Forum Discussion

JRahm (Admin)
Sep 24, 2014

APM, Users, Remote Role Groups and Partitions

Asking on behalf of a user having trouble posting...


Is there a way to grant an AD user in an AD group the rights to do APM-specific things like manage sessions, without giving full administrative access to everything else in the BIG-IP? I've already set up the application in its own partition, anticipating that this would allow me to grant user rights to it. I have a working group for view-only access and one with Operator access for bringing pool members down.


However, when I try to set up a remote role group to have access to the partition I've created, one of two things happens. Either a role like "manager" doesn't have access to see things within APM, or I set them higher to something like "resource administrator" and, even though the F5 lets me select the specific partition I want, when I click Update it reverts back to Partition Access: All. There is no indication of an error, so I assume it's a limitation baked into the code somewhere.


Is there no way to make someone an admin (or at least be able to manage APM within a specific partition) without giving them full rights on the whole config?


2 Replies

  • Yes. Try putting them in the "operator" role. I just used that today and it seems like an almost perfect role for a help desk or similar person to use to manage APM. It allows you to go to the manage sessions area and view and delete sessions. It also allows you to view the "All Sessions" report, click on a session ID number and see all the log messages that were recorded during that session, which is really useful for troubleshooting. They can also view the visual policy editor in read-only mode. Those three things are probably almost everything a Tier 1 type of user needs.


    Things they can't do as an operator: it seems they can't view APM session variables in memory. Also, the policy is read-only; they can't change it (that's probably what you want, though, if they aren't a trained admin). I also don't think they can change underlying object configurations like AAA servers, though they should be able to read them. On the LTM side, the operator role also lets them do things like enable and disable nodes and pool members, though they can't really create, change, or delete objects.
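As an added example (not part of this thread, and not F5's own documentation), here is a small POSIX shell script that builds the tmsh command mapping an AD group to the "operator" role scoped to a single partition, which is the arrangement the reply above recommends, and then checks that the created entry kept its partition rather than reverting to "All" as the question describes for higher roles. The group DN (CN=APM-Helpdesk,...), the partition name AppPartition, the remote-role name apm_helpdesk and the line-order value are placeholders I chose; the tmsh syntax used is `create auth remote-role role-info` with the `attribute`, `line-order`, `role` and `user-partition` properties, and the `tmsh list` output format assumed in the check is `user-partition <name>`.

```shell
#!/bin/sh
# Added example (not from the thread): map an AD group to the BIG-IP
# "operator" role restricted to one partition via a remote role group.
# Placeholders (assumed, not from the page): group DN, partition name,
# remote-role name, line-order. tmsh is only invoked if it is installed.

# remote_role_cmd NAME GROUP_DN ROLE PARTITION LINE_ORDER
# Prints the tmsh command that creates one remote role group entry.
# "attribute" is the attribute=value pair the remote auth server returns
# for the user; for AD group membership that is memberOf=<group DN>.
remote_role_cmd() {
    name=$1; group_dn=$2; role=$3; partition=$4; order=$5
    printf 'tmsh create auth remote-role role-info %s { attribute "memberOf=%s" line-order %s role %s user-partition %s }\n' \
        "$name" "$group_dn" "$order" "$role" "$partition"
}

# apply_if_tmsh CMD: run the command on a BIG-IP; elsewhere just show it.
apply_if_tmsh() {
    if command -v tmsh >/dev/null 2>&1; then
        eval "$1"
    else
        echo "tmsh not found; would run: $1"
    fi
}

# partition_scoped LIST_OUTPUT PARTITION
# Given the output of "tmsh list auth remote-role", returns 0 only if the
# entry still carries the requested partition. This is the check for the
# symptom in the question: a role that silently reverts to "All" would
# not show "user-partition AppPartition" here.
partition_scoped() {
    printf '%s\n' "$1" | grep -q "user-partition $2"
}

# Usage: least privilege for a help-desk group, as the reply suggests.
cmd=$(remote_role_cmd apm_helpdesk \
    "CN=APM-Helpdesk,OU=Groups,DC=example,DC=com" operator AppPartition 1)
apply_if_tmsh "$cmd"
```

After applying it on a real unit, run `tmsh list auth remote-role` and feed the output to `partition_scoped`; if the entry shows the partition you set, the role is scoped as intended, and if it does not, you have hit the same reversion the question reports for roles above operator.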