Roles

Objective

This guide provides information on F5® Distributed Cloud Services Role-based Access Control (RBAC) and instructions on how to manage it. RBAC is used to define and enforce user capabilities while using the platform.

Roles and Privileges

A role is a collection of allowed API groups. One or more roles can be assigned to a user in a given namespace. The overall effect will be the sum total of all allowed API groups from each assigned role. In a tenant, there are three kinds of namespaces - system, shared, and application namespaces. Role assignments require explicit assignment of roles in the system and shared namespaces. For application namespaces, the user can choose to assign roles specifically to a namespace, for example, default namespace, or target assigning roles to all application namespaces by choosing the option All application namespaces when assigning via F5 Distributed Cloud Console or use * as namespace value in API request payload.

Every user has one or more roles assigned, and these roles are mapped to certain set of privileges. The privileges define what actions the user is allowed to perform. The privileges are identified by the API groups in F5® Distributed Cloud Console, and an API group defines which all actions (APIs) are allowed under it.

The RBAC consists of the following types of roles:

  1. Default Roles

The default roles are predefined in the system and cannot be changed or customized. You can use these roles in controlling the privileges or abilities of users. The following table lists out default roles and the associated privileges:

Note: The column name Category indicates API groups and rest of the column names are the default role names. Values presented in the columns are the allowed privileges.

CategoryDefault-roleAdminMonitorPower-DeveloperBillingUAM-admin
UAM-readAllowAllowAllow
UAM-writeAllowAllow
UAM-admin-readAllowAllow
UAM-admin-writeAllowAllow
infrastructure-readAllowAllowAllow
infrastructure-writeAllow
proxy-readAllowAllowAllow
general-readAllowAllowAllowAllow
Proxy-Monitor-readAllowAllow
Proxy-Monitor-writeAllow
Network-readAllowAllowAllow
Network-writeAllowAllow
Internal-readAllowAllow
Internal-writeAllow
Proxy-security-readAllowAllow
Proxy-security-writeAllowAllow
Infra-monitor-readAllowAllow
Infra-monitor-writeAllow
Labels-readAllowAllowAllow
Labels-writeAllowAllow
Secrets-readAllowAllowAllow
Secrets-writeAllowAllow
volt-share-readAllow
volt-share-writeAllow
Monitor-readAllowAllow
Monitor-writeAllowAllowAllow
IaaS/CaaS-readAllowAllowAllow
IaaS/CaaS-writeAllowAllow
Virtual_sites-readAllowAllowAllow
Virtual_sites-writeAllowAllow
Proxy-WAF-readAllowAllowAllow
Proxy-WAF-writeAllowAllow
Billing-readAllowAllowAllow
Billing-writeAllowAllow
Support-readAllow
Support-writeAllow
ves-io-k8s-readAllow
ves-io-k8s-writeAllow
ves-io-local-k8s-writeAllow
stored-object-readAllowAllow
stored-object-writeAllowAllow
web-accessAllowAllowAllowAllowAllowAllow

Note: Role is needed to enable the admin functions to add additional users.

(CRUD) Create, read, update, and delete.

(R)= Read access CRUD= Read and Write access in console for user.

This table classifies privileges in terms of the Create, Read, Update, and Delete (CRUD) operations. For example, entry Allow for the API groups ves-io-uam-read and ves-io-uam-write against the Admin role means that all CRUD operations are allowed on the API group for the admin role. Each role name in F5® Distributed Cloud Console is prefixed with ves-io string and suffixed with role string. For example, the default role is identified by the ves-io-default-role name.

Power-Developer, is developer plus monitor access combined.

Note: ves-io, is default, built in roles that come with tenant in tenants ready to use when user sets up console.

Custom Roles:

You can create roles and customize them by assigning one or more API groups. These roles can be assigned to users, and can also be updated or removed as needed.

Note: A user is required to have at least one of the ves-io-monitor-role, ves-io-power-developer-role, ves-io-admin-role roles for a namespace to appear in the namespace dropdown in the F5® Distributed Cloud Console.

Prerequisites

A valid Account is required.

View RBAC Policy Rules and API Groups

You can view the predefined RBAC policy rules, and the various API groups information in the F5® Distributed Cloud Console.

Features can be viewed, and managed in multiple services.

This example shows Roles setup in Administration.

Step 1: Log into F5 Distributed Cloud Console, view in-built policies.
  • Open F5 Distributed Cloud Console homepage, select Administration box.

Note: Homepage is role based, and your homepage may look different due to your role customization. Select All Services drop-down menu to discover all options. Customize Settings: Administration > Personal Management > My Account > Edit work domain & skills button > Advanced box > check Work Domain boxes > Save changes button.

Figure: Homepage

Figure: Homepage

Note: Confirm Namespace feature is in correct namespace, drop-down selector located in upper-left corner. Not available in all services.

  • Select IAM in left column menu > select Roles.

  • Select > for any policy from the displayed list to view the policy information in JSON format.

Note: If options are not showing available, select Show link in Advanced nav options visible in bottom left corner. If needed, select Hide to minimize options from Advanced nav options mode.

Figure: Open Roles

Figure: Open Roles

Note: ves-io, is default, built in roles that come with tenant in tenants ready to use when user sets up console.

Figure: In-built RBAC Policy Rules

Figure: In-built RBAC Policy Rules

Note: The api_groups field in the displayed information shows the API groups associated with the rule.

Step 2: View API groups.
  • Select ..., or the linked number under API Groups column to view or edit.
Figure: API Group Information

Figure: API Group Information

Note: The elements field in the displayed information shows the APIs associated with the group.

Step 3: View the APIs associated with an API group.

Select linked number in Elements column against any API displayed in the list to view the APIs in another window.

Figure: API Group List

Figure: API Group List

Figure: API Group Elements

Figure: API Group Elements

Note: Roles are assigned to namespace, Shared applies to all services except system and application. System and application are restricted as they are management namespaces for development, SeCops, etc. and not everyone needs or is allowed to access these areas of the console.

Create a Role

Perform the following to create a role, and assign API groups to it:

Assigning one or more API groups is required in role creation.

Step 1: Navigate to role configuration, open role creation form.

  • Select Administration box in F5 Distributed Cloud Console homepage.

  • Select IAM in left column menu > select Roles > + Create role.

Figure: Navigate to Roles

Figure: Navigate to Roles

Step 2: Select API groups for the role.

Role creation requires you to select API groups.

  • Enter Name in Role box in pop-up window.

Note: Naming your custom role, use the RFC 1035 naming protocol, you can use a-z alphabetical characters, - , and 0-9 numerical characters. The first two characters MUST be lower-case a-z alphabetical characters. Example: aa-role2-k8s.

  • Select + Allowed API Groups.

Note: Roles are assigned to namespace, Shared applies to all services except system and application. System and application are restricted as they are management namespaces for development, SeCops, etc. and not everyone needs or is allowed to access these areas of the console.

  • Select Allowed API Groups by checking box.

Note: Anytime you add objects to a namespace after creating a role it doesn't automatically give role access, you have to add manually.

  • Select Save to add the API groups to the role.

This example creates a custom role infrawatcher with the ves-io-infra-monitor-read and ves-io-infra-monitor-write groups.

Figure: API Group Selection

Figure: API Group Selection

Note: Select the value under the Elements column to view the list of APIs that are part of the associated group.

Step 3: Assign additional roles.

Select Save to create the role.

Note: Role cannot be created without selecting + Allowed API Groups.

Figure: Role Configuration and Creation

Figure: Role Configuration and Creation

Step 4: Add additional role access.

Note: Anytime you add objects to a namespace it doesn't automatically give role access, you have to add manually.

  • In Administration > IAM > Roles.

  • Select Role you want to edit.

  • Select ... > select Edit pop-up window option.

  • Select + Allowed API Groups button.

  • Check boxes of Name, Namespace, and Elements rows you want to add access to the open role.

Note: Roles are assigned to namespace, Shared applies to all services except system and application. System and application are restricted as they are management namespaces for development, SeCops, etc. and not everyone needs or is allowed to access these areas of the console.

  • Select > to see more options on next pages.

  • Select Save button to update role access.

Create Tenant-Level RBAC Policies

F5 Distributed Cloud Services provides ability to control Console access through RBAC policies. Tenants can raise service request, and provide list of RBAC policies to apply to platform access.

RBAC policy rules are same as service policy rules. For example, tenant can request to enable a rule to allow or deny access based on parameters such as source IP address, ASN, country, etc. See Service Policy API for more information.

When this tenant-level RBAC policy is enabled, it is prioritized over any user-defined and shared RBAC policies.

See Raise Support Request for instructions on how to raise support requests.

Concepts

On this page: