Delegated Access

Objective
Delegated Access Overview
Prerequisites
Delegated Access
Concepts

Objective

This guide provides instructions on how to enable Delegated Access in F5 Distributed Cloud Console. To learn more about users, see Users.

Delegated Access provides the ability for one tenant to grant access and permissions to users from another tenant. Delegated Access can be leveraged to provide a third party with access to your tenant in order to manage your services and configurations.

A common scenario for Delegated Access is when a consultant, or system integrator is providing expertise, advice, and service management to a client. The consultant is responsible for ensuring that various services within F5 Console work seamlessly and efficiently. This often involves configuring and maintaining product configuration, as well as providing ongoing support and guidance to the client.

In this scenario, the consultant needs access to the client's tenant in order to monitor and edit service configuration. The client grants the consultant's users access to the client tenant, and the consultant's users access the client's tenant and assume the permissions granted by the client.

The instructions in this document will demonstrate how one tenant can grant access to a different tenant via Delegated Access in F5 Distributed Cloud Console.

Delegated Access Overview

Delegated Access is a feature of the F5 Distributed Cloud platform that allows you to grant access and permissions to users from another tenant. The initial release of this feature is being launched as a private preview. We are evaluating customer use cases individually and enabling Delegated Access on a case by case basis. Feel free to reach out to us at delegated-access@cloud.f5.com, and we will be in touch.

Delegated Access involves two tenants: Managed Tenant (MT), grants access, and Operating Tenant (OT), receives access.

Managed Tenant (MT): A tenant that receives access and is typically owned by a consultant or system integrator. This tenant is operated by the consultant or system integrator and receives access from Managed Tenant.

Note: The Managed Tenant is the tenant being managed, and owned by the end customer who is buying F5 services.

Operating Tenant (OT): A tenant that grants access and is being managed, typically owned by an end customer, where the customer's resources and applications reside. This tenant is owned by the end customer and is where the customer's resources and applications reside.

Note: Operating Tenant that is typically owned by a consultant or system integrator is granted access by the Managed Tenant, and the Operating Tenants users are able to perform actions within the Managed Tenant.

Allowed Tenant: An Operating Tenant that has been granted access to a Managed Tenant, and can perform actions within and by the Managed Tenant.

Access Mapping: Access Mapping is a feature in Delegated Access that allows for the assignment of permissions from a local group in the Operating Tenant to a remote group in the Managed Tenant. This grants Operating Tenant users access to the Managed Tenant and dictates the level of permissions they have within it. When an Operating Tenant user accesses the Managed Tenant, they assume the roles and permissions of the mapped group.

Prerequisites

F5 Distributed Cloud Account is required.

Note: In case you do not have an account, see Create an Account.

Delegated Access

Steps to enable Delegated Access:

The Operating Tenant and Managed Tenant configurations need to be completed in each tenant for Delegated Access functionality to operate properly. The Operating Tenant or Managed Tenant can start the process. In this document we will start with setting up the Operating Tenant first.

Step 1: Open F5® Distributed Cloud Console, enable Operating Tenant Delegated Access.

Enable Delegated Access for the Operating Tenant.

Open F5® Distributed Cloud Console > select Delegated Access box.

Note: Homepage is role based, and your homepage may look different due to your role customization. Select All Services drop-down menu to display all options. Customize Settings: Administration > Personal Management > My Account > Edit work domain & skills button > Advanced box > check Work Domain boxes > Save changes button.

Email delegated-access@cloud.f5.com to request add-on service to be enabled.

Note: Delegated Access is an add-on service, and not enabled without email request.

DELGATEDACCESSLANDINGPAGE1 1 — Figure: Delegated Access

Note: If options are not showing available, select Show link in Advanced nav options visible in bottom left corner. If needed, select Hide to minimize options from Advanced nav options mode.

Step 1.2: Create Groups in Managed Tenant.

Open Managed Tenant (MT) in F5 Distributed Cloud Console > select Administration box.

Note: The Managed Tenant is the tenant that you want the Operating Tenant to access and operate.

Select IAM tab > select Groups.
Select + Add Group button.

