VuongLe76_31178
May 09, 2017

Limited rights for user API

How can I limit the rights of a user that is used for the API? I want the API user to be able to access only: / --> GET /* --> GET,PATCH //* --> GET, PATCH, DELETE. When I create a new user via tmsh or the GUI, the minimum rights are Guest (a role must be added: Admin, Guest, Firewall Manager, ...), so the user can view the config in the GUI (I don't want that). Can I create a user that can access only /mgmt/*, not /tmui/? I have created a new iREST_Policy but I don't know how to remove the user from the Guest user-group. Can I create a new role that isn't in any user-group?

Thanks in advance!

2 Replies

  • I don't think that is possible, at least using F5 configuration.

    iControl REST is a layer on top of tmsh. You can't do that with tmsh; I assume it is not possible with REST.

    You can play with the Apache configuration and limit that there. However, most likely F5 will not support you if you have problems with that change.


  • Yes, you can do it exclusively through the REST API. Here is an example of iControl role creation.

    POST https://192.168.142.17/mgmt/shared/authz/roles/
    {
      "name": "my_icontrol_group",
      "userReferences": [
        {
          "link": "https://localhost/mgmt/shared/authz/users/my_rest_user"
        }
      ],
      "resources": [
        {
          "resourceMask": "/mgmt/tm/ltm/pool/~Common~pool_turnkey/members",
          "restMethod": "GET"
        },
        {
          "resourceMask": "/mgmt/tm/ltm/pool/~Common~pool_turnkey/members/*",
          "restMethod": "PUT"
        },
        {
          "resourceMask": "/mgmt/tm/ltm/pool/~Common~pool_turnkey/members/*",
          "restMethod": "PATCH"
        }
      ]
    }
    
    • Where my_icontrol_group is the name of the role.
    • User references point to a group of users or, here, a single user (or a list of users).
    • Resources define which URIs in the API are available with which method.
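
The role body from the reply above can be generated from a compact grant table and reviewed locally before it is POSTed; this is an added example, not code from the thread or from F5. The helper names (`build_role`, `is_allowed`), the `/mgmt/` prefix check, the sample member name and the wildcard semantics in `is_allowed` are assumptions made here.

```python
import json
from fnmatch import fnmatchcase

USERS_BASE = "https://localhost/mgmt/shared/authz/users/"  # link prefix as in the post

def build_role(name, users, grants):
    """Build the JSON body for POST /mgmt/shared/authz/roles/.

    grants maps a resourceMask to the methods allowed on it; the result has
    one "resources" entry per (mask, method) pair, as in the post's example.
    """
    for mask, methods in grants.items():
        if not mask.startswith("/mgmt/"):   # keep every grant inside the REST tree
            raise ValueError(f"mask outside the REST API tree: {mask}")
        if not methods:
            raise ValueError(f"no methods listed for {mask}")
    return {
        "name": name,
        "userReferences": [{"link": USERS_BASE + u} for u in users],
        "resources": [
            {"resourceMask": mask, "restMethod": method.upper()}
            for mask, methods in grants.items()
            for method in methods
        ],
    }

def is_allowed(role, method, path):
    """Local review aid only. ASSUMPTION: '*' in a mask matches any run of
    characters; the device's own matching is authoritative."""
    return any(
        r["restMethod"] == method.upper() and fnmatchcase(path, r["resourceMask"])
        for r in role["resources"]
    )

MEMBERS = "/mgmt/tm/ltm/pool/~Common~pool_turnkey/members"
MEMBER = MEMBERS + "/~Common~10.0.0.1:80"   # constructed sample member name
ROLE = build_role(
    "my_icontrol_group",
    ["my_rest_user"],
    {MEMBERS: ["GET"], MEMBERS + "/*": ["PUT", "PATCH"]},
)

if __name__ == "__main__":
    print(json.dumps(ROLE, indent=2))       # body to send as the POST payload
    for method, path in [("GET", MEMBERS), ("PATCH", MEMBER),
                         ("DELETE", MEMBER), ("GET", "/mgmt/tm/sys/config")]:
        verdict = "allow" if is_allowed(ROLE, method, path) else "deny"
        print(f"{method:6} {path} -> {verdict}")
```

Running the review loop over the requests the API client actually needs, plus a few it must not be able to make, shows whether the grant table is as narrow as intended before the role exists on the device.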