Forum Discussion

swo0sh_gt_13163
Nov 19, 2013

Role-based access to specific Unix-like commands?

Hello Folks,

Is there a way in BIG-IP where we can configure a user with specific command privileges rather than allowing all? For example, the user should be able to execute the "cat" command in order to view the BIG-IP configuration from the CLI, but that user should not have access to TMSH to modify anything in the BIG-IP configuration.

I know it's a limitation of the OS and not BIG-IP; however, I was wondering if there is any workaround to achieve this.

Cheers! Darshan

6 Replies

  • Hey,

    Thanks for the reply. How can I achieve this requirement using a User Role? If I am not wrong, I can only allocate Advanced Shell or TMSH access to users, rather than command-based control.

    Kindly correct me if this is not right.

    Cheers! Darshan

  • If you ensure you only allocate tmsh access and the most appropriate user role based on your requirements, perhaps this will suffice? There's no way to restrict access down to the command level really.

  • The ironic thing about this is that you could technically either create a non-admin user with rights to access the Linux shell, but no rights to access specific command line utilities, or mess with SELinux to restrict specific commands, except that the BIG-IP management plane wouldn't allow anyone less than an administrator to have Linux shell access. The better option, as Steve has stated, is to assign user roles and TMSH access. F5 has gone to great lengths to "wrap" useful shell commands into TMSH so that they can be used safely.

  • Suppose we assign a user role and TMSH access; does it mean the user would be able to run the "!/bin/bash" command and then run the "cat" command? Would this be read-only access?

  • I believe an administrative user would be the only type that can access Bash from within TMSH. All other roles with TMSH access would get the limited set of TMSH "wrapped" Bash commands.

  • There's also the Resource Administrator role, which has access to the advanced shell. Other roles can only run tmsh commands, so they can't run bash whichever way they try.
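Added example, not from the thread, showing the tmsh user settings the replies describe: the weak variant hands a user the advanced shell, the preferred one confines a read-only user to tmsh. The user name, the placeholder password and the choice of the guest role as the read-only role are assumptions of this example, not something the thread states.

```tmsh
# Weak setting: a user with "shell bash" lands in the Linux shell, where there
# is no command-level control at all. Per the replies above, BIG-IP only
# accepts this for Administrator and Resource Administrator accounts, so it
# is shown here only as the contrast case. (User name and password are
# constructed placeholders.)
create auth user ops_reader password REPLACE_ME shell bash partition-access add { all-partitions { role resource-admin } }

# Preferred: keep the user in tmsh with a read-only role. With "shell tmsh"
# the account gets no Linux shell, so "run util bash" is not available to it,
# and the guest role (assumed here as the read-only role) can view
# configuration with commands such as "list ltm virtual" but cannot modify
# or save it.
create auth user ops_reader password REPLACE_ME shell tmsh partition-access add { all-partitions { role guest } }

# If the account already exists, tighten it in place instead of recreating it.
modify auth user ops_reader shell tmsh partition-access replace-all-with { all-partitions { role guest } }

# Check what the account actually ended up with before handing it over.
list auth user ops_reader
```

Run as a privileged account from tmsh; the output of the final `list` should show `shell tmsh` and `role guest` for the user.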