Note: F5 recommends starting with a monitor and an admin group, but these can be customized.

Note: Setup for Delegated Access in Operating Tenant, start with monitor and admin group. Setup for Delegated Access in Managed Tenant, groups have specific permissions and limitations that allow Operating Tenant users to perform actions within the Managed Tenant. For example, the monitor group may be granted read-only permissions, while the admin group may be granted read and write permission.

Create managed-admin group.
Create managed-monitor group.
Add users to appropriate groups.
Confirm users are in groups.

Note: Refer to Users document on how to Create User Groups and Add Users

Step 1.3: Create Groups and Users in Operating Tenant.

Open Operating Tenant (OT) in F5 Distributed Cloud Console > select Administration box.
Select IAM tab > select Users.
Select + Add User button.
Add Users.

Note: Refer to Users document on how to Create User Groups and Add Users

Select Groups in IAM tab.

Note: F5 recommends starting with a monitor and an admin group, but these can be customized.

Note: Setup for Delegated Access in Operating Tenant, start with monitor and admin group. Setup for Delegated Access in Managed Tenant, groups have specific permissions and limitations that allow Operating Tenant users to perform actions within the Managed Tenant. For example, the monitor group may be granted read-only permissions, while the admin group may be granted read and write permission.

Add admin group.
Add monitor group.
Confirm users are in groups.

Note: Open group with down arrow, and users will show in JSON username.

Step 2: Delegate Access from Managed Tenant.

Open Managed Tenant (MT) in F5 Distributed Cloud Console > select Administration box.

Note: Managed Tenant is the tenant that grants access to Operating Tenant users.

HOME DELEGATEDACCESSBOX — Figure: Delegated Access

Select IAM tab > select Delegated Access.
Select + Add Allowed Tenant button.

Note: User status Admin is required for adding and editing tenant delegated access options.

DELEGATEDACCESSADD — Figure: Add Allowed Tenant

Step 3: Add Operating Tenant as an Allowed Tenant for Delegated Access.

Delegate Access to Managed Tenant by adding Operating Tenant as an Allowed Tenant.

Enter Name, add labels, or Description as necessary.
Enter Allowed Tenant ID.

Note: User needs to enter tenant ID for operating tenant.

DELEGATEDACCESSADDFORM — Figure: Allowed Tenant ID

In Allowed Groups > select + Add Item button.
Add allowed groups for access in drop-down menu.

Note: Select groups you configured in the operating tenant.

ALLOWEDITEMSADDGROUPS — Figure: Allowed Groups

Select Save and Exit button.
Status will show as pending (yellow) until Active (green).

Note: Status will be pending until operating tenant completes form.

Step 4: Add Access Mapping for Operating Tenant.

Enable delegated access for Operating Tenant (OT), the operator needing access.

Open Operating Tenant (OT) in F5 Distributed Cloud Console > select Delegated Access box.

Select Manage, select Access Mapping.

Note: Delegated Access is an add-on service, and not enabled without email request.

Select Add Access Mapping button.

ADDACCESSMAPPING1 1 — Figure: Add Access Mapping

Step 5: Setup Access Mapping.

Enter Name, labels, or Description as necessary.

Note: Name: Tenant (Access Mapping Configuration) that you want to manage.

Select Managed Tenant Type drop-down menu.
- Select Existing Tenant
Note: You cannot create a new tenant, but can access existing tenants.
Select Managed Tenant ID drop-down menu to select tenant from service API list.

ACCESSMAPPINGFORM — Figure: Access Mapping

Step 6: Add Group Mapping.

Note: Operating Tenant Groups: admin and monitor.

Note: Managed Tenant Groups: managed-admin and managed-monitor.

In Group Mapping > select + Add Item button.

In Group drop-down menu, select one of your groups from the Operating Tenant.
Group

Note: Users added to each group in Operating Tenant will be able to access managed tenant group and assume roles and permissions available to Managed Tenant.

admin
monitor
Managed Tenant Group
- managed-admin
- managed-monitor
Note: Communicate tenant and group names to managed tenant owner so they can be activated.
Select Apply button.
Select Save and Exit button.