25 October 2012

F5 BIG-IP LTM User delegation Part III - Users and Roles

To be able to delegate control over certain portions of your BIG-IP LTM environment you need to create additional users and additional partitions.  Part I of this series covered how to configure your BIG-IP to query Active Directory.  Part II covered how to create additional administrative partitions and create object inside those.

Before proceeding with this article check out the preceding articles on the topic
http://fixmyitsystem.com/2012/10/f5-big-ip-ltm-user-delegation-part-i-ad.html
http://fixmyitsystem.com/2012/10/f5-big-ip-ltm-user-delegation-part-ii.html

BIG-IP has two kinds of user accounts. The admin accounts that was originally configured with the setup utility.  These accounts are root and admin.

The second type of accounts are "other accounts."  These are setup and configured in the GUI.  Other users can also be either local or remote.  We will cover using remote users from Active Directory.

Step 1 Identify which User Roles

There are various user roles and they have various different rights to perform specified functions.  The diffrerent user roles are as follows:

  • Administrator
  • Resource Administrator
  • User Manager
  • Manager
  • Certificate Manager
  • iRule Manager
  • Application Editor
  • Acceleration Policy Editor
  • Web Application Security Administrator
  • Web Application Security Editor
  • Operator
  • Auditor
  • Guest
  • No Access

In large deployments all of these can come in handy, but in smaller deployment you would probably only use a few of these such as Administrator, Application Editor and Operator.  Keeping a consistent  limited user role allocation across partitions will keep administration simple and straight forward.

A User account can therefore be assigned a user role but they are also assigned an administrative partition.  The combination of these provides a very granular level of access control.

For a a detailed list of the different user roles and what the permissions are check out http://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/tmos-concepts-11-2-0/tmos_users.html#1006923

Step 2 Identify Active Directory Groups

When we assign a user account or group to a role and a partition there is a limitation.  A single active directory users can only be assigned one role and one partition.  If a users needs access to multiple partition you would have to grant him universal access (the All partitions)  the user role that the user is assigned would then apply to all the partitions. 

Using the line order field can assit with this but more on that later.

Step 3 LDAP strings

As in Part I of this series you will need to get the correct LDAP string for each active directory group you want to use.


  • Open ADSI edit
  • Connect to your domain
  • Browse the directory structure till you find the right group (or user)
  • Open the properites and find and copy the distinguishedName  field
  • Paste this into notepad
  • Prefix the string with memberOF= 


Your string you now look something like this:
memberOF=CN=WebOperators,OU=Security Groups,OU=EnterpriseConfiguration,DC=mycomapny,DC=co,DC=za


Step 4   Assign remote Role Groups

The following will work correctly if the User Authentication is set up as detailed in Part I 

Open the BIG-IP management GUI
Select System - Users - Remote Role Group
Click Create
Group name:  Specify a relevant name 
Line order:  1000
Attribute string: (Your LDAP string from notepad)
Remote Access: Enabled
Assigned Role: Pick relevant role
Partition Access: Pick relevant partition or "All"
Terminal Access: Disabled



Line order refers to the line in the local file being read by Active Directory, the recommendation is to start at line 1000 and use a new line for every group.  The lines are read one by one so if a user belongs to two groups that are listed the group that has a lower line value will be used.


Step 5 Testing

Using a user that you have configured as a non administrative account that belongs to a specified partition is the easiest way to test.


  • Open the BIG-IP GUI
  • Log in using the domain credentials (no need to specify the domain)
  • Once logged on there will be a few indicators showing the users access.



When looking at a list of nodes you will still see all the nodes form the common partition but not the ones form other partitions.  The operator will also only have read access to the common partition objects.



Conclusion
After following the series you should now have all the understanding and building blocks to effectively partition resources and allocate the correct users the correct level of access.

1 comment:

Anonymous said...

Part 1,2 & 3 are EXCELLENT explanation. Well done Etienne

Post a Comment