How to: Assign standard roles to users

You can customize user access to managed BIG-IP Next instances and application services by assigning role-based access based on job responsibilities. When you associate a role with a user (or a group of users), they have access only to areas of managed BIG-IP Next instances that you explicitly grant.

About assigning granular/specialized privileges to a user

On the other hand, if you’re working for a larger company that has specialized roles to manage different services, or different parts of services, you can provide more granular access. For example, if you have two people who manage BIG-IP Next instances; one who manages certificates and another only manages applications, you could assign the role of Certificate Manager and Application Manager respectively. In addition, a single user can be assigned mulitple user roles, as necessary to their required access privileges.

Role Privileges
Administrator Full permission to create, view, update, and delete all objects and configurations on BIG-IP Next Central Manager and managed BIG-IP Next instances.
Instance Manager Full permissions to manage BIG-IP Next instances including onboarding, instance discovers, creating backups, upgrading, licensing, and creating QKView reports.
Application Manager Full permissions to create, view, update, and delete all objects associated with Applications, iRules, and migrations.

Read-only permissions for all Application referenced objects (such as WAF policies, Access Policies,SSLO, and Certificates), Application-related events, traffic logs, and audit logs, Application-related alerts and notifications, and BIG-IP Next instances on the My Instances screen.
Certificate Manager Full permission to create, view, update, and delete all objects associated with Certificates and Keys.
Security Manager Full permission to create, view read, update, and delete all objects associated with WAF, Access, and SSLO.
Auditor Read-only access for BIG-IP Next Central Manager.

Procedure

Use the following procedure to assign a user to a role. You can assign multiple roles to a single user.

  1. Log in to BIG-IP Next Central Manager.

  2. Click the Workspace icon next to the F5 logo and then click System.

  3. On the left, click Users.

  4. Click the + Add button at the right.
    The New User panel opens.

  5. Enter a Username and optional Display Name and Email Address. Including an email address is recommended for password recovery.

    Note: A username should be created using a combination of uppercase letters (A-Z), lowercase letters (a-z), and numbers (0-9) to enable the debug utility. Although the following are allowed, avoid using them as they will impact enabling the debug utility:

    • underscores (_), dashes (-) or dots (.).

    • starting the username with an uppercase letter or number.

  6. Select Standard Role and the role you want to assign to this user.

  7. Enter and confirm a Password.

  8. Click the Add User button.

Prerequisite

Authenticate with the BIG-IP Next Central Manager API. For details refer to How to: Authenticate with the BIG-IP Next Central Manager API.

To configure local users, use following Central Manager APIs:

  1. Create local users with required roles such as administrator role or standard role, by sending a POST request to /system/v1/users endpoint. Identify the user ID to use in subsequent requests.

    POST https://{{cm_mgmt_ip}}/api/system/v1/users
    

    For the request payload, use the following example, modifying the values as required.

    username: A username should be created using a combination of uppercase letters (A-Z), lowercase letters (a-z), and numbers (0-9) to enable the debug utility. Although the following are allowed, avoid using them as they will impact enabling the debug utility:

    • underscores (_), dashes (-) or dots (.).

    • starting the username with an uppercase letter or number.

    role_type: Add the role type as Administrator or Standard role as per the requirement.

    For a local user, provider_type and provider_name must be Local.

    {
        "username": "{{local_user_1}}",
        "password": "{{temp_local_user_1_password}}",
        "role_type": "Administrator",
        "provider_type": "Local",
        "provider_name": "Local"
    }
    

    For more information about creating users using BIG-IP Next Central Manager APIs, see OpenAPI documentation.

  2. Optional: Retrieve the list of available roles by sending a GET request to /system/v1/roles endpoint.

    GET https://{{cm_mgmt_ip}}/api/system/v1/roles
    

    For more information about retrieving the list of roles using BIG-IP Next Central Manager APIs, see OpenAPI documentation.

  3. Assign a role to the user by sending a POST request to /system/v1/users/{id}/roles endpoint.

    POST https://{{cm_mgmt_ip}}/api/system/v1/users/{id}/roles
    

    For the request payload, use the following example, modifying the values as required:

    {
        "role_ids": [
            "{{role-id}}"
        ]
    }
    

    For more information about assigning roles to users using BIG-IP Next Central Manager APIs, see OpenAPI documentation.

  4. Retrieve the list of users with their IDs by sending the GET request to system/v1/users endpoint. Identify the user IDs that help in operations like delete user.

    GET https://{{cm_mgmt_ip}}/api/system/v1/users
    

    For more information about getting the users list using BIG-IP Next Central Manager APIs, see OpenAPI documentation.

  5. Retrieve the ID of specific user by sending the GET request to system/v1/users?filter=username+eq+%27{{username}}%27 endpoint.

    GET https://{{cm_mgmt_ip}}/api/system/v1/users?filter=username+eq+%27{{username}}%27
    

    For more information about retrieving the specific user ID, see OpenAPI documentation.

  6. Modify an existing user role to another role by sending the POST request to /system/v1/users/{user-id}/roles endpoint.

    POST https://{{cm_mgmt_ip}}/api/system/v1/users/{user-id}/roles
    

    For the request payload, use the following example, modifying the values as required.
    role_ids: Change the role ids as per the requirement. If you want a user to have multiple roles, add the roles separated by a comma.

    {
        "role_ids": [
            "{{role-id1}}", "{{role-id2}}"
        ]
    }
    

    For more information about modifying roles to users using BIG-IP Next Central Manager APIs, see OpenAPI documentation.

  7. Logout a user by sending the POST request to /api/logout endpoint.

    POST https://{{cm_mgmt_ip}}/api/logout
    

    For more information about this request, see OpenAPI documentation.

  8. Delete a specific user by sending the DELETE request to api/system/v1/users/{id} endpoint.

    DELETE https://{{cm_mgmt_ip}}/api/system/v1/users/{id}
    

    Note: To delete the user, logout from the user role and log in to the administrator role.

    For more information about deleting a specific user using BIG-IP Next Central Manager APIs, see OpenAPI documentation.