How to: Assign standard roles to users

You can customize user access to managed BIG-IP Next instances and application services by assigning role-based access based on job responsibilities. When you associate a role with a user (or a group of users), they have access only to areas of managed BIG-IP Next instances that you explicitly grant.

About assigning roles to a user

The responsibilities and roles of each of your users depend on the number of people who have access to BIG-IP Next Central Manager and managed BIG-IP Next instances. For example, if you have only two people managing BIG-IP Next Central Manager itself and all of your BIG-IP Next instances, they both would need to have full access to all aspects of both at one time or another. For these users, you’d assign the Administrator role.

About assigning granular/specialized privileges to a user

On the other hand, if you’re working for a larger company that has specialized roles to manage different services, or different parts of services, you can provide more granular access. For example, if you have two people who manage BIG-IP Next instances, one who manages certificates and another who manages only applications, you could assign the Certificate Manager and Application Manager roles respectively. In addition, a single user can be assigned multiple user roles, as required by their access privileges.

Roles and their privileges:

Administrator: Full permissions to create, view, update, and delete all objects and configurations on BIG-IP Next Central Manager and managed BIG-IP Next instances.

Instance Manager: Full permissions to manage BIG-IP Next instances, including onboarding, instance discovery, creating backups, upgrading, licensing, and creating QKView reports.

Application Manager: Full permissions to create, view, update, and delete all objects associated with Applications, iRules, and migrations. Read-only permissions for all Application-referenced objects (such as WAF policies, Access Policies, SSLO, and Certificates), Application-related events, traffic logs, and audit logs, Application-related alerts and notifications, and BIG-IP Next instances on the My Instances screen.

Certificate Manager: Full permissions to create, view, update, and delete all objects associated with Certificates and Keys.

Security Manager: Full permissions to create, view, update, and delete all objects associated with WAF, Access, and SSLO.

Auditor: Read-only access to BIG-IP Next Central Manager.

Procedure

Use the following procedure to assign a user to a role. You can assign multiple roles to a single user.

  1. Log in to BIG-IP Next Central Manager.

  2. Click the Workspace icon next to the F5 logo and then click System.

  3. On the left, click Users.

  4. Click the + Add button at the right.
    The New User panel opens.

  5. Enter a Username and optional Display Name and Email Address.

  6. Select Standard Role and the role you want to assign to this user.

  7. Enter and confirm a Password.

  8. Click the Add User button.

Prerequisite

Authenticate with the BIG-IP Next Central Manager API. For details refer to How to: Authenticate with the BIG-IP Next Central Manager API.

To configure local users, use the following Central Manager APIs:

  1. Create local users with the required role type (Administrator or Standard) by sending a POST request to the /system/v1/users endpoint. Identify the user ID to use in subsequent requests.

    POST https://{{cm_mgmt_ip}}/api/system/v1/users
    

    For the request payload, use the following example, modifying the values as required.
    role_type: Set the role type to Administrator or Standard, as required.
    For a local user, provider_type and provider_name must be Local.

    {
        "username": "{{local_user_1}}",
        "password": "{{temp_local_user_1_password}}",
        "role_type": "Administrator",
        "provider_type": "Local",
        "provider_name": "Local"
    }
    
  2. Optional: Retrieve the list of available roles by sending a GET request to the /system/v1/roles endpoint.

    GET https://{{cm_mgmt_ip}}/api/system/v1/roles
    
  3. Assign a role to the user by sending a POST request to the /system/v1/users/{id}/roles endpoint.

    POST https://{{cm_mgmt_ip}}/api/system/v1/users/{id}/roles
    

    For the request payload, use the following example, modifying the values as required:

    {
        "role_ids": [
            "{{role-id}}"
        ]
    }
    
  4. Retrieve the list of users with their IDs by sending a GET request to the /system/v1/users endpoint. The user IDs are needed for operations such as deleting a user.

    GET https://{{cm_mgmt_ip}}/api/system/v1/users
    
  5. Retrieve the ID of a specific user by sending a GET request to the /system/v1/users?filter=username+eq+%27{{username}}%27 endpoint.

    GET https://{{cm_mgmt_ip}}/api/system/v1/users?filter=username+eq+%27{{username}}%27
    
  6. Change an existing user's role to another role by sending a POST request to the /system/v1/users/{user-id}/roles endpoint.

    POST https://{{cm_mgmt_ip}}/api/system/v1/users/{user-id}/roles
    

    For the request payload, use the following example, modifying the values as required.
    role_ids: Change the role IDs as required. To give a user multiple roles, list the role IDs separated by commas.

    {
        "role_ids": [
            "{{role-id1}}", "{{role-id2}}"
        ]
    }
    
  7. Log out a user by sending a POST request to the /api/logout endpoint.

    POST https://{{cm_mgmt_ip}}/api/logout
    
  8. Delete a specific user by sending a DELETE request to the /system/v1/users/{id} endpoint.

    DELETE https://{{cm_mgmt_ip}}/api/system/v1/users/{id}
    

    Note: To delete a user, log out of the user role and log in with the administrator role.
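The API steps above, carried through end to end in a small Python client. This is an added example, not F5's code, and it makes assumptions the page does not state: the token from the login prerequisite is sent as a Bearer token, responses are JSON, and a collection response is either a bare list or an object wrapping one. The role names come from the table above; the role and user IDs, the response shapes and the FakeCentralManager class are constructed stand-ins so the workflow runs without a real appliance. The client deliberately creates a Standard user and resolves a single named role rather than handing out Administrator, and it refuses usernames that would break the documented filter expression.

```python
"""Client for the Central Manager user/role steps (added example, not F5's code).
Assumed, not from the page: Bearer token auth, JSON bodies, and collection
responses that are a bare list or an object wrapping one. FakeCentralManager
is a constructed in-memory stand-in with invented ids and response shapes."""
import json
import ssl
import urllib.parse
import urllib.request


def _collection(payload):
    """Return the list inside a collection response (shape assumed, see above)."""
    if isinstance(payload, list):
        return payload
    for value in payload.values():
        if isinstance(value, list):
            return value
        if isinstance(value, dict) and _collection(value):
            return _collection(value)
    return []


class CentralManagerUsers:
    """Wraps the /api/system/v1/users and /api/system/v1/roles calls from the procedure."""

    def __init__(self, base_url, token, transport=None):
        self.base_url = base_url.rstrip("/")
        self.token = token
        self.transport = transport or self._https  # real HTTPS unless a stand-in is injected

    @staticmethod
    def _https(method, url, headers, body):
        # The default context verifies the Central Manager certificate; keep it that way.
        req = urllib.request.Request(url, data=body, method=method, headers=headers)
        with urllib.request.urlopen(req, context=ssl.create_default_context()) as resp:
            return resp.status, resp.read()

    def _call(self, method, path, payload=None):
        headers = {"Authorization": f"Bearer {self.token}", "Accept": "application/json"}
        body = None
        if payload is not None:
            body = json.dumps(payload).encode()
            headers["Content-Type"] = "application/json"
        status, raw = self.transport(method, self.base_url + path, headers, body)
        if status >= 400:
            raise RuntimeError(f"{method} {path}: HTTP {status} {raw[:120]!r}")
        return json.loads(raw) if raw else None

    def create_local_user(self, username, password, role_type="Standard"):
        # Step 1: provider_type and provider_name must be Local for a local user.
        return self._call("POST", "/api/system/v1/users", {
            "username": username, "password": password, "role_type": role_type,
            "provider_type": "Local", "provider_name": "Local"})

    def role_id(self, name):
        # Step 2: resolve a role name from the table above to the id the API expects.
        for role in _collection(self._call("GET", "/api/system/v1/roles")):
            if role.get("name") == name:
                return role["id"]
        raise LookupError(f"no role named {name!r}")

    def assign_roles(self, user_id, role_ids):
        # Steps 3 and 6: send every role the user should hold, as the page's payload does.
        return self._call("POST", f"/api/system/v1/users/{user_id}/roles", {"role_ids": list(role_ids)})

    def user_id(self, username):
        # Step 5: filter=username+eq+%27name%27 is exactly quote_plus("username eq 'name'").
        if "'" in username:
            raise ValueError("username would break the filter expression")
        query = urllib.parse.quote_plus(f"username eq '{username}'")
        users = _collection(self._call("GET", f"/api/system/v1/users?filter={query}"))
        if len(users) != 1:
            raise LookupError(f"expected exactly one user {username!r}, found {len(users)}")
        return users[0]["id"]

    def delete_user(self, user_id):
        self._call("DELETE", f"/api/system/v1/users/{user_id}")  # step 8


class FakeCentralManager:
    """Constructed stand-in for the API; ids, tokens and response shapes are invented."""
    ROLES = [{"id": "r-admin", "name": "Administrator"},
             {"id": "r-cert", "name": "Certificate Manager"},
             {"id": "r-app", "name": "Application Manager"}]

    def __init__(self):
        self.users, self.roles_of = {}, {}

    def __call__(self, method, url, headers, body):
        if headers.get("Authorization") != "Bearer test-token":
            return 401, b'{"error": "unauthorized"}'
        path, _, query = url.split("/api", 1)[1].partition("?")
        parts = path.strip("/").split("/")  # e.g. ["system", "v1", "users", "u-1", "roles"]
        data = json.loads(body) if body else {}
        if method == "POST" and parts == ["system", "v1", "users"]:
            uid = f"u-{len(self.users) + 1}"
            self.users[uid] = {"id": uid, "username": data["username"], "role_type": data["role_type"]}
            self.roles_of[uid] = []
            return 201, json.dumps(self.users[uid]).encode()
        if method == "GET" and parts == ["system", "v1", "roles"]:
            return 200, json.dumps({"_embedded": {"roles": self.ROLES}}).encode()
        if method == "GET" and parts == ["system", "v1", "users"]:
            flt = urllib.parse.parse_qs(query).get("filter", [""])[0]  # decodes + and %27
            wanted = flt[len("username eq '"):-1] if flt.startswith("username eq '") else None
            return 200, json.dumps([u for u in self.users.values()
                                    if wanted is None or u["username"] == wanted]).encode()
        if method == "POST" and len(parts) == 5 and parts[4] == "roles":
            if parts[3] not in self.users or not set(data["role_ids"]) <= {r["id"] for r in self.ROLES}:
                return 400, b'{"error": "unknown user or role"}'
            self.roles_of[parts[3]] = list(data["role_ids"])
            return 200, b"{}"
        if method == "DELETE" and len(parts) == 4 and parts[2] == "users":
            return (204, b"") if self.users.pop(parts[3], None) else (404, b"{}")
        return 404, b'{"error": "no such route"}'


def onboard_standard_user(client, username, password, role_name):
    """Steps 1, 2, 3 and 5 in order: create, resolve the role, assign it, confirm the id."""
    created = client.create_local_user(username, password, role_type="Standard")
    rid = client.role_id(role_name)
    client.assign_roles(created["id"], [rid])
    return {"user_id": client.user_id(username), "role_id": rid}


if __name__ == "__main__":
    cm = CentralManagerUsers("https://cm.example.test", "test-token", transport=FakeCentralManager())
    print(onboard_standard_user(cm, "cert-ops", "TempPassw0rd!", "Certificate Manager"))
```

To run it against a real Central Manager, construct CentralManagerUsers with the management address and the token from the authentication prerequisite and omit the transport argument; the HTTPS transport keeps certificate verification on. Because role names are resolved to IDs at call time, a typo in a role name fails with LookupError before any user is changed, and the filter lookup insists on exactly one match so a duplicate or missing user cannot be silently deleted or re-roled.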