Forum Discussion

daremigio_19877
Sep 07, 2015

Can I assign multiple Roles in a Remote Role Group when integrating Active Directory with BIG-IP?

Hi All,

I'm integrating the Active Directory with the BIG-IP system (11.6.0 HF5) in order to use it as a remote authentication to manage the BIG-IP box. However, our client has a requirement of assigning multiple roles for a single user. For example, the user jsmith should have the roles of a Certificate Manager, User Manager, And Auditor. Is it possible to assign multiple user roles for a single user/remote role group in BIG-IP?

Also, can BIG-IP local authentication co-exist with Active Directory authentication?

I hope someone can help me with this implementation. Thank you!

4 Replies

  • Hi,

    You can only have one role for a user in the remote role groups. Your best bet is to give the user the role that covers the abilities they need to perform without giving them extra. You could also create multiple accounts per user (e.g. user1_cert, user1_user, user1_audit) and then they can log in with the user they need to perform their duties.

    When you set up remote auth, the only 2 users that will still auth locally are root (CLI) and admin (GUI). All other users will be sent to the remote auth for authentication.

    Seth

  • Hi Seth,

    Thank you for the information. However, our client's AD administrator doesn't allow multiple usernames for a single user, and therefore the suggestion of creating multiple usernames for a single user is not possible. Also, the only user role that will be able to do user management, certificate management and audit at the same time is an Administrator role. But the Administrator role can also create VS, Pool, VLANs, etc., and our client doesn't want that user (ex: jsmith) to also be able to create VS, Pool, VLANs, etc. -_-

    So I guess there is no other workaround for this kind of authentication requirement?

    • Seth_Cooper
      Your best bet is to open a case with support and ask to be attached to RFE ID 382849. This enhancement is to allow a more granular way to provision admin privileges. Currently the only workaround I know for this is to have multiple accounts for one user.
    • daremigio_19877
      Thank you Seth. Just a follow-up question: you said that the only 2 users that can log in locally are root (CLI) and admin (GUI). Does it include local users with an Administrator role?