Learn F5 Technologies, Get Answers & Share Community Solutions Join DevCentral

Filter by:
  • Solution
  • Technology

rest calls not allowed by other-than-admin

With Firefox, I can successfully pull virtual information (user = admin):


However, with a user that is assigned the role 'Resource Administrator' it is denied.

Also, when I look at the user in the GUI, there are never any Failed Logins recorded.

I have written many c# programs for users with less-than-admin roles, with no problems.

What am I missing?

Rate this Question

Answers to this Question


It is possible to use a non administrator user to access iControl REST. It does require a bit of setting up to get it working.

K84925527: Overview of iControl permissions

First you must create your user,
Here I create the guest user as 'notadmin' with password 'notadminpw'

(tmos)# create auth user notadmin partition-access add { all-partitions { role guest } } shell tmsh password notadminpw

Next you must find the selflink value for the user you have created (assuming your admin ID is 'admin' and password is 'secret'.)

curl -s -k -u admin:secret https://localhost/mgmt/shared/authz/users | jq .

you will see the output which will appear similar to this below..

  "items": [
      "name": "notadmin",
      "displayName": "notadmin",
      "encryptedPassword": "$6$Randomized_Characters_Of_Password",
      "generation": 1,
      "lastUpdateMicros": 1519056227960605,
      "kind": "shared:authz:users:usersworkerstate",
      "selfLink": "https://localhost/mgmt/shared/authz/users/notadmin"
  "generation": 11,
  "kind": "shared:authz:users:userscollectionstate",
  "lastUpdateMicros": 1519056227962971,
  "selfLink": "https://localhost/mgmt/shared/authz/users"

Locate the value for 'selfLink' for the user notadmin, here is is shown as


The next command will alter that userID so that it can be used for iControl REST, ensure that you set the 'link' value to be the same as the 'selfLink' value extracted in the step above.

# curl -s -k -u admin:secret --request PATCH --data '{"userReferences":[{"link":"https://localhost/mgmt/shared/authz/users/notadmin"}]}' https://localhost/mgmt/shared/authz/roles/iControl_REST_API_User | jq .

This will produce a lot of output.

After this command you can then issue iControl REST command using your non-admin user id 'notadmin'

# curl -s -k -u notadmin:notadminpw https://localhost/mgmt/tm/ltm/virtual | jq .

I hope this is helpful - obviously you want to create a user with Resource Administrator role.

Comments on this Answer
Comment made 11-Jun-2018 by Shann_P 358

If you are running an Active/Standby pair, will this need to be done on both boxes manually or will it recognize the config change and require you to sync?

Comment made 14-Jun-2018 by OTS02 596

Thank you S Blakely. I performed this on an LTM, and I believe it worked. I tried it on a GTM, and got '-bash: jq: command not found'.

Comment made 14-Jun-2018 by OTS02 596

Thank you Shann_P. We are HA, so I will need to perform this on all appliances.

Comment made 14-Jun-2018 by S Blakely

I tried it on a GTM, and got '-bash: jq: command not found'.

What version of BigIP is your GTM?

Comment made 14-Jun-2018 by OTS02 596

BIG-IP 11.6.1 Build 2.0.338 Hotfix HF2

Comment made 14-Jun-2018 by S Blakely

Yeah, jq isn't available there. You can do it without jq, but the output is messier and harder to read.

Comment made 14-Jun-2018 by S Blakely

And you do need to link the REST role to the used on each member of the HA pair - the user will sync across, but not the REST roles.

Comment made 17-Jun-2018 by tatmotiv 1021

You can use | python -mjson.tool instead of | jq in order to get the json output into more human-readable form.

Comment made 18-Jun-2018 by S Blakely


That still does not work on 11.6.x or earlier

Comment made 19-Jun-2018 by Thiyagu 185

Hello All, I'm also facing the same issue and this solution is working when I don't have any special characters in the password string.

Could you please help me to know how to fix the issue if there are special characters in the password string.

Regards, Thiyagu

Comment made 19-Jun-2018 by S Blakely

What special characters are you using?

Comment made 20-Jun-2018 by Kevin Davies 3014

After playing with this I am getting the impression you can define your own custom roles and add a set of permissions such as GET /mgmt/tm/ltm/virtual/* Is that correct?

Comment made 21-Jun-2018 by Thiyagu 185

Hi' I tested with the character ">"

Could you please check once by using this character?

Regards, Thiyagu

Comment made 21-Jun-2018 by S Blakely

That > is a special character in bash - you probably need to escape it with "\" on the command line:


However, be very careful about using special characters - I'd go with longer passwords using only alphanumerics to avoid the risk of an incompatibility