Forum Discussion

ST_Wong
Jan 12, 2018

Privilege for operator on LTM

Hi, is it possible to create a role for operators so that they can do particular task only, e.g. add/remove iRules to/from a virtual server ? Seems no existing role is available for this purpose. We're using TMOS 12.1.3.


Thanks a lot. Regards /ST Wong


8 Replies

  • WithF5

    Unfortunately no... but what you can do is a bash script that accesses the F5, lists the VSs and iRules and gives the user the option to add, remove and so on... It could be a little bit tricky, but it is a solution.


  • As you know, the operator role's change functionality is limited to node and pool member objects alone. In order to touch an iRule and assign it to a VS, one may require the manager role or anything higher.


  • Thanks for your help. Will the bash script that runs on the F5 have the user's effective user id? It seems sudo is not available on LTM. Did I miss anything?


    Thanks again. Best Rgds


  • I doubt that's possible... The operator role cannot have bash assigned. Bash is just for administrators. An operator can have tmsh alone.


  • Thanks for all your help.


    How about creating a dummy (null) iRule and assigning it to the virtual server in advance, then asking an operator with the iRule Manager role to update the iRule when necessary?


    Thanks again. Best Rgds


  • I'm confused by your statement; a user can be assigned just one role, as far as I understand. How can you assign an operator user who has the operator role to also have the iRule Manager role?


    Maybe TACACS role groups can give 2 roles??? I haven't tested it.


    BTW, why not give the other (manager) role?


  • Sorry for causing the confusion. Right, we'll have to create another account with the iRules Manager role for our operators, who also own accounts with the operator role.


  • Yes, that would work, but as you know, an iRule Manager can just create/modify/delete iRules; he cannot map them to a VS. So that would mean you would be required to have some dummy iRules created already on the VS. But this is really going to be a concerning one if it goes into production setups, because this may mess up a bigger iRule logic.


    If your intention is to restrict users to one particular application alone, you can go with a 3rd-party vendor who manages F5 devices.
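The placeholder-iRule workaround discussed above, written out as an added example (not from any reply in this thread) of the tmsh commands an administrator would run on TMOS 12.1.x; the names vs_app, placeholder_rule and ops_irule, and the password, are assumed placeholders.

```tmsh
# Added example, not from the thread. Run from the tmsh prompt as an administrator.
# Assumed names: vs_app (existing virtual server), placeholder_rule, ops_irule.

# 1. Create an iRule with an empty event body and attach it to the virtual server
#    in advance, so the iRule Manager account only ever has to edit its contents.
create ltm rule placeholder_rule { when HTTP_REQUEST { } }
modify ltm virtual vs_app rules { placeholder_rule }

# 2. Create the separate account that carries only the iRule Manager role.
#    The shell is tmsh, since bash is only available to administrator-level roles.
#    Replace CHANGEME with a real password before running this.
create auth user ops_irule password CHANGEME partition-access add { all-partitions { role irule-manager } } shell tmsh

# 3. Check the result before handing the account over: the role, the shell and
#    exactly which rules are now bound to the virtual server.
list auth user ops_irule
list ltm virtual vs_app rules

save sys config
```

Because the iRule Manager account can rewrite the entire body of placeholder_rule, keep that rule dedicated to this account's task rather than sharing it with other production iRule logic, as the last reply cautions.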