Nimbostratus
Is it possible to set operator permissions to the icontrol api user on the F5 bigip?
I just want that icontrol requests are able only to enable or disable pool members.
thanx for help
bb
Cirrostratus
iControl authentication and authorization is done based on the user account specified in the iControl calls. If you prevent someone from getting the admin credentials they wouldn't be able to use admin functionality via iControl. If you give someone the admin credentials they'd be able to make admin level changes via the GUI and/or iControl.
Aaron
Nimbostratus
Many thanx for your fast answer.
Okay so iControl uses normal system permission based concept.
thanx a lot
bb
Nimbostratus
I have a further question.
We plan to use icontrol interface to stear pool member inactivation/activation via Microsoft's WFF (Web Farm Framework). The iControl api runs for example on a web server with IIS installed.
How do I configure API access to a floating self-ip address?
As far as I see it's only possible to access the bigip via 443 on a dedicated self-ip but not on a floating one.
This means if someone wants to disable a pool member via icontrol he needs to know first, which bigip cluster member is the active one.
Does that mean that the api developer needs to ask first which LTM is the active one?
Many thanx for your help
bb
Cirrostratus
You can enable port 443 in port lockdown on a floating self IP address and access the GUI and iControl API on the active unit without knowing which unit is active.
Aaron
Nimbostratus
We configured user login via radius. Now, the problem is when I login with a radius user which has attributes set for a specific partition and operational permission then the user gets in via web interface correctly but via iControl the user stays in the common partition after sucessfull login.
Does iControl login ignore radius assigned attributes?
Kind regards
bb
-Joe
