in user roles - BIG-IQ ships with several built-in user roles that correlate to common job responsibilities. These roles are aligned with duties associated with applications and services. Use these built-in roles to quickly assign users with permissions to access the BIG-IP objects they need to do their job.
  • Custom roles - You can create a custom role to grant access to users in a way that fits your own business needs. When you create a role you can provide specific permissions to as many BIG-IP objects as needed, even across multiple services. Like built-in roles, you align them with duties associated with applications and services.

Built-in roles shipped with BIG-IQ

As a system manager, you'll need a way to limit a user's access to certain areas of F5 BIG-IQ Centralized Management and to its managed devices. The easiest way to do this is to base user access on the responsibilities, or role, that the user has in your company. To help you do that, BIG-IQ ships with a set of built-in roles (associated with a role type) with certain privileges that you can assign to specific users. Since responsibilities and duties for certain roles are specialized, users assigned to some roles have access to only specific parts of BIG-IQ. These restrictions are outlined in the role description.

Role This role can:
Administrator Perform all tasks for setting up and maintaining BIG-IQ and managing devices. This includes discovering devices, adding individual users, assigning roles, installing updates, activating licenses, and so forth.
Access Auditor Only view Access configuration objects and managed Access devices. This role cannot edit, discover, or deploy devices or policies.
Access Deployer Deploy Access configuration objects. This role cannot discover and edit devices or policies.
Access Editor View and edit Access configuration objects, including the ability to add, update, and delete pools and pool members from the Access configuration object editor. This role cannot discover or deploy devices or policies.
Access Manager Deploy and edit Access configuration objects, and view the Access Reporting and dashboard. This role cannot add or remove devices and device groups, and cannot discover, import, or delete services.
Access Viewer Only view Access configuration objects and discovered Access devices. This role cannot edit, discover, or deploy devices or policies.
Application Editor View Local Traffic & Network objects, and create, view, and modify applications through Service Catalog templates.
Application Template Viewer Only view application templates and service scaling group objects.
Device Manager Perform all tasks for device management, including device discovery, licensing, software image management, and UCS backups.
Device Viewer Only view aspects of device management including device discovery, licensing, software image management, and UCS backups.
DNS Deployer View and deploy DNS configuration objects.
DNS Editor Create, view, modify, and delete DNS configuration objects.
DNS Manager Perform all tasks for managing DNS, including creating, viewing, modifying, and deleting DNS objects.
DNS Viewer Only view aspects of device management associated with DNS.
Fraud Protection Deployer View and deploy Fraud Protection Service objects.
Fraud Protection Editor View and edit Fraud Protection Service objects.
Fraud Protection Manager Perform all tasks for managing the Fraud Protection Service functionality.
Fraud Protection Viewer Only view Fraud Protection Service objects.
License Manager Perform all tasks related to BIG-IP licensing.
Local Traffic & Network Deployer View and deploy Local Traffic & Network configuration objects for managed Local Traffic & Network devices.
Local Traffic & Network Editor Create, view, modify, and delete Local Traffic & Network configuration objects.
Local Traffic & Network Manager Perform all tasks for managing Local Traffic & Network, including creating, viewing, modifying, and deleting Local Traffic & Network objects.
Local Traffic & Network Viewer Only view Local Traffic & Network objects.
Network Security Deployer View and deploy Network Security objects.
Network Security Editor Create, view, modify, and delete Network Security objects.
Network Security Manager Perform all tasks associated with Network Security, including areas involved in creating, viewing, modifying, and deleting shared and firewall-specific security objects.
Network Security Viewer Only view Network Security firewall objects. This role cannot edit, discover, or deploy devices or policies.
Pool Member Operator Enable, disable, or force offline pool members for all pools. To limit access to select pools, create a custom resource group and role based on the Pool Member Operator type.
Security Manager Perform all tasks associated with Network Security, Web Application Security, and Fraud Protection Service, including areas involved in device discovery, creating, viewing, modifying, and deleting Web Application Security, shared and firewall-specific security objects.
Service Catalog Editor View Local Traffic & Network objects and create, view, modify, and delete Service Catalog templates.
Service Catalog Viewer Only view Local Traffic & Network objects and Service Catalog templates.
Trust Discovery Import Manage device trust establishment, service discovery, service import, removal of services and removal of trust.
Virtual Server Operator Enable or disable all virtual servers. To limit access to select virtual servers, create a custom resource and role based on the Virtual Server Operator role type.
Web App Security Deployer View and deploy Web Application Security and shared security configuration objects for Web Application Security devices.
Web App Security Editor Create, view, modify, and delete Web Application Security and shared security configuration objects.
Web App Security Manager Create, view, modify, delete and deploy Web Application Security and shared security configuration objects.
Web App Security Viewer Only view Web Application Security and shared security configuration objects.
Only view Application Templates and Service Scaling Group objects.
Only view Application Templates and Service Scaling Group objects.

Custom roles based on job responsibilities

BIG-IQ Centralized Management makes it easy for you to give users specific permissions for access only to those BIG-IP objects they need to do their job. Role-based access allows you to create a custom role with specific privileges to view or edit only those BIG-IP objects (resources) you explicitly assign to the role.

There are several built-in roles shipped with BIG-IQ, but there might be a reason you want to give a person permissions to interact only in a clearly defined way with specific resources. To do that, you need to add each of the following to BIG-IQ:

  1. Custom role type - Select a one or more services and define a set of permissions (read, add, edit, delete) for interacting with the objects associated with selected services.
  2. Custom resource group - Select the specific type of resources you want to provide a user access to—for example, BIG-IP virtual servers.
  3. Custom role - Associate this custom role with the custom role type and resource group you created, to combine the permissions you specified in the custom role type with the resources you defined for the custom resource group.
  4. Custom user - Associate this user with the custom role you created to provide that person access and permissions to the resources you specified.