25 October 2012

F5 BIG-IP LTM User delegation Part II - Administrative Partitions

To be able to delegate control over certain portions of your BIG-IP LTM environment, you need to create additional users and additional partitions. Part I of this series covered how to configure your BIG-IP to query Active Directory.


The logical units into which you can break up the administrative boundaries are called administrative partitions.  By default everything will belong to the Common partition.  When assigning users you will be able to bind them to a partition.

Note: Every item that belongs to the Common partition will be visible to all users, regardless of the user's assigned partition.

Step 1 Plan Partitions

Partitions are very useful boundaries, but they are not very flexible. If an object is created in a partition, it cannot be moved to another. In the same way, existing objects cannot be "added" to a new partition.
Non-administrative users will also only be able to access a single partition. If a user needs access to more than one partition, that user would have to be escalated to have access to all partitions. Resources cannot generally be shared across partitions. A resource also cannot exist in two partitions at the same time.

Because of these limitations it pays to think things through and come up with a sustainable partition strategy.

Step 2 Create Partitions

You will notice that there really is not much to configuring a partition.

  • From the Main screen select System - Users - Partition List +
  • Specify a name 
  • Add a description 
  • Click finish

One thing to note is that when doing this you are in the Common partition.

Step 3 Create objects in the Partitions

The only way to get objects in and out of partitions is to create them and delete them while the partition is selected. As an administrator you would have access to all the partitions.

  • Once logged onto the BIG-IP select the relevant partition (top right)

  • Select Local Traffic
  • Nodes - Node List
  • Create a new node

If you look at the node list, you should now see that the new node has been assigned to the new partition.
You will also see nodes that belong to the Common partition.
If you change the partition you have selected to All, you will see all the objects.

  • Select the relevant partition
  • Select Local Traffic
  • Pools - Pool List
  • Create a new pool

When adding members from the node list, you should again only see nodes from the Common and specified partitions.
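The visibility rules from the steps above, as an added planning check that is not part of the original post. It assumes objects are named by full path (`/<partition>/<name>`, as BIG-IP v11 and later display them); the pool inventory, partition names and function names are constructed for illustration.

```python
# Planning check for BIG-IP administrative partitions (added example).
# Assumes full-path names "/<partition>/<name>"; the inventory is constructed.
COMMON = "Common"

# Constructed inventory: pool full path -> member node full paths.
POOLS = {
    "/Common/shared_dns_pool": ["/Common/dns01", "/Common/dns02"],
    "/TeamA/web_pool": ["/TeamA/web01", "/Common/dns01"],
    "/TeamB/api_pool": ["/TeamB/api01", "/TeamA/web01"],  # planning mistake
}


def partition_of(full_path):
    """Return the partition (first path component) of a full-path name."""
    parts = full_path.strip("/").split("/")
    if len(parts) < 2:
        raise ValueError(f"not a full path: {full_path!r}")
    return parts[0]


def visible_to(user_partition, paths):
    """Objects a partition-bound user sees: own partition plus Common."""
    if user_partition == "All":  # user escalated to all partitions
        return sorted(paths)
    allowed = {COMMON, user_partition}
    return sorted(p for p in paths if partition_of(p) in allowed)


def unreachable_members(pools):
    """Pool members outside the pool's own partition and Common.

    Such a node would not appear in the member list, so the plan needs
    the node created in the pool's partition or in Common instead.
    """
    findings = []
    for pool, members in sorted(pools.items()):
        allowed = {COMMON, partition_of(pool)}
        findings += [(pool, n) for n in members if partition_of(n) not in allowed]
    return findings


def exposed_in_common(pools):
    """Everything placed in Common, which every delegated user can see."""
    paths = set(pools) | {n for ms in pools.values() for n in ms}
    return sorted(p for p in paths if partition_of(p) == COMMON)


if __name__ == "__main__":
    print("visible to all users:", exposed_in_common(POOLS))
    print("members to re-plan:", unreachable_members(POOLS))
```

Running it against a planned layout before creating anything shows which objects every delegated user will see and which pool memberships the partition boundaries will not allow.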

Now that you have a few partitions and a few objects in these you can start giving users access to these.

For authorising users, check out Part III: http://fixmyitsystem.com/2012/10/f5-big-ip-ltm-user-delegation-part-iii.html

For more reading on administrative partitions check the F5 Manual
