Roles

Published April 5, 2023 | Last modified July 8, 2025

Overview

This guide provides an overview of Role-based Access Control (RBAC) for F5 Distributed Cloud Services and includes instructions for managing roles. RBAC helps define and enforce user permissions within the platform.

Refer to the Role-based Access Control Concepts section for a comprehensive understanding of RBAC terms and concepts.

Prerequisites

A valid F5 Console Account is required. If you do not have an account, see Getting Started with Console.

View Roles, Groups and API Groups

You can view predefined roles policy rules, groups and various API groups information in the F5® Distributed Cloud Console.

Step 1: Log into F5 Distributed Cloud Console, view in-built roles policies.
  • Open F5 Distributed Cloud Console homepage, select Administration box.
Figure: Homepage

Figure: Homepage

  • Select IAM in left column menu > select Roles.

  • Select > for any policy from the displayed list to view the policy information in JSON format.

Figure: Open Roles

Figure: Open Roles

Figure: In-built RBAC Policy Rules

Figure: In-built RBAC Policy Rules

Note: The api_groups field in the displayed information shows the API groups associated with the rule.

Step 2: View API Groups.

  • Select ... (ellipsis) icon, or the linked number under API Groups column to view or edit.

  • Select > for any group from the displayed list to view the group information in JSON format.

Figure: API Group Information

Figure: API Group Information

Note: The elements field in the displayed information shows the APIs associated with the group.

Step 3: View APIs Associated with API Group.

  • Select ... (ellipsis) icon in Actions column.

  • Select Edit.

Figure: API Group List

Figure: API Group List

  • Select Elements column linked number to view APIs in another window.
Figure: API Group List

Figure: API Group List

  • Review API Elements in this window for Path Ranges.
Figure: API Group Elements

Figure: API Group Elements

Note: Roles are assigned to namespace, Shared applies to all services except system and application. System and Application are restricted as they are management namespaces for development, SeCops, etc. and not everyone needs or is allowed to access these areas of the console.

Add Role

Follow these steps to add role and assign API groups to it:

Note: At least one API group must be assigned during role creation.

Step 1: Navigate to the Roles Configuration and Open Roles Creation Form.

  • On the F5 Distributed Cloud Console homepage, click the Administration box.

  • From the left menu, select IAM.

  • Select Roles > + Add Role.

Figure: Navigate to Roles

Figure: Navigate to Roles

Step 2: Select API Groups for the Role.

Role creation requires you to select API groups.

  • Enter Name in Role Name box in pop-up window.

Note: When naming your custom role, follow the RFC 1035 naming convention. You can use lowercase letters (a-z), numbers (0-9), and hyphens (-). The first two characters MUST be lowercase letters (a-z). Example: aa-role2-k8s.

  • Click + Allowed API Groups.

Note: Roles are assigned to namespaces. The "Shared" namespace applies to all services except system and application namespaces. "System" and "Application" namespaces are restricted, as they are used for management purposes (e.g., development, SeCops), and access to these areas is not required or permitted for everyone.

  • Select the Allowed API Groups by checking box.

Note: Adding objects to a namespace after role creation does not automatically grant role access, you must manually add it.

  • Click Save button to assign the selected API groups to the role.

Note: Select the value under the Elements column to view the list of APIs that are part of the associated group.

Step 3: Add Additional Allowed API Groups.

  • Select the Allowed API Groups by checking box.

  • Select Save button to create the role.

Note: Role cannot be created without selecting + Allowed API Groups.

Figure: API Group Selection

Figure: API Group Selection

Step 4: Add Additional Role Access.

Note: When you add objects to a namespace, role access is not granted automatically, you must assign it manually.

Editing a Role in Administration:

  • Go to IAM > Roles.

  • Select the Role you want to edit.

  • Click the ... (ellipsis) icon and choose the Edit option.

  • Click the + Allowed API Groups button.

  • Check boxes of Name, Namespace, and Elements rows that you want to grant access to for the role.

Note: Roles are assigned to namespaces. "Shared" applies to all services except for system and application namespaces. "System" and "Application" namespaces are restricted, as they are used for management purposes (e.g., development, SeCops), and not everyone requires or is allowed to access these areas of the console.

  • Click the > button to view more options on subsequent pages.

  • Click Save button to update the role access.

Figure: API Group Selection

Figure: API Group Selection

Create Tenant-Level Role Policies

F5 Distributed Cloud Services provides the ability to control Console access through Role policies. Tenants can raise service request, and provide list of RBAC policies to apply to platform access.

Role policy rules are the same as service policy rules. For example, tenant can request to enable a rule to allow or deny access based on parameters such as source IP address, ASN, country, etc. See Service Policy API for more information.

When this tenant-level role policy is enabled, it is prioritized over any user-defined and shared role policies.

See Raise Support Request for instructions on how to raise support requests.

Concepts

API References

On this page: