Roles
Objective
This guide provides information on F5® Distributed Cloud Services Role-based Access Control (RBAC) and instructions on how to manage it. RBAC is used to define and enforce user capabilities while using the platform.
Roles and Privileges
A role is a collection of allowed API groups. One or more roles can be assigned to a user in a given namespace. The overall effect is the union of the allowed API groups from each assigned role. In a tenant, there are three kinds of namespaces: system, shared, and application namespaces. Roles in the system and shared namespaces must be assigned explicitly. For application namespaces, you can assign roles to a specific namespace (for example, the default namespace) or to all application namespaces by choosing the option All application namespaces when assigning via F5 Distributed Cloud Console, or by using * as the namespace value in the API request payload.
Every user has one or more roles assigned, and these roles are mapped to a certain set of privileges. The privileges define what actions the user is allowed to perform. The privileges are identified by the API groups in F5® Distributed Cloud Console, and an API group defines which actions (APIs) are allowed under it.
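The following Python model is an added example, not F5 code, of how the assignment rules above resolve to an effective set of API groups: roles are unioned per namespace, the * wildcard expands only to application namespaces, and system and shared need explicit entries. The role catalogue (which API groups each role contains) is constructed for the example; only the role and group naming follows the guide, and the dropdown rule comes from the note on custom roles further down.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Set

SYSTEM_NS = "system"
SHARED_NS = "shared"
ALL_APP_NS = "*"  # "All application namespaces" in the console / "*" in an API payload

# Roles that make a namespace appear in the console namespace dropdown (from the guide).
DROPDOWN_ROLES = {"ves-io-monitor-role", "ves-io-power-developer-role", "ves-io-admin-role"}

# Constructed catalogue: role name -> allowed API groups. Names follow the guide's
# ves-io-<name>-role / ves-io-<group>-read|write pattern, but the membership of each
# role below is an assumption for this example, not the product's privilege table.
ROLES: Dict[str, FrozenSet[str]] = {
    "ves-io-monitor-role": frozenset({
        "ves-io-general-read", "ves-io-infra-monitor-read", "ves-io-web-access"}),
    "ves-io-admin-role": frozenset({
        "ves-io-general-read", "ves-io-infra-monitor-read", "ves-io-infra-monitor-write",
        "ves-io-uam-read", "ves-io-uam-write", "ves-io-web-access"}),
    # the custom role this guide creates later
    "infrawatcher": frozenset({"ves-io-infra-monitor-read", "ves-io-infra-monitor-write"}),
}


@dataclass(frozen=True)
class Assignment:
    namespace: str  # SYSTEM_NS, SHARED_NS, an application namespace, or ALL_APP_NS
    role: str


def _applies(a: Assignment, namespace: str, app_namespaces: Set[str]) -> bool:
    if a.namespace == namespace:
        return True
    # "*" covers application namespaces only; system and shared need an explicit entry.
    return a.namespace == ALL_APP_NS and namespace in app_namespaces


def effective_api_groups(assignments: Iterable[Assignment], namespace: str,
                         app_namespaces: Iterable[str], roles=ROLES) -> Set[str]:
    """Union of the API groups of every assigned role that applies to `namespace`."""
    apps = set(app_namespaces)
    if namespace not in apps and namespace not in (SYSTEM_NS, SHARED_NS):
        raise ValueError(f"unknown namespace {namespace!r}")
    groups: Set[str] = set()
    for a in assignments:
        if a.role not in roles:
            raise KeyError(f"unknown role {a.role!r}")
        if _applies(a, namespace, apps):
            groups |= roles[a.role]
    return groups


def is_allowed(assignments, namespace, api_group, app_namespaces, roles=ROLES) -> bool:
    """True if some assigned role grants `api_group` in `namespace`."""
    return api_group in effective_api_groups(assignments, namespace, app_namespaces, roles)


def namespaces_in_dropdown(assignments: Iterable[Assignment], app_namespaces: Iterable[str]) -> List[str]:
    """Namespaces the console would list: those where the user holds a DROPDOWN_ROLES role."""
    assignments = list(assignments)
    apps = set(app_namespaces)
    visible = []
    for ns in [SYSTEM_NS, SHARED_NS, *sorted(apps)]:
        roles_here = {a.role for a in assignments if _applies(a, ns, apps)}
        if roles_here & DROPDOWN_ROLES:
            visible.append(ns)
    return visible


if __name__ == "__main__":
    apps = ["default", "payments"]  # constructed application namespaces
    user = [
        Assignment(ALL_APP_NS, "ves-io-monitor-role"),  # monitor everywhere in app namespaces
        Assignment("payments", "infrawatcher"),         # plus the custom role in one of them
        Assignment(SHARED_NS, "ves-io-monitor-role"),   # shared must be assigned explicitly
    ]
    for ns in [SYSTEM_NS, SHARED_NS, *apps]:
        print(f"{ns}: {sorted(effective_api_groups(user, ns, apps))}")
    print("dropdown:", namespaces_in_dropdown(user, apps))
```

Running it shows that system stays empty (no explicit assignment, and * does not reach it), that payments gets the write group only because the custom role was added there, and that the dropdown lists shared, default and payments.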
The RBAC consists of the following types of roles:
- Default Roles
The default roles are predefined in the system and cannot be changed or customized. You can use these roles to control the privileges of users. The following table lists the default roles and the associated privileges:
Note: The column name Category indicates API groups, and the rest of the column names are the default role names. Values presented in the columns are the allowed privileges.
Category | Default-role | Admin | Monitor | Power-Developer | Billing | UAM-admin |
---|---|---|---|---|---|---|
UAM-read | Allow | Allow | Allow | |||
UAM-write | Allow | Allow | ||||
UAM-admin-read | Allow | Allow | ||||
UAM-admin-write | Allow | Allow | ||||
infrastructure-read | Allow | Allow | Allow | |||
infrastructure-write | Allow | |||||
proxy-read | Allow | Allow | Allow | |||
general-read | Allow | Allow | Allow | Allow | ||
Proxy-Monitor-read | Allow | Allow | ||||
Proxy-Monitor-write | Allow | |||||
Network-read | Allow | Allow | Allow | |||
Network-write | Allow | Allow | ||||
Internal-read | Allow | Allow | ||||
Internal-write | Allow | |||||
Proxy-security-read | Allow | Allow | ||||
Proxy-security-write | Allow | Allow | ||||
Infra-monitor-read | Allow | Allow | ||||
Infra-monitor-write | Allow | |||||
Labels-read | Allow | Allow | Allow | |||
Labels-write | Allow | Allow | ||||
Secrets-read | Allow | Allow | Allow | |||
Secrets-write | Allow | Allow | ||||
volt-share-read | Allow | |||||
volt-share-write | Allow | |||||
Monitor-read | Allow | Allow | ||||
Monitor-write | Allow | Allow | Allow | |||
IaaS/CaaS-read | Allow | Allow | Allow | |||
IaaS/CaaS-write | Allow | Allow | ||||
Virtual_sites-read | Allow | Allow | Allow | |||
Virtual_sites-write | Allow | Allow | ||||
Proxy-WAF-read | Allow | Allow | Allow | |||
Proxy-WAF-write | Allow | Allow | ||||
Billing-read | Allow | Allow | Allow | |||
Billing-write | Allow | Allow | ||||
Support-read | Allow | |||||
Support-write | Allow | |||||
ves-io-k8s-read | Allow | |||||
ves-io-k8s-write | Allow | |||||
ves-io-local-k8s-write | Allow | |||||
stored-object-read | Allow | Allow | ||||
stored-object-write | Allow | Allow | ||||
web-access | Allow | Allow | Allow | Allow | Allow | Allow |
Note: A role is needed to enable the admin functions to add additional users.
CRUD = Create, read, update, and delete.
R = Read access; CRUD = Read and write access in the console for the user.
This table classifies privileges in terms of the Create, Read, Update, and Delete (CRUD) operations. For example, the entry Allow for the API groups ves-io-uam-read and ves-io-uam-write against the Admin role means that all CRUD operations are allowed on those API groups for the admin role. Each role name in F5® Distributed Cloud Console is prefixed with the string ves-io and suffixed with the string role. For example, the default role is identified by the name ves-io-default-role.
Power-Developer is developer plus monitor access combined.
Note: The ves-io roles are the default, built-in roles that come with a tenant and are ready to use when the user sets up the console.
- Custom Roles
You can create roles and customize them by assigning one or more API groups. These roles can be assigned to users, and can also be updated or removed as needed.
Note: A user is required to have at least one of the ves-io-monitor-role, ves-io-power-developer-role, or ves-io-admin-role roles for a namespace to appear in the namespace dropdown in the F5® Distributed Cloud Console.
Prerequisites
A valid Account is required.
- Note: If you do not have an account, visit Create an Account.
View RBAC Policy Rules and API Groups
You can view the predefined RBAC policy rules, and the various API groups information in the F5® Distributed Cloud Console.
Features can be viewed and managed in multiple services. This example shows the Roles setup in Administration.
Step 1: Log into F5 Distributed Cloud Console and view the built-in policies.
- Open the F5 Distributed Cloud Console homepage and select the Administration box.
Note: The homepage is role based, and your homepage may look different due to your role customization. Select the All Services drop-down menu to discover all options. To customize settings: Administration > Personal Management > My Account > Edit work domain & skills button > Advanced box > check the Work Domain boxes > Save changes button.
Figure: Homepage
Note: Confirm that the Namespace feature is set to the correct namespace using the drop-down selector located in the upper-left corner. It is not available in all services.
- Select IAM in the left column menu > select Roles.
- Select > for any policy in the displayed list to view the policy information in JSON format.
Note: If options are not showing as available, select the Show link in Advanced nav options visible in the bottom left corner. If needed, select Hide to minimize the options from Advanced nav options mode.
Figure: Open Roles
Note: The ves-io roles are the default, built-in roles that come with a tenant and are ready to use when the user sets up the console.
Figure: In-built RBAC Policy Rules
Note: The api_groups field in the displayed information shows the API groups associated with the rule.
Step 2: View API groups.
- Select ..., or the linked number under the API Groups column, to view or edit.
Figure: API Group Information
Note: The elements field in the displayed information shows the APIs associated with the group.
Step 3: View the APIs associated with an API group.
Select the linked number in the Elements column against any API group displayed in the list to view its APIs in another window.
Figure: API Group List
Figure: API Group Elements
Note: Roles are assigned to namespaces. Shared applies to all services except system and application. System and application are restricted because they are management namespaces for development, SecOps, etc., and not everyone needs or is allowed to access these areas of the console.
Create a Role
Perform the following to create a role and assign API groups to it. Assigning one or more API groups is required when creating a role.
Step 1: Navigate to the role configuration and open the role creation form.
- Select the Administration box in the F5 Distributed Cloud Console homepage.
- Select IAM in the left column menu > select Roles > + Create role.
Figure: Navigate to Roles
Step 2: Select API groups for the role.
Role creation requires you to select API groups.
- Enter a Name in the Role box in the pop-up window.
Note: When naming your custom role, use the RFC 1035 naming convention: you can use a-z alphabetical characters, -, and 0-9 numerical characters. The first two characters MUST be lower-case a-z alphabetical characters. Example: aa-role2-k8s.
- Select + Allowed API Groups.
Note: Roles are assigned to namespaces. Shared applies to all services except system and application. System and application are restricted because they are management namespaces for development, SecOps, etc., and not everyone needs or is allowed to access these areas of the console.
- Select the Allowed API Groups by checking their boxes.
Note: Objects added to a namespace after a role is created are not automatically covered by the role; you have to add the access manually.
- Select Save to add the API groups to the role.
This example creates a custom role infrawatcher with the ves-io-infra-monitor-read and ves-io-infra-monitor-write groups.
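As an added example (not F5's own code or API schema), the script below applies the naming rule from the note in Step 2 and the "at least one API group" requirement to the infrawatcher role above, and assembles a request body for it. Only the api_groups field name is taken from the guide; the metadata/spec envelope and the catalogue of known API groups are constructed placeholders, and the 63-character limit is carried over from RFC 1035 labels rather than stated by the guide.

```python
import json
import re
from typing import Dict, Iterable, List

# Assumption: RFC 1035 label length; the guide only states the character rules.
MAX_ROLE_NAME_LEN = 63

# Constructed catalogue of API groups in the guide's naming style; a real tenant
# would list every group shown under Administration > IAM > API Groups.
KNOWN_API_GROUPS = frozenset({
    "ves-io-infra-monitor-read", "ves-io-infra-monitor-write",
    "ves-io-uam-read", "ves-io-uam-write", "ves-io-general-read",
})


def validate_role_name(name: str) -> List[str]:
    """Return the list of rule violations; an empty list means the name is acceptable.

    Rules from the guide: only a-z, 0-9 and '-', and the first two characters
    must be lower-case letters.
    """
    problems: List[str] = []
    if not name:
        return ["name is empty"]
    if len(name) > MAX_ROLE_NAME_LEN:
        problems.append(f"longer than {MAX_ROLE_NAME_LEN} characters")
    bad = sorted({c for c in name if not re.fullmatch(r"[a-z0-9-]", c)})
    if bad:
        problems.append("characters not allowed: " + ", ".join(repr(c) for c in bad))
    if not re.fullmatch(r"[a-z]{2}", name[:2]):
        problems.append("first two characters must be lower-case letters a-z")
    return problems


def is_valid_role_name(name: str) -> bool:
    return not validate_role_name(name)


def build_role_request(name: str, api_groups: Iterable[str],
                       known_groups=KNOWN_API_GROUPS) -> Dict:
    """Validate the inputs and build a request body for a custom role.

    The metadata/spec envelope is a placeholder (assumption); api_groups is the
    field name the guide shows in the role's JSON view.
    """
    problems = validate_role_name(name)
    if problems:
        raise ValueError(f"invalid role name {name!r}: " + "; ".join(problems))
    groups = sorted(set(api_groups))
    if not groups:  # the console refuses to create a role without API groups
        raise ValueError("a role needs at least one allowed API group")
    unknown = [g for g in groups if g not in known_groups]
    if unknown:
        raise ValueError("unknown API groups: " + ", ".join(unknown))
    return {"metadata": {"name": name}, "spec": {"api_groups": groups}}


if __name__ == "__main__":
    req = build_role_request(
        "infrawatcher", ["ves-io-infra-monitor-write", "ves-io-infra-monitor-read"])
    print(json.dumps(req, indent=2))
    for candidate in ["aa-role2-k8s", "Aa-role", "1a-role", "a-role", "ab_role"]:
        print(f"{candidate}: {validate_role_name(candidate) or 'ok'}")
```

The validator reports every violated rule rather than stopping at the first one, which makes it usable as a pre-check in a provisioning script before the console or API rejects the name.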
Figure: API Group Selection
Note: Select the value under the Elements column to view the list of APIs that are part of the associated group.
Step 3: Assign additional roles.
Select Save to create the role.
Note: A role cannot be created without selecting + Allowed API Groups.
Figure: Role Configuration and Creation
Step 4: Add additional role access.
Note: Objects added to a namespace are not automatically covered by an existing role; you have to add the access manually.
- Go to Administration > IAM > Roles.
- Select the Role you want to edit.
- Select ... > select the Edit option in the pop-up window.
- Select the + Allowed API Groups button.
- Check the boxes of the Name, Namespace, and Elements rows you want to add access to in the open role.
Note: Roles are assigned to namespaces. Shared applies to all services except system and application. System and application are restricted because they are management namespaces for development, SecOps, etc., and not everyone needs or is allowed to access these areas of the console.
- Select > to see more options on the next pages.
- Select the Save button to update the role access.
Create Tenant-Level RBAC Policies
F5 Distributed Cloud Services provides the ability to control Console access through RBAC policies. Tenants can raise a service request and provide a list of RBAC policies to apply to platform access.
RBAC policy rules are the same as service policy rules. For example, a tenant can request to enable a rule to allow or deny access based on parameters such as source IP address, ASN, country, etc. See Service Policy API for more information.
When this tenant-level RBAC policy is enabled, it is prioritized over any user-defined and shared RBAC policies.
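To make the precedence concrete, here is an added example (constructed for this page, not the product's policy engine) that evaluates allow/deny rules keyed on source IP prefix, ASN and country, checking tenant-level rules before user-defined ones. Two details are assumptions rather than documented behaviour: within the combined order the first matching rule decides, and a request matched by no rule falls back to a configurable default (deny here, on least-privilege grounds). The sample rules use documentation address space (203.0.113.0/24, 2001:db8::/32) and a documentation ASN (64496).

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple


@dataclass(frozen=True)
class Rule:
    action: str                          # "allow" or "deny"
    src_prefixes: Tuple[str, ...] = ()   # CIDR prefixes; empty means "any source"
    asns: Tuple[int, ...] = ()           # empty means "any ASN"
    countries: Tuple[str, ...] = ()      # ISO country codes; empty means "any country"

    def matches(self, src_ip: str, asn: int, country: str) -> bool:
        """Every non-empty criterion must match (criteria are AND-ed)."""
        ip = ipaddress.ip_address(src_ip)
        if self.src_prefixes and not any(
                ip in ipaddress.ip_network(p, strict=False) for p in self.src_prefixes):
            return False
        if self.asns and asn not in self.asns:
            return False
        if self.countries and country not in self.countries:
            return False
        return True


def evaluate(tenant_rules: Sequence[Rule], user_rules: Sequence[Rule],
             src_ip: str, asn: int, country: str,
             default: str = "deny") -> Tuple[str, Optional[Rule]]:
    """Return (action, matching rule). Tenant-level rules are evaluated first, which
    is how the guide's "prioritized over user-defined policies" is modelled here;
    first match wins and `default` applies when nothing matches (both assumptions)."""
    for rule in (*tenant_rules, *user_rules):
        if rule.matches(src_ip, asn, country):
            return rule.action, rule
    return default, None


# Constructed sample policies.
TENANT_RULES = (
    Rule("deny", asns=(64496,)),        # block one network operator entirely
    Rule("deny", countries=("ZZ",)),    # "ZZ" is a placeholder country code
)
USER_RULES = (
    Rule("allow", src_prefixes=("203.0.113.0/24", "2001:db8::/32")),  # office ranges
)


if __name__ == "__main__":
    # Constructed sample requests: (source IP, ASN, country)
    samples = [
        ("203.0.113.7", 64500, "US"),   # office range -> allow
        ("203.0.113.7", 64496, "US"),   # office range but blocked ASN -> tenant deny wins
        ("2001:db8::1", 64500, "US"),   # IPv6 office range -> allow
        ("198.51.100.1", 64500, "US"),  # matches nothing -> default
    ]
    for ip, asn, cc in samples:
        action, rule = evaluate(TENANT_RULES, USER_RULES, ip, asn, cc)
        print(f"{ip:14} AS{asn} {cc}: {action} ({rule if rule else 'default'})")
```

Because the tenant-level rules sit in front, a user-defined allow for an office range cannot override a tenant-level deny for an ASN; that ordering is the property the guide describes, and it is the one to test when a support request for tenant-level policies is fulfilled.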
See Raise Support Request for instructions on how to raise support requests.