Delegated Access
Objective
This guide provides instructions on how to enable Delegated Access in F5 Distributed Cloud Console. To learn more about users, see Users.
Delegated Access provides the ability for one tenant to grant access and permissions to users from another tenant. Delegated Access can be leveraged to provide a third party with access to your tenant in order to manage your services and configurations.
A common scenario for Delegated Access is a consultant or system integrator providing expertise, advice, and service management to a client. The consultant is responsible for ensuring that the various services within F5 Console work seamlessly and efficiently. This often involves configuring and maintaining the product, as well as providing ongoing support and guidance to the client.
In this scenario, the consultant needs access to the client's tenant in order to monitor and edit the service configuration. The client grants the consultant's users access to the client tenant, and the consultant's users access the client's tenant and assume only the permissions granted by the client.
The instructions in this document will demonstrate how one tenant can grant access to a different tenant via Delegated Access in F5 Distributed Cloud Console.
Delegated Access Overview
Delegated Access is a feature of the F5 Distributed Cloud platform that allows you to grant access and permissions to users from another tenant. The initial release of this feature is being launched as a private preview. We are evaluating customer use cases individually and enabling Delegated Access on a case by case basis. Feel free to reach out to us at delegated-access@cloud.f5.com, and we will be in touch.
Delegated Access involves two tenants: the Managed Tenant (MT), which grants access, and the Operating Tenant (OT), which receives access.
Managed Tenant (MT): The tenant that grants access and is being managed. It is typically owned by the end customer who is buying F5 services, and it is where the customer's resources and applications reside.
Note: The Managed Tenant is the tenant being managed, and it is owned by the end customer.
Operating Tenant (OT): The tenant that receives access. It is typically owned and operated by a consultant or system integrator.
Note: Once the Managed Tenant has granted access, the Operating Tenant's users are able to perform actions within the Managed Tenant.
Allowed Tenant: An Operating Tenant that a Managed Tenant has explicitly granted access to. Users of an Allowed Tenant can perform actions within the Managed Tenant, limited to the permissions the Managed Tenant assigns.
Access Mapping: Access Mapping is a feature of Delegated Access that maps a local group in the Operating Tenant to a remote group in the Managed Tenant. This grants Operating Tenant users access to the Managed Tenant and dictates the level of permissions they have within it. When an Operating Tenant user accesses the Managed Tenant, they assume the roles and permissions of the mapped Managed Tenant group, and only those.
Prerequisites
- F5 Distributed Cloud Account is required.
Note: In case you do not have an account, see Create an Account.
Delegated Access
Steps to enable Delegated Access:
Both the Operating Tenant and the Managed Tenant configurations must be completed, each in its own tenant, for Delegated Access to operate properly. Either the Operating Tenant or the Managed Tenant can start the process. In this document we set up the Operating Tenant first.
Step 1: Open F5® Distributed Cloud Console and enable Delegated Access for the Operating Tenant.
- Open F5® Distributed Cloud Console > select the Delegated Access box.
Note: The homepage is role based, and yours may look different due to your role customization. Select the All Services drop-down menu to display all options. To customize settings: Administration > Personal Management > My Account > Edit work domain & skills button > Advanced box > check the Work Domain boxes > Save changes button.
- Email delegated-access@cloud.f5.com to request that the add-on service be enabled.
Note: Delegated Access is an add-on service and is not enabled without an email request.
Note: If options are not shown as available, select the Show link in Advanced nav options visible in the bottom left corner. If needed, select Hide to minimize the options from Advanced nav options mode.
Step 1.2: Create Groups in the Managed Tenant.
- Open the Managed Tenant (MT) in F5 Distributed Cloud Console > select the Administration box.
Note: The Managed Tenant is the tenant that you want the Operating Tenant to access and operate.
- Select the IAM tab > select Groups.
- Select the + Add Group button.
Note: F5 recommends starting with a monitor and an admin group, but these can be customized.
Note: For the Operating Tenant setup, start with a monitor and an admin group. For the Managed Tenant setup, the groups carry the specific permissions and limitations that Operating Tenant users assume when they act within the Managed Tenant. For example, the monitor group may be granted read-only permissions, while the admin group may be granted read and write permissions. Grant each group only the permissions the Operating Tenant needs for its task; this is where the scope of delegated access is set.
- Create the managed-admin group.
- Create the managed-monitor group.
- Add users to the appropriate groups.
- Confirm users are in the groups.
Note: Refer to the Users document on how to create user groups and add users.
Step 1.3: Create Groups and Users in the Operating Tenant.
- Open the Operating Tenant (OT) in F5 Distributed Cloud Console > select the Administration box.
- Select the IAM tab > select Users.
- Select the + Add User button.
- Add users.
Note: Refer to the Users document on how to create user groups and add users.
- Select Groups in the IAM tab.
Note: F5 recommends starting with a monitor and an admin group, but these can be customized.
Note: In the Operating Tenant, these groups only select which users are mapped; the permissions those users receive inside the Managed Tenant are defined by the Managed Tenant groups they are mapped to (for example, read-only for monitor and read and write for admin).
- Add the admin group.
- Add the monitor group.
- Confirm users are in the groups.
Note: Expand a group with the down arrow; its members are listed in the JSON under username.
Step 2: Delegate Access from the Managed Tenant.
- Open the Managed Tenant (MT) in F5 Distributed Cloud Console > select the Administration box.
Note: The Managed Tenant is the tenant that grants access to Operating Tenant users.
- Select the IAM tab > select Delegated Access.
- Select the + Add Allowed Tenant button.
Note: Admin user status is required for adding and editing tenant Delegated Access options.
Step 3: Add the Operating Tenant as an Allowed Tenant for Delegated Access.
Delegate access to the Managed Tenant by adding the Operating Tenant as an Allowed Tenant.
- Enter a Name, and add labels or a Description as necessary.
- Enter the Allowed Tenant ID.
Note: