I have a client that wants to co-manage the F5. Their intent is to be able to add/remove VIPs, pools, members, iRules and monitors.
The question that I have is this: is there a way that this partition can be done to ensure that there is nothing that the client can do as a co-manager of the F5 that would affect the other clients on the device?
The client has suggested a container-type access, but I think that if they were to create a script and/or iRule that pointed to something outside their partition, and it was wrong, it would affect the whole network.
Need some advice.
Following are a few links about partitions on the BIG-IP. They give details about object access across partitions.
I would avoid giving admin rights to people who do not really understand how these devices work. A rogue "para-admin" could do things that will ruin the performance of the whole box easily. Also there is no locking to prevent administrative tasks from being carried out simultaneously. And just think how you can manage backing up of the conf in such a situation and know what has changed?
Partitions are also a pain to deal with in general. If the client wants to manage the F5, get them a VE edition and give them access.
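Added example, not part of the original thread: one way to check for the concern raised in the question, an iRule or other object in a client's partition that names something in another client's partition. It scans configuration text for `/partition/name` paths; the sample config, partition names and function name are constructed for illustration.

```python
import re

# Constructed sample in the style of a BIG-IP text config; all names are hypothetical.
SAMPLE_CONFIG = """\
ltm pool /ClientA/pool_web {
    members { /ClientA/10.0.1.10:80 { address 10.0.1.10 } }
    monitor /Common/http
}
ltm rule /ClientA/rule_route {
    when HTTP_REQUEST {
        if { [HTTP::uri] starts_with "/api" } {
            pool /ClientB/pool_api
        } else {
            pool /ClientA/pool_web
        }
    }
}
ltm virtual /ClientA/vs_web {
    pool /ClientA/pool_web
    rules { /ClientA/rule_route }
}
"""
KNOWN_PARTITIONS = {"Common", "ClientA", "ClientB"}  # assumed inventory of partitions

# A literal object path: /<partition>/<object name>
PATH_RE = re.compile(r"(?<![\w/])/([\w.-]+)/([\w.:%-]+)")
# An unindented "<module> <type> /<partition>/<name> {" line opens a new object
HEADER_RE = re.compile(r"^(\w[\w -]*?) (/[\w.-]+/[\w.:%-]+) \{\s*$")


def cross_partition_refs(config_text, partition, known, shared=("Common",)):
    """Return (line number, enclosing object, referenced path) for each literal
    path that belongs to a known partition other than `partition` or `shared`."""
    findings = []
    current = None
    for lineno, line in enumerate(config_text.splitlines(), 1):
        header = HEADER_RE.match(line)
        if header:
            current = header.group(2)
        for match in PATH_RE.finditer(line):
            owner = match.group(1)
            # Only segments that are known partitions count, so URI strings
            # and filesystem paths inside iRules are not reported.
            if owner in known and owner != partition and owner not in shared:
                findings.append((lineno, current, match.group(0)))
    return findings


if __name__ == "__main__":
    for hit in cross_partition_refs(SAMPLE_CONFIG, "ClientA", KNOWN_PARTITIONS):
        print(hit)
```

A text scan like this only sees literal paths; an iRule that builds a pool name in a Tcl variable at run time will not show up, so it supplements review of client changes and does not replace it.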