Learn F5 Technologies, Get Answers & Share Community Solutions Join DevCentral

Filter by:
  • Solution
  • Technology

rest calls not allowed by other-than-admin

With Firefox, I can successfully pull virtual information (user = admin):


However, with a user that is assigned the role 'Resource Administrator' it is denied.

Also, when I look at the user in the GUI, there are never any Failed Logins recorded.

I have written many c# programs for users with less-than-admin roles, with no problems.

What am I missing?

Rate this Question

Answers to this Question


It is possible to use a non administrator user to access iControl REST. It does require a bit of setting up to get it working.

K84925527: Overview of iControl permissions

First you must create your user,
Here I create the guest user as 'notadmin' with password 'notadminpw'

(tmos)# create auth user notadmin partition-access add { all-partitions { role guest } } shell tmsh password notadminpw

Next you must find the selflink value for the user you have created (assuming your admin ID is 'admin' and password is 'secret'.)

curl -s -k -u admin:secret https://localhost/mgmt/shared/authz/users | jq .

you will see the output which will appear similar to this below..

  "items": [
      "name": "notadmin",
      "displayName": "notadmin",
      "encryptedPassword": "$6$Randomized_Characters_Of_Password",
      "generation": 1,
      "lastUpdateMicros": 1519056227960605,
      "kind": "shared:authz:users:usersworkerstate",
      "selfLink": "https://localhost/mgmt/shared/authz/users/notadmin"
  "generation": 11,
  "kind": "shared:authz:users:userscollectionstate",
  "lastUpdateMicros": 1519056227962971,
  "selfLink": "https://localhost/mgmt/shared/authz/users"

Locate the value for 'selfLink' for the user notadmin, here is is shown as


The next command will alter that userID so that it can be used for iControl REST, ensure that you set the 'link' value to be the same as the 'selfLink' value extracted in the step above.

# curl -s -k -u admin:secret --request PATCH --data '{"userReferences":[{"link":"https://localhost/mgmt/shared/authz/users/notadmin"}]}' https://localhost/mgmt/shared/authz/roles/iControl_REST_API_User | jq .

This will produce a lot of output.

After this command you can then issue iControl REST command using your non-admin user id 'notadmin'

# curl -s -k -u notadmin:notadminpw https://localhost/mgmt/tm/ltm/virtual | jq .

I hope this is helpful - obviously you want to create a user with Resource Administrator role.

Comments on this Answer
Comment made 1 week ago by Shann_P 353

If you are running an Active/Standby pair, will this need to be done on both boxes manually or will it recognize the config change and require you to sync?

Comment made 4 days ago by OTS02 595

Thank you S Blakely. I performed this on an LTM, and I believe it worked. I tried it on a GTM, and got '-bash: jq: command not found'.

Comment made 4 days ago by OTS02 595

Thank you Shann_P. We are HA, so I will need to perform this on all appliances.

Comment made 4 days ago by S Blakely

I tried it on a GTM, and got '-bash: jq: command not found'.

What version of BigIP is your GTM?

Comment made 4 days ago by OTS02 595

BIG-IP 11.6.1 Build 2.0.338 Hotfix HF2

Comment made 4 days ago by S Blakely

Yeah, jq isn't available there. You can do it without jq, but the output is messier and harder to read.

Comment made 4 days ago by S Blakely

And you do need to link the REST role to the used on each member of the HA pair - the user will sync across, but not the REST roles.

Comment made 1 day ago by tatmotiv 947

You can use | python -mjson.tool instead of | jq in order to get the json output into more human-readable form.

Comment made 14 hours ago by S Blakely


That still does not work on 11.6.x or earlier