User Defined ACL

Overview

This document describes the API to configure User Defined ACL and its properties in BIG-IQ.

REST Endpoint: /mgmt/cm/access/working-config/apm/acl

Requests

GET /mgmt/cm/access/working-config/apm/acl/<id>

Request Parameters

None

Query Parameters

None

Response

HTTP/1.1 200 OK

Name Type Description
aclOrder number Specify the order of this ACL relative to others.
entries array_of_objects Specify the properties of an access control entry. Layer 4 access control entries operate on the protocol layer only. For layer 4, you can configure only the protocols and addresses on which to act. Layer 7 access control entries work on the application layer. For layer 7, you can configure hosts and paths and select a URI scheme. For HTTPS connections, the system applies Layer 7 ACL entries only if the virtual server has the private key of the backend server.
     action string Select the action for the ACL to take when this access control entry is encountered. Allow - Allow the traffic. Continue - Skip checking the remaining entries in this ACL and continue evaluation at the next ACL. Discard - Drop the packet silently. Reject - Drop the packet and send TCP RST (on TCP flows), or proper ICMP messages (on UDP flows), or, on other protocols, silently drop the packet. Note: For HTTP traffic only, no TCP RST message is sent; instead, an ACL deny page displays.
     srcStartPort number Specify a port or range of ports. Source start port is required.
     srcEndPort number Specify a port or range of ports.
     dstStartPort number Specify a port or range of ports. Destination start port is required.
     dstEndPort number Specify a port or range of ports.
     dstSubnet string Enter the source IP address or network address and the mask for the access control entry. Destination IP address with the mask is required.
     srcSubnet string Enter the destination IP address or network address and the mask for the access control entry. Source IP address with the mask is required.
     host string This setting applies to Network Layer 7 access control entries only. Specify a host name. You can use wildcard characters. To represent one or more characters, use an asterisk (*). To represent a single character, use a question mark (?).
     log string Log options are None (log nothing) or Packet (log the matched packet) when actions occur.
     paths string This setting applies to network Layer 7 access control entries only. For Paths, type one or more URIs separated by spaces. You can use wildcard characters as specified for Host Name.
     protocol number This setting applies to Layer 4 access control entries only. Specify the protocol, such as TCP, UDP, or ICMP, or all protocols, to which the access control entry applies.
     scheme string This setting applies to Layer 7 access control entries only. Enter the URI scheme (http, https, or any) on which the access control entry operates.
pathMatchCase string Specifies whether alphabetic case is considered when matching paths in an access control entry (Match Case For Paths in the Configuration area). Set to ‘true’ or ‘false’.
type string Specifies Static or Dynamic to create a static or dynamic access control list.
name string The name of the object
partition string The BIG-IP partition where the object should be placed
subPath string The BIG-IP folder where the object should be placed
id string An ID of an application
lsoDeviceReference reference Reference to the device
     id string Id of the device.
     name string Device name. Typically it is device’s hostname.
     kind string Kind of the device.
     machineId string Machine ID of the device.
     link string URI link of the reference.
isLsoShared boolean Specifies if the location-specific object instance is shared across all devices. Use this only during POST. Warning: Do not flip this flag during PUT/PATCH operations.
deviceGroupReference reference Reference to the device group.
     name string Name of the resource
     kind string The kind of the resource.
     link string URI link of the reference.
description string The description of an Application.
kind string The kind of an application.
selfLink string The selfLink of an application.

Error Response

HTTP/1.1 400 Bad Request

This response status is related to error conditions. A detailed error message displays in the response.

HTTP/1.1 401 Unauthorized

This response happens when access is denied due to invalid credentials (no permission).

Permissions

Role Allow
Application_Editor Yes
Service_Catalog_Viewer Yes
Service_Catalog_Editor Yes
Trust_Discovery_Import Yes
Access_View Yes
Access_Edit Yes
Access_Manager Yes
Application_Manager Yes
Application_Viewer Yes
Trust_Discovery_Import Yes
Access_Deploy Yes
Access_Policy_Editor Yes

POST /mgmt/cm/access/working-config/apm/acl

Request Parameters

Name Type Required Description
aclOrder number False Specify the order of this ACL relative to others.
entries array_of_objects False Specify the properties of an access control entry. Layer 4 access control entries operate on the protocol layer only. For layer 4, you can configure only the protocols and addresses on which to act. Layer 7 access control entries work on the application layer. For layer 7, you can configure hosts and paths and select a URI scheme. For HTTPS connections, the system applies Layer 7 ACL entries only if the virtual server has the private key of the backend server.
     action string True Select the action for the ACL to take when this access control entry is encountered. Allow - Allow the traffic. Continue - Skip checking the remaining entries in this ACL and continue evaluation at the next ACL. Discard - Drop the packet silently. Reject - Drop the packet and send TCP RST (on TCP flows), or proper ICMP messages (on UDP flows), or, on other protocols, silently drop the packet. Note: For HTTP traffic only, no TCP RST message is sent; instead, an ACL deny page displays.
     srcStartPort number True Specify a port or range of ports. Source start port is required.
     srcEndPort number False Specify a port or range of ports.
     dstStartPort number True Specify a port or range of ports. Destination start port is required.
     dstEndPort number False Specify a port or range of ports.
     dstSubnet string True Enter the source IP address or network address and the mask for the access control entry. Destination IP address with the mask is required.
     srcSubnet string True Enter the destination IP address or network address and the mask for the access control entry. Source IP address with the mask is required.
     host string False This setting applies to Network Layer 7 access control entries only. Specify a host name. You can use wildcard characters. To represent one or more characters, use an asterisk (*). To represent a single character, use a question mark (?).
     log string False Log options are None (log nothing) or Packet (log the matched packet) when actions occur.
     paths string False This setting applies to network Layer 7 access control entries only. For Paths, type one or more URIs separated by spaces. You can use wildcard characters as specified for Host Name.
     protocol number False This setting applies to Layer 4 access control entries only. Specify the protocol, such as TCP, UDP, or ICMP, or all protocols, to which the access control entry applies.
     scheme string False This setting applies to Layer 7 access control entries only. Enter the URI scheme (http, https, or any) on which the access control entry operates.
pathMatchCase string False Specifies whether alphabetic case is considered when matching paths in an access control entry (Match Case For Paths in the Configuration area). Set to ‘true’ or ‘false’.
type string False Specifies Static or Dynamic to create a static or dynamic access control list.
name string True The name of the object
partition string True The BIG-IP partition where the object should be placed
subPath string False The BIG-IP folder where the object should be placed
lsoDeviceReference reference True Reference to the device
     id string False Id of the device.
     link string False URI link of the reference.
isLsoShared boolean True Specifies if the location-specific object instance is shared across all devices. Use this only during POST. Warning: Do not flip this flag during PUT/PATCH operations.
deviceGroupReference reference False Reference to the device group.
     link string False URI link of the reference.
description string False The description of an Application.
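
The checker below is an added example, not part of the BIG-IQ documentation or F5's code: it lints a POST body against the Required column of the table above and flags an unlogged any-to-any allow entry before the request is sent. It assumes lowercase wire values for action, log and scheme, subnets in CIDR or dotted-mask form, and IANA protocol numbers; the sample body and every value in it are constructed.

```python
import ipaddress

# Fields the POST request table marks Required = True.
REQUIRED_TOP = ("name", "partition", "lsoDeviceReference", "isLsoShared")
REQUIRED_ENTRY = ("action", "srcStartPort", "dstStartPort", "srcSubnet", "dstSubnet")
# Assumption: wire values are the lowercase forms of the option names in the table.
ACTIONS = {"allow", "continue", "discard", "reject"}
LOG_OPTIONS = {"none", "packet"}
SCHEMES = {"http", "https", "any"}
L7_FIELDS = ("host", "paths", "scheme")


def _network(value):
    """Parse 'address/mask' (assumed CIDR or dotted-mask form); None if invalid."""
    if not isinstance(value, str):
        return None
    try:
        return ipaddress.ip_network(value, strict=False)
    except ValueError:
        return None


def _check_entry(index, entry, errors, warnings):
    where = f"entries[{index}]"
    for field in REQUIRED_ENTRY:
        if field not in entry:
            errors.append(f"{where}: missing required field {field}")
    action = str(entry.get("action", "")).lower()
    if "action" in entry and action not in ACTIONS:
        errors.append(f"{where}: unknown action {entry['action']!r}")
    log = str(entry.get("log", "none")).lower()
    if log not in LOG_OPTIONS:
        errors.append(f"{where}: unknown log option {entry['log']!r}")
    if "scheme" in entry and str(entry["scheme"]).lower() not in SCHEMES:
        errors.append(f"{where}: unknown scheme {entry['scheme']!r}")
    nets = {}
    for side in ("src", "dst"):
        start, end = entry.get(side + "StartPort"), entry.get(side + "EndPort")
        ports = [p for p in (start, end) if p is not None]
        if any(type(p) is not int or not 0 <= p <= 65535 for p in ports):
            errors.append(f"{where}: {side} port is not an integer in 0-65535")
        elif len(ports) == 2 and end < start:
            errors.append(f"{where}: {side}EndPort is below {side}StartPort")
        if side + "Subnet" in entry:
            nets[side] = _network(entry[side + "Subnet"])
            if nets[side] is None:
                errors.append(f"{where}: {side}Subnet is not a valid address/mask")
    # The table scopes protocol to Layer 4 and host/paths/scheme to Layer 7.
    if "protocol" in entry and any(f in entry for f in L7_FIELDS):
        warnings.append(f"{where}: protocol (Layer 4 only) set together with Layer 7 fields")
    any_to_any = all(nets.get(s) is not None and nets[s].prefixlen == 0 for s in ("src", "dst"))
    if action == "allow" and any_to_any and log == "none":
        warnings.append(f"{where}: allows any source to any destination with logging off")


def validate_acl(body):
    """Return (errors, warnings) for a candidate POST body."""
    errors, warnings = [], []
    for field in REQUIRED_TOP:
        if field not in body:
            errors.append(f"missing required field {field}")
    if "isLsoShared" in body and not isinstance(body["isLsoShared"], bool):
        errors.append("isLsoShared must be a boolean")
    if "lsoDeviceReference" in body and not isinstance(body["lsoDeviceReference"], dict):
        errors.append("lsoDeviceReference must be a reference object")
    for index, entry in enumerate(body.get("entries") or []):
        _check_entry(index, entry, errors, warnings)
    return errors, warnings


# Constructed sample body; names, addresses and the reference link are placeholders.
SAMPLE_ACL = {
    "name": "example-acl",
    "partition": "Common",
    "isLsoShared": False,
    "lsoDeviceReference": {"link": "<device-reference-link>"},
    "aclOrder": 10,
    "entries": [
        # Well-formed Layer 4 entry (protocol 6 = TCP, assuming IANA numbers).
        {"action": "allow", "srcSubnet": "10.1.0.0/16", "dstSubnet": "192.0.2.10/32",
         "srcStartPort": 0, "dstStartPort": 443, "dstEndPort": 443,
         "protocol": 6, "log": "packet"},
        # Inverted port range, and a broad allow that is not logged.
        {"action": "allow", "srcSubnet": "0.0.0.0/0", "dstSubnet": "0.0.0.0/0",
         "srcStartPort": 0, "dstStartPort": 8443, "dstEndPort": 8080},
        # Unknown action, bad mask, two required fields missing.
        {"action": "drop", "srcSubnet": "10.2.0.0/33", "dstStartPort": 22},
    ],
}

if __name__ == "__main__":
    found_errors, found_warnings = validate_acl(SAMPLE_ACL)
    for line in found_errors:
        print("ERROR  ", line)
    for line in found_warnings:
        print("WARNING", line)
```
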

Query Parameters

None

Response

HTTP/1.1 200 OK

Name Type Description
aclOrder number Specify the order of this ACL relative to others.
entries array_of_objects Specify the properties of an access control entry. Layer 4 access control entries operate on the protocol layer only. For layer 4, you can configure only the protocols and addresses on which to act. Layer 7 access control entries work on the application layer. For layer 7, you can configure hosts and paths and select a URI scheme. For HTTPS connections, the system applies Layer 7 ACL entries only if the virtual server has the private key of the backend server.
     action string Select the action for the ACL to take when this access control entry is encountered. Allow - Allow the traffic. Continue - Skip checking the remaining entries in this ACL and continue evaluation at the next ACL. Discard - Drop the packet silently. Reject - Drop the packet and send TCP RST (on TCP flows), or proper ICMP messages (on UDP flows), or, on other protocols, silently drop the packet. Note: For HTTP traffic only, no TCP RST message is sent; instead, an ACL deny page displays.
     srcStartPort number Specify a port or range of ports. Source start port is required.
     srcEndPort number Specify a port or range of ports.
     dstStartPort number Specify a port or range of ports. Destination start port is required.
     dstEndPort number Specify a port or range of ports.
     dstSubnet string Enter the source IP address or network address and the mask for the access control entry. Destination IP address with the mask is required.
     srcSubnet string Enter the destination IP address or network address and the mask for the access control entry. Source IP address with the mask is required.
     host string This setting applies to Network Layer 7 access control entries only. Specify a host name. You can use wildcard characters. To represent one or more characters, use an asterisk (*). To represent a single character, use a question mark (?).
     log string Log options are None (log nothing) or Packet (log the matched packet) when actions occur.
     paths string This setting applies to network Layer 7 access control entries only. For Paths, type one or more URIs separated by spaces. You can use wildcard characters as specified for Host Name.
     protocol number This setting applies to Layer 4 access control entries only. Specify the protocol, such as TCP, UDP, or ICMP, or all protocols, to which the access control entry applies.
     scheme string This setting applies to Layer 7 access control entries only. Enter the URI scheme (http, https, or any) on which the access control entry operates.
pathMatchCase string Specifies whether alphabetic case is considered when matching paths in an access control entry (Match Case For Paths in the Configuration area). Set to ‘true’ or ‘false’.
type string Specifies Static or Dynamic to create a static or dynamic access control list.
name string The name of the object
partition string The BIG-IP partition where the object should be placed
subPath string The BIG-IP folder where the object should be placed
id string An ID of an application
lsoDeviceReference reference Reference to the device
     id string Id of the device.
     name string Device name. Typically it is device’s hostname.
     kind string Kind of the device.
     machineId string Machine ID of the device.
     link string URI link of the reference.
isLsoShared boolean Specifies if the location-specific object instance is shared across all devices. Use this only during POST. Warning: Do not flip this flag during PUT/PATCH operations.
deviceGroupReference reference Reference to the device group.
     name string Name of the resource
     kind string The kind of the resource.
     link string URI link of the reference.
description string The description of an Application.
kind string The kind of an application.
selfLink string The selfLink of an application.

Error Response

HTTP/1.1 400 Bad Request

This response status is related to error conditions. A detailed error message displays in the response.

HTTP/1.1 401 Unauthorized

This response happens when access is denied due to invalid credentials (no permission).

Permissions

Role Allow
Application_Editor No
Service_Catalog_Viewer No
Service_Catalog_Editor No
Trust_Discovery_Import No
Access_View No
Access_Edit Yes
Access_Manager Yes
Application_Manager No
Application_Viewer No
Trust_Discovery_Import No
Access_Deploy No
Access_Policy_Editor No

PUT /mgmt/cm/access/working-config/apm/acl/<id>

Request Parameters

Name Type Required Description
aclOrder number False Specify the order of this ACL relative to others.
entries array_of_objects False Specify the properties of an access control entry. Layer 4 access control entries operate on the protocol layer only. For layer 4, you can configure only the protocols and addresses on which to act. Layer 7 access control entries work on the application layer. For layer 7, you can configure hosts and paths and select a URI scheme. For HTTPS connections, the system applies Layer 7 ACL entries only if the virtual server has the private key of the backend server.
     action string False Select the action for the ACL to take when this access control entry is encountered. Allow - Allow the traffic. Continue - Skip checking the remaining entries in this ACL and continue evaluation at the next ACL. Discard - Drop the packet silently. Reject - Drop the packet and send TCP RST (on TCP flows), or proper ICMP messages (on UDP flows), or, on other protocols, silently drop the packet. Note: For HTTP traffic only, no TCP RST message is sent; instead, an ACL deny page displays.
     srcStartPort number False Specify a port or range of ports. Source start port is required.
     srcEndPort number False Specify a port or range of ports.
     dstStartPort number False Specify a port or range of ports. Destination start port is required.
     dstEndPort number False Specify a port or range of ports.
     dstSubnet string False Enter the source IP address or network address and the mask for the access control entry. Destination IP address with the mask is required.
     srcSubnet string False Enter the destination IP address or network address and the mask for the access control entry. Source IP address with the mask is required.
     host string False This setting applies to Network Layer 7 access control entries only. Specify a host name. You can use wildcard characters. To represent one or more characters, use an asterisk (*). To represent a single character, use a question mark (?).
     log string False Log options are None (log nothing) or Packet (log the matched packet) when actions occur.
     paths string False This setting applies to network Layer 7 access control entries only. For Paths, type one or more URIs separated by spaces. You can use wildcard characters as specified for Host Name.
     protocol number False This setting applies to Layer 4 access control entries only. Specify the protocol, such as TCP, UDP, or ICMP, or all protocols, to which the access control entry applies.
     scheme string False This setting applies to Layer 7 access control entries only. Enter the URI scheme (http, https, or any) on which the access control entry operates.
pathMatchCase string False Specifies whether alphabetic case is considered when matching paths in an access control entry (Match Case For Paths in the Configuration area). Set to ‘true’ or ‘false’.
type string False Specifies Static or Dynamic to create a static or dynamic access control list.
name string False The name of the object
partition string False The BIG-IP partition where the object should be placed
subPath string False The BIG-IP folder where the object should be placed
id string False An ID of an application
lsoDeviceReference reference True Reference to the device
     id string False Id of the device.
     name string False Device name. Typically it is device’s hostname.
     kind string False Kind of the device.
     machineId string True Machine ID of the device.
     link string False URI link of the reference.
isLsoShared boolean False Specifies if the location-specific object instance is shared across all devices. Use this only during POST. Warning: Do not flip this flag during PUT/PATCH operations.
deviceGroupReference reference False Reference to the device group.
     name string False Name of the resource
     kind string False The kind of the resource.
     link string False URI link of the reference.
description string False The description of an Application.
kind string False The kind of an application.
selfLink string False The selfLink of an application.

Query Parameters

None

Response

HTTP/1.1 200 OK

Name Type Description
aclOrder number Specify the order of this ACL relative to others.
entries array_of_objects Specify the properties of an access control entry. Layer 4 access control entries operate on the protocol layer only. For layer 4, you can configure only the protocols and addresses on which to act. Layer 7 access control entries work on the application layer. For layer 7, you can configure hosts and paths and select a URI scheme. For HTTPS connections, the system applies Layer 7 ACL entries only if the virtual server has the private key of the backend server.
     action string Select the action for the ACL to take when this access control entry is encountered. Allow - Allow the traffic. Continue - Skip checking the remaining entries in this ACL and continue evaluation at the next ACL. Discard - Drop the packet silently. Reject - Drop the packet and send TCP RST (on TCP flows), or proper ICMP messages (on UDP flows), or, on other protocols, silently drop the packet. Note: For HTTP traffic only, no TCP RST message is sent; instead, an ACL deny page displays.
     srcStartPort number Specify a port or range of ports. Source start port is required.
     srcEndPort number Specify a port or range of ports.
     dstStartPort number Specify a port or range of ports. Destination start port is required.
     dstEndPort number Specify a port or range of ports.
     dstSubnet string Enter the source IP address or network address and the mask for the access control entry. Destination IP address with the mask is required.
     srcSubnet string Enter the destination IP address or network address and the mask for the access control entry. Source IP address with the mask is required.
     host string This setting applies to Network Layer 7 access control entries only. Specify a host name. You can use wildcard characters. To represent one or more characters, use an asterisk (*). To represent a single character, use a question mark (?).
     log string Log options are None (log nothing) or Packet (log the matched packet) when actions occur.
     paths string This setting applies to network Layer 7 access control entries only. For Paths, type one or more URIs separated by spaces. You can use wildcard characters as specified for Host Name.
     protocol number This setting applies to Layer 4 access control entries only. Specify the protocol, such as TCP, UDP, or ICMP, or all protocols, to which the access control entry applies.
     scheme string This setting applies to Layer 7 access control entries only. Enter the URI scheme (http, https, or any) on which the access control entry operates.
pathMatchCase string Specifies whether alphabetic case is considered when matching paths in an access control entry (Match Case For Paths in the Configuration area). Set to ‘true’ or ‘false’.
type string Specifies Static or Dynamic to create a static or dynamic access control list.
name string The name of the object
partition string The BIG-IP partition where the object should be placed
subPath string The BIG-IP folder where the object should be placed
id string An ID of an application
lsoDeviceReference reference Reference to the device
     id string Id of the device.
     name string Device name. Typically it is device’s hostname.
     kind string Kind of the device.
     machineId string Machine ID of the device.
     link string URI link of the reference.
isLsoShared boolean Specifies if the location-specific object instance is shared across all devices. Use this only during POST. Warning: Do not flip this flag during PUT/PATCH operations.
deviceGroupReference reference Reference to the device group.
     name string Name of the resource
     kind string The kind of the resource.
     link string URI link of the reference.
description string The description of an Application.
kind string The kind of an application.
selfLink string The selfLink of an application.

Error Response

HTTP/1.1 400 Bad Request

This response status is related to error conditions. A detailed error message displays in the response.

HTTP/1.1 401 Unauthorized

This response happens when access is denied due to invalid credentials (no permission).

Permissions

Role Allow
Application_Editor No
Service_Catalog_Viewer No
Service_Catalog_Editor No
Trust_Discovery_Import No
Access_View No
Access_Edit Yes
Access_Manager Yes
Application_Manager No
Application_Viewer No
Trust_Discovery_Import No
Access_Deploy No
Access_Policy_Editor No

PATCH /mgmt/cm/access/working-config/apm/acl/<id>

Request Parameters

Name Type Required Description
aclOrder number False Specify the order of this ACL relative to others.
entries array_of_objects False Specify the properties of an access control entry. Layer 4 access control entries operate on the protocol layer only. For layer 4, you can configure only the protocols and addresses on which to act. Layer 7 access control entries work on the application layer. For layer 7, you can configure hosts and paths and select a URI scheme. For HTTPS connections, the system applies Layer 7 ACL entries only if the virtual server has the private key of the backend server.
     action string False Select the action for the ACL to take when this access control entry is encountered. Allow - Allow the traffic. Continue - Skip checking the remaining entries in this ACL and continue evaluation at the next ACL. Discard - Drop the packet silently. Reject - Drop the packet and send TCP RST (on TCP flows), or proper ICMP messages (on UDP flows), or, on other protocols, silently drop the packet. Note: For HTTP traffic only, no TCP RST message is sent; instead, an ACL deny page displays.
     srcStartPort number False Specify a port or range of ports. Source start port is required.
     srcEndPort number False Specify a port or range of ports.
     dstStartPort number False Specify a port or range of ports. Destination start port is required.
     dstEndPort number False Specify a port or range of ports.
     dstSubnet string False Enter the source IP address or network address and the mask for the access control entry. Destination IP address with the mask is required.
     srcSubnet string False Enter the destination IP address or network address and the mask for the access control entry. Source IP address with the mask is required.
     host string False This setting applies to Network Layer 7 access control entries only. Specify a host name. You can use wildcard characters. To represent one or more characters, use an asterisk (*). To represent a single character, use a question mark (?).
     log string False Log options are None (log nothing) or Packet (log the matched packet) when actions occur.
     paths string False This setting applies to network Layer 7 access control entries only. For Paths, type one or more URIs separated by spaces. You can use wildcard characters as specified for Host Name.
     protocol number False This setting applies to Layer 4 access control entries only. Specify the protocol, such as TCP, UDP, or ICMP, or all protocols, to which the access control entry applies.
     scheme string False This setting applies to Layer 7 access control entries only. Enter the URI scheme (http, https, or any) on which the access control entry operates.
pathMatchCase string False Specifies whether alphabetic case is considered when matching paths in an access control entry (Match Case For Paths in the Configuration area). Set to ‘true’ or ‘false’.
type string False Specifies Static or Dynamic to create a static or dynamic access control list.
isLsoShared boolean False Specifies if the location-specific object instance is shared across all devices. Use this only during POST. Warning: Do not flip this flag during PUT/PATCH operations.
description string False The description of an Application.

Query Parameters

None

Response

HTTP/1.1 200 OK

Name Type Description
aclOrder number Specify the order of this ACL relative to others.
entries array_of_objects Specify the properties of an access control entry. Layer 4 access control entries operate on the protocol layer only. For layer 4, you can configure only the protocols and addresses on which to act. Layer 7 access control entries work on the application layer. For layer 7, you can configure hosts and paths and select a URI scheme. For HTTPS connections, the system applies Layer 7 ACL entries only if the virtual server has the private key of the backend server.
     action string Select the action for the ACL to take when this access control entry is encountered. Allow - Allow the traffic. Continue - Skip checking the remaining entries in this ACL and continue evaluation at the next ACL. Discard - Drop the packet silently. Reject - Drop the packet and send TCP RST (on TCP flows), or proper ICMP messages (on UDP flows), or, on other protocols, silently drop the packet. Note: For HTTP traffic only, no TCP RST message is sent; instead, an ACL deny page displays.
     srcStartPort number Specify a port or range of ports. Source start port is required.
     srcEndPort number Specify a port or range of ports.
     dstStartPort number Specify a port or range of ports. Destination start port is required.
     dstEndPort number Specify a port or range of ports.
     dstSubnet string Enter the source IP address or network address and the mask for the access control entry. Destination IP address with the mask is required.
     srcSubnet string Enter the destination IP address or network address and the mask for the access control entry. Source IP address with the mask is required.
     host string This setting applies to Network Layer 7 access control entries only. Specify a host name. You can use wildcard characters. To represent one or more characters, use an asterisk (*). To represent a single character, use a question mark (?).
     log string Log options are None (log nothing) or Packet (log the matched packet) when actions occur.
     paths string This setting applies to network Layer 7 access control entries only. For Paths, type one or more URIs separated by spaces. You can use wildcard characters as specified for Host Name.
     protocol number This setting applies to Layer 4 access control entries only. Specify the protocol, such as TCP, UDP, or ICMP, or all protocols, to which the access control entry applies.
     scheme string This setting applies to Layer 7 access control entries only. Enter the URI scheme (http, https, or any) on which the access control entry operates.
pathMatchCase string Specifies whether alphabetic case is considered when matching paths in an access control entry (Match Case For Paths in the Configuration area). Set to ‘true’ or ‘false’.
type string Specifies Static or Dynamic to create a static or dynamic access control list.
name string The name of the object
partition string The BIG-IP partition where the object should be placed
subPath string The BIG-IP folder where the object should be placed
id string An ID of an application
lsoDeviceReference reference Reference to the device
     id string Id of the device.
     name string Device name. Typically it is device’s hostname.
     kind string Kind of the device.
     machineId string Machine ID of the device.
     link string URI link of the reference.
isLsoShared boolean Specifies if the location-specific object instance is shared across all devices. Use this only during POST. Warning: Do not flip this flag during PUT/PATCH operations.
deviceGroupReference reference Reference to the device group.
     name string Name of the resource
     kind string The kind of the resource.
     link string URI link of the reference.
description string The description of an Application.
kind string The kind of an application.
selfLink string The selfLink of an application.

Error Response

HTTP/1.1 400 Bad Request

This response status is related to error conditions. A detailed error message displays in the response.

HTTP/1.1 401 Unauthorized

This response happens when access is denied due to invalid credentials (no permission).

Permissions

Role Allow
Application_Editor No
Service_Catalog_Viewer No
Service_Catalog_Editor No
Trust_Discovery_Import No
Access_View No
Access_Edit Yes
Access_Manager Yes
Application_Manager No
Application_Viewer No
Trust_Discovery_Import No
Access_Deploy No
Access_Policy_Editor No

DELETE /mgmt/cm/access/working-config/apm/acl/<id>

Request Parameters

None

Query Parameters

None

Response

HTTP/1.1 200 OK

Name Type Description
aclOrder number Specify the order of this ACL relative to others.
entries array_of_objects Specify the properties of an access control entry. Layer 4 access control entries operate on the protocol layer only. For layer 4, you can configure only the protocols and addresses on which to act. Layer 7 access control entries work on the application layer. For layer 7, you can configure hosts and paths and select a URI scheme. For HTTPS connections, the system applies Layer 7 ACL entries only if the virtual server has the private key of the backend server.
     action string Select the action for the ACL to take when this access control entry is encountered. Allow - Allow the traffic. Continue - Skip checking the remaining entries in this ACL and continue evaluation at the next ACL. Discard - Drop the packet silently. Reject - Drop the packet and send TCP RST (on TCP flows), or proper ICMP messages (on UDP flows), or, on other protocols, silently drop the packet. Note: For HTTP traffic only, no TCP RST message is sent; instead, an ACL deny page displays.
     srcStartPort number Specify a port or range of ports. Source start port is required.
     srcEndPort number Specify a port or range of ports.
     dstStartPort number Specify a port or range of ports. Destination start port is required.
     dstEndPort number Specify a port or range of ports.
     dstSubnet string Enter the source IP address or network address and the mask for the access control entry. Destination IP address with the mask is required.
     srcSubnet string Enter the destination IP address or network address and the mask for the access control entry. Source IP address with the mask is required.
     host string This setting applies to Network Layer 7 access control entries only. Specify a host name. You can use wildcard characters. To represent one or more characters, use an asterisk (*). To represent a single character, use a question mark (?).
     log string Log options are None (log nothing) or Packet (log the matched packet) when actions occur.
     paths string This setting applies to network Layer 7 access control entries only. For Paths, type one or more URIs separated by spaces. You can use wildcard characters as specified for Host Name.
     protocol number This setting applies to Layer 4 access control entries only. Specify the protocol, such as TCP, UDP, or ICMP, or all protocols, to which the access control entry applies.
     scheme string This setting applies to Layer 7 access control entries only. Enter the URI scheme (http, https, or any) on which the access control entry operates.
pathMatchCase string Specifies whether alphabetic case is considered when matching paths in an access control entry (Match Case For Paths in the Configuration area). Set to ‘true’ or ‘false’.
type string Specifies Static or Dynamic to create a static or dynamic access control list.
name string The name of the object
partition string The BIG-IP partition where the object should be placed
subPath string The BIG-IP folder where the object should be placed
id string An ID of an application
lsoDeviceReference reference Reference to the device
     id string Id of the device.
     name string Device name. Typically it is the device's hostname.
     kind string Kind of the device.
     machineId string Machine ID of the device.
     link string URI link of the reference.
isLsoShared boolean Specifies if the location-specific object instance is shared across all devices. Use this only during POST. Warning: Do not flip this flag during PUT/PATCH operations.
deviceGroupReference reference Reference to the device group.
     name string Name of the resource
     kind string The kind of the resource.
     link string URI link of the reference.
description string The description of an Application.
kind string The kind of an application.
selfLink string The selfLink of an application.

Error Response

HTTP/1.1 400 Bad Request

This response status is related to error conditions. A detailed error message displays in the response.

HTTP/1.1 401 Unauthorized

This response is returned when access is denied due to invalid credentials (no permission).

Permissions

Role Allow
Application_Editor No
Service_Catalog_Viewer No
Service_Catalog_Editor No
Trust_Discovery_Import No
Access_View No
Access_Edit Yes
Access_Manager Yes
Application_Manager No
Application_Viewer No
Access_Deploy No
Access_Policy_Editor No

Examples

Get User Defined ACL

GET /mgmt/cm/access/working-config/apm/acl/<id>

Response

HTTP/1.1 200 OK
{
    "aclOrder": 1,
    "entries": [{
        "action": "admin",
        "srcStartPort": 0,
        "srcEndPort": 0,
        "dstStartPort": 0,
        "dstEndPort": 0,
        "dstSubnet": "0.0.0.0/0",
        "srcSubnet": "0.0.0.0/0",
        "host": "admin",
        "log": "none",
        "paths": "*",
        "protocol": 0,
        "scheme": "any"
    }],
    "pathMatchCase": "true",
    "type": "static",
    "name": "foo",
    "partition": "Common",
    "subPath": "/folder",
    "id": "8f1fcb69-1f3c-3c0d-812e-af4fdde0ac11",
    "lsoDeviceReference": {
        "id": "866cfd8a-4d03-48e9-ba94-bb21a4bc2346",
        "name": "bigip.foo.com",
        "kind": "shared:resolver:device-groups:restdeviceresolverdevicestate",
        "machineId": "866cfd8a-4d03-48e9-ba94-bb21a4bc2346",
        "link": "https://localhost/mgmt/shared/foo/bar/866cfd8a-4d03-48e9-ba94-bb21a4bc2346"
    },
    "isLsoShared": false,
    "deviceGroupReference": {
        "name": "resourceName",
        "kind": "shared:resolver:device-groups:devicegroupstate",
        "link": "https://localhost/mgmt/shared/foo/bar/866cfd8a-4d03-48e9-ba94-bb21a4bc2346"
    },
    "description": "Application configuration details.",
    "kind": "cm:access:working-config:apm:aaa:state",
    "selfLink": "https://localhost/mgmt/cm/access/working-config/apm/f0938680-57d5-377f-8c73-da4c2ce561ed"
}

Create New User Defined ACL

POST /mgmt/cm/access/working-config/apm/acl
{
    "aclOrder": 1,
    "entries": [{
        "action": "admin",
        "srcStartPort": 0,
        "srcEndPort": 0,
        "dstStartPort": 0,
        "dstEndPort": 0,
        "dstSubnet": "0.0.0.0/0",
        "srcSubnet": "0.0.0.0/0",
        "host": "admin",
        "log": "none",
        "paths": "*",
        "protocol": 0,
        "scheme": "any"
    }],
    "pathMatchCase": "true",
    "type": "static",
    "name": "foo",
    "partition": "Common",
    "subPath": "/folder",
    "lsoDeviceReference": {
        "id": "866cfd8a-4d03-48e9-ba94-bb21a4bc2346",
        "link": "https://localhost/mgmt/shared/foo/bar/866cfd8a-4d03-48e9-ba94-bb21a4bc2346"
    },
    "isLsoShared": false,
    "deviceGroupReference": {
        "link": "https://localhost/mgmt/shared/foo/bar/866cfd8a-4d03-48e9-ba94-bb21a4bc2346"
    },
    "description": "Application configuration details."
}

Response

HTTP/1.1 200 OK
{
    "aclOrder": 1,
    "entries": [{
        "action": "admin",
        "srcStartPort": 0,
        "srcEndPort": 0,
        "dstStartPort": 0,
        "dstEndPort": 0,
        "dstSubnet": "0.0.0.0/0",
        "srcSubnet": "0.0.0.0/0",
        "host": "admin",
        "log": "none",
        "paths": "*",
        "protocol": 0,
        "scheme": "any"
    }],
    "pathMatchCase": "true",
    "type": "static",
    "name": "foo",
    "partition": "Common",
    "subPath": "/folder",
    "id": "8f1fcb69-1f3c-3c0d-812e-af4fdde0ac11",
    "lsoDeviceReference": {
        "id": "866cfd8a-4d03-48e9-ba94-bb21a4bc2346",
        "name": "bigip.foo.com",
        "kind": "shared:resolver:device-groups:restdeviceresolverdevicestate",
        "machineId": "866cfd8a-4d03-48e9-ba94-bb21a4bc2346",
        "link": "https://localhost/mgmt/shared/foo/bar/866cfd8a-4d03-48e9-ba94-bb21a4bc2346"
    },
    "isLsoShared": false,
    "deviceGroupReference": {
        "name": "resourceName",
        "kind": "shared:resolver:device-groups:devicegroupstate",
        "link": "https://localhost/mgmt/shared/foo/bar/866cfd8a-4d03-48e9-ba94-bb21a4bc2346"
    },
    "description": "Application configuration details.",
    "kind": "cm:access:working-config:apm:aaa:state",
    "selfLink": "https://localhost/mgmt/cm/access/working-config/apm/f0938680-57d5-377f-8c73-da4c2ce561ed"
}
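
A pre-flight check for request bodies like the POST above, added here as an example (it is not F5 or BIG-IQ code). It checks each entry against the parameter table: required fields, the four documented actions, address/mask syntax, port ranges, an allow-everything entry, and matches that go unlogged. Case-insensitive value matching and reading port 0 as "any port" are assumptions.

```python
import ipaddress

# Action names come from the parameter table. Case-insensitive matching and
# reading port 0 as "any port" are assumptions of this example.
ACTIONS = {"allow", "continue", "discard", "reject"}
REQUIRED = ("srcStartPort", "dstStartPort", "srcSubnet", "dstSubnet")
PORTS = ("srcStartPort", "srcEndPort", "dstStartPort", "dstEndPort")


def _check_ports(entry, side):
    start = entry.get(f"{side}StartPort", 0)
    end = entry.get(f"{side}EndPort", 0)
    if not all(isinstance(p, int) and 0 <= p <= 65535 for p in (start, end)):
        return f"{side} port outside 0-65535"
    if end and end < start:
        return f"{side}EndPort is below {side}StartPort"
    return None


def lint_acl(acl):
    """Return (entry_index, finding) tuples for an ACL request body."""
    findings = []
    for i, e in enumerate(acl.get("entries", [])):
        findings += [(i, f"missing required field {f}") for f in REQUIRED if f not in e]
        action = str(e.get("action", "")).lower()
        if action not in ACTIONS:
            findings.append((i, f"unknown action {e.get('action')!r}"))
        any_net = True
        for f in ("srcSubnet", "dstSubnet"):
            try:  # a prefix length of 0 (0.0.0.0/0) matches every address
                any_net = ipaddress.ip_network(e[f], strict=False).prefixlen == 0 and any_net
            except (KeyError, ValueError):
                any_net = False
                if f in e:
                    findings.append((i, f"{f} is not a valid address/mask"))
        findings += [(i, p) for p in (_check_ports(e, s) for s in ("src", "dst")) if p]
        any_l7 = all(e.get(k, "*") == "*" for k in ("host", "paths"))
        if action == "allow" and any_net and any_l7 and not any(e.get(k) for k in PORTS):
            findings.append((i, "allows any source to any destination on any port"))
        if action in ("allow", "discard", "reject") and str(e.get("log", "none")).lower() == "none":
            findings.append((i, "matches are not logged"))
    return findings


# Constructed sample: one entry shaped like the example bodies on this page.
SAMPLE = {"entries": [{"action": "admin", "srcStartPort": 0, "dstStartPort": 0,
                       "srcSubnet": "0.0.0.0/0", "dstSubnet": "0.0.0.0/0",
                       "host": "admin", "log": "none", "paths": "*"}]}
```

Run against `SAMPLE`, `lint_acl` reports the `"admin"` action, which is not one of the four actions the parameter table lists.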

Edit User Defined ACL

PUT /mgmt/cm/access/working-config/apm/acl/<id>
{
    "aclOrder": 1,
    "entries": [{
        "action": "admin",
        "srcStartPort": 0,
        "srcEndPort": 0,
        "dstStartPort": 0,
        "dstEndPort": 0,
        "dstSubnet": "0.0.0.0/0",
        "srcSubnet": "0.0.0.0/0",
        "host": "admin",
        "log": "none",
        "paths": "*",
        "protocol": 0,
        "scheme": "any"
    }],
    "pathMatchCase": "true",
    "type": "static",
    "name": "foo",
    "partition": "Common",
    "subPath": "/folder",
    "id": "8f1fcb69-1f3c-3c0d-812e-af4fdde0ac11",
    "lsoDeviceReference": {
        "id": "866cfd8a-4d03-48e9-ba94-bb21a4bc2346",
        "name": "bigip.foo.com",
        "kind": "shared:resolver:device-groups:restdeviceresolverdevicestate",
        "machineId": "866cfd8a-4d03-48e9-ba94-bb21a4bc2346",
        "link": "https://localhost/mgmt/shared/foo/bar/866cfd8a-4d03-48e9-ba94-bb21a4bc2346"
    },
    "isLsoShared": false,
    "deviceGroupReference": {
        "name": "resourceName",
        "kind": "shared:resolver:device-groups:devicegroupstate",
        "link": "https://localhost/mgmt/shared/foo/bar/866cfd8a-4d03-48e9-ba94-bb21a4bc2346"
    },
    "description": "Application configuration details.",
    "kind": "cm:access:working-config:apm:aaa:state",
    "selfLink": "https://localhost/mgmt/cm/access/working-config/apm/f0938680-57d5-377f-8c73-da4c2ce561ed"
}

Response

HTTP/1.1 200 OK
{
    "aclOrder": 1,
    "entries": [{
        "action": "admin",
        "srcStartPort": 0,
        "srcEndPort": 0,
        "dstStartPort": 0,
        "dstEndPort": 0,
        "dstSubnet": "0.0.0.0/0",
        "srcSubnet": "0.0.0.0/0",
        "host": "admin",
        "log": "none",
        "paths": "*",
        "protocol": 0,
        "scheme": "any"
    }],
    "pathMatchCase": "true",
    "type": "static",
    "name": "foo",
    "partition": "Common",
    "subPath": "/folder",
    "id": "8f1fcb69-1f3c-3c0d-812e-af4fdde0ac11",
    "lsoDeviceReference": {
        "id": "866cfd8a-4d03-48e9-ba94-bb21a4bc2346",
        "name": "bigip.foo.com",
        "kind": "shared:resolver:device-groups:restdeviceresolverdevicestate",
        "machineId": "866cfd8a-4d03-48e9-ba94-bb21a4bc2346",
        "link": "https://localhost/mgmt/shared/foo/bar/866cfd8a-4d03-48e9-ba94-bb21a4bc2346"
    },
    "isLsoShared": false,
    "deviceGroupReference": {
        "name": "resourceName",
        "kind": "shared:resolver:device-groups:devicegroupstate",
        "link": "https://localhost/mgmt/shared/foo/bar/866cfd8a-4d03-48e9-ba94-bb21a4bc2346"
    },
    "description": "Application configuration details.",
    "kind": "cm:access:working-config:apm:aaa:state",
    "selfLink": "https://localhost/mgmt/cm/access/working-config/apm/f0938680-57d5-377f-8c73-da4c2ce561ed"
}

Edit User Defined ACL

PATCH /mgmt/cm/access/working-config/apm/acl/<id>
{
    "aclOrder": 1,
    "entries": [{
        "action": "admin",
        "srcStartPort": 0,
        "srcEndPort": 0,
        "dstStartPort": 0,
        "dstEndPort": 0,
        "dstSubnet": "0.0.0.0/0",
        "srcSubnet": "0.0.0.0/0",
        "host": "admin",
        "log": "none",
        "paths": "*",
        "protocol": 0,
        "scheme": "any"
    }],
    "pathMatchCase": "true",
    "type": "static",
    "isLsoShared": false,
    "description": "Application configuration details."
}

Response

HTTP/1.1 200 OK
{
    "aclOrder": 1,
    "entries": [{
        "action": "admin",
        "srcStartPort": 0,
        "srcEndPort": 0,
        "dstStartPort": 0,
        "dstEndPort": 0,
        "dstSubnet": "0.0.0.0/0",
        "srcSubnet": "0.0.0.0/0",
        "host": "admin",
        "log": "none",
        "paths": "*",
        "protocol": 0,
        "scheme": "any"
    }],
    "pathMatchCase": "true",
    "type": "static",
    "name": "foo",
    "partition": "Common",
    "subPath": "/folder",
    "id": "8f1fcb69-1f3c-3c0d-812e-af4fdde0ac11",
    "lsoDeviceReference": {
        "id": "866cfd8a-4d03-48e9-ba94-bb21a4bc2346",
        "name": "bigip.foo.com",
        "kind": "shared:resolver:device-groups:restdeviceresolverdevicestate",
        "machineId": "866cfd8a-4d03-48e9-ba94-bb21a4bc2346",
        "link": "https://localhost/mgmt/shared/foo/bar/866cfd8a-4d03-48e9-ba94-bb21a4bc2346"
    },
    "isLsoShared": false,
    "deviceGroupReference": {
        "name": "resourceName",
        "kind": "shared:resolver:device-groups:devicegroupstate",
        "link": "https://localhost/mgmt/shared/foo/bar/866cfd8a-4d03-48e9-ba94-bb21a4bc2346"
    },
    "description": "Application configuration details.",
    "kind": "cm:access:working-config:apm:aaa:state",
    "selfLink": "https://localhost/mgmt/cm/access/working-config/apm/f0938680-57d5-377f-8c73-da4c2ce561ed"
}

Delete User Defined ACL

DELETE /mgmt/cm/access/working-config/apm/acl/<id>

Response

HTTP/1.1 200 OK
{
    "aclOrder": 1,
    "entries": [{
        "action": "admin",
        "srcStartPort": 0,
        "srcEndPort": 0,
        "dstStartPort": 0,
        "dstEndPort": 0,
        "dstSubnet": "0.0.0.0/0",
        "srcSubnet": "0.0.0.0/0",
        "host": "admin",
        "log": "none",
        "paths": "*",
        "protocol": 0,
        "scheme": "any"
    }],
    "pathMatchCase": "true",
    "type": "static",
    "name": "foo",
    "partition": "Common",
    "subPath": "/folder",
    "id": "8f1fcb69-1f3c-3c0d-812e-af4fdde0ac11",
    "lsoDeviceReference": {
        "id": "866cfd8a-4d03-48e9-ba94-bb21a4bc2346",
        "name": "bigip.foo.com",
        "kind": "shared:resolver:device-groups:restdeviceresolverdevicestate",
        "machineId": "866cfd8a-4d03-48e9-ba94-bb21a4bc2346",
        "link": "https://localhost/mgmt/shared/foo/bar/866cfd8a-4d03-48e9-ba94-bb21a4bc2346"
    },
    "isLsoShared": false,
    "deviceGroupReference": {
        "name": "resourceName",
        "kind": "shared:resolver:device-groups:devicegroupstate",
        "link": "https://localhost/mgmt/shared/foo/bar/866cfd8a-4d03-48e9-ba94-bb21a4bc2346"
    },
    "description": "Application configuration details.",
    "kind": "cm:access:working-config:apm:aaa:state",
    "selfLink": "https://localhost/mgmt/cm/access/working-config/apm/f0938680-57d5-377f-8c73-da4c2ce561ed"
}