Applies To:
BIG-IQ Security
- 4.5.0
About roles
Different users have different responsibilities. As a system manager, you need a way to differentiate between users and to limit user privileges based on user responsibilities.
To assist you, the BIG-IQ system provides a default set of roles. To view the default roles, log in to BIG-IQ and navigate to the Roles panel.
Roles persist and are available after a BIG-IQ system failover.
You can associate multiple roles with a given user; for example, you can grant a user the edit (Network_Security_Edit) and the deploy (Network_Security_Deploy) roles.
- Administrator
- This role is responsible for overall management of the platform. Users with this role can add individual users, install updates, activate licenses, and configure HA and networks. This role is abbreviated in the table below as Admin.
- Network_Security_Deploy
- This role permits viewing and deploying for all firewall configuration objects for all firewall devices under management. This role also permits creation and deletion of snapshots. Users with this role cannot edit configuration objects, discover devices, or reimport devices or otherwise make changes to the working configuration of the BIG-IQ system. Also, this role does not have access to System/Overview or Networking. This role is abbreviated in the table below as Deploy.
- Network_Security_Edit
- With this role, the user can view and modify all configuration objects for all firewall devices under management, including the ability to create, modify, or delete all shared and firewall-specific objects under Network Security. Users with this role cannot edit objects under Shared Security. Users with only this role cannot deploy configuration changes to remote devices under management. Also, this role does not have access to System/Overview or Networking. This role is abbreviated in the table below as Edit.
- Network_Security_Manager
- This role encompasses the roles of Network_Security_View, Network_Security_Edit, and Network_Security_Deploy. A user logging in with this role bypasses the System panel and is logged directly into BIG-IQ Security. This role is abbreviated in the table below as NW Sec Mgr.
- Network_Security_View
- With this role, the user can view all configuration objects and tasks for all firewall devices under management. Users with this role cannot edit objects and cannot initiate a discovery or deployment task. This role is abbreviated in the table below as View.
- Security_Manager
- This role combines the privileges of Network_Security_View, Network_Security_Edit, and Network_Security_Deploy. A user logging in with this role is logged directly into BIG-IQ Security. A user logging in with this role can also access BIG-IQ Web Application Security. This role is abbreviated in the table below as Sec Mgr.
- Web_App_Security_Manager
- This role carries administrator-level rights for the BIG-IQ Web Application Security module only. This role does not appear in the following table.
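The role composition described above, as an added example that is not F5 code: permissions are modelled from the role descriptions on this page using our own assumed permission labels, composite roles expand to the roles they encompass, a user's effective rights are the union of all assigned roles, and a least-privilege helper picks the smallest role set that covers a required list of actions.

```python
from itertools import combinations

# Leaf roles and the permissions each grants (labels are our own, assumed).
ROLE_PERMISSIONS = {
    "Network_Security_View": {"view_objects", "view_tasks", "view_audit_log"},
    "Network_Security_Edit": {"view_objects", "view_tasks", "view_audit_log",
                              "edit_network_security_objects"},
    "Network_Security_Deploy": {"view_objects", "view_tasks", "view_audit_log",
                                "deploy_config", "create_snapshot",
                                "delete_snapshot"},
    "Administrator": {"manage_users", "manage_system", "install_updates",
                      "activate_licenses", "configure_ha", "configure_networks"},
    # Security_Manager additionally reaches Web Application Security.
    "Security_Manager": {"access_web_app_security"},
}
# Composite roles encompass the three Network_Security_* roles.
COMPOSITE_ROLES = {
    "Network_Security_Manager": {"Network_Security_View", "Network_Security_Edit",
                                 "Network_Security_Deploy"},
    "Security_Manager": {"Network_Security_View", "Network_Security_Edit",
                         "Network_Security_Deploy"},
}
ALL_ROLES = sorted(set(ROLE_PERMISSIONS) | set(COMPOSITE_ROLES))

def expand(roles):
    """Expand composite roles into the roles they encompass (plus themselves)."""
    expanded = set()
    for role in roles:
        expanded |= COMPOSITE_ROLES.get(role, set()) | {role}
    return expanded

def effective_permissions(roles):
    """Union of permissions of all roles; an unknown role grants nothing (fail closed)."""
    perms = set()
    for role in expand(roles):
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms

def is_allowed(roles, permission):
    return permission in effective_permissions(roles)

def least_privilege_roles(required):
    """Fewest roles covering `required`; ties broken by fewest excess permissions.
    Returns None when no combination of roles grants everything requested."""
    required = set(required)
    for size in range(1, len(ALL_ROLES) + 1):
        best = None
        for combo in combinations(ALL_ROLES, size):
            granted = effective_permissions(combo)
            if required <= granted:
                excess = len(granted - required)
                if best is None or excess < best[0]:
                    best = (excess, set(combo))
        if best is not None:
            return best[1]
    return None
```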
About access control: features and the roles that can perform them
Feature | View | Edit | Deploy | Sec Mgr | NW Sec Mgr | Admin |
---|---|---|---|---|---|---|
View policy, objects, snapshots, deployments, devices, groups | X | X | X | X | X | X |
Create/update/delete configuration objects | X | X | X | X | ||
Create/delete snapshots | X | X | X | X | X | |
Compare (view differences between) snapshots | X | X | X | X | X | X |
Restore working configuration from snapshot | X | X | X | X | ||
Deploy from snapshot | X | X | X | X | ||
DMA (declare management authority) | X | X | X | X | ||
RMA (rescind management authority) | X | X | X | X | ||
Deploy working config; create/delete deployment tasks | X | X | X | X | ||
View audit log | X | X | X | X | X | X |
Delete, configure audit log | X | X | ||||
Create/update/delete device groups | X | X | X | X | ||
Manage users | X | |||||
Manage system | X | | | | | |
About user types
The BIG-IQ Network Security system provides admin as the default user type. The admin user can assign roles to users, but cannot access the command shell or system console.
User types persist and are available after a BIG-IQ system failover.
Creating user accounts
User accounts and roles persist and are available after a BIG-IQ system failover.
- Log in to the BIG-IQ system and click .
- Hover over the Users banner, click the + icon, and select New User.
- Complete the fields as required.

  Option | Description |
  ---|---|
  Username | Enter the user's login name. |
  Auth Provider | Accept the default of local, or select from the dropdown list the provider that supplies the credentials required for authentication. |
  Full Name | Enter the user's actual name. This field can contain a combination of symbols, letters (upper and lowercase), numbers, and spaces. |
  Password | Enter the password for this user. |
  Confirm Password | Retype the password. |

- Click Add to save your edits and create the user account (or click Cancel to close the panel without saving your entries).
Associating users with roles
Disassociating users from roles
- Log in to the BIG-IQ system and click .
- In the Roles panel, hover over the role that contains the user you want to disassociate, click the gear icon, and select Properties.
- To the right of Active Users and Groups, view the list of users and groups associated with the role.
- Click the X next to the user or group that you want to disassociate from the role.
- Click Save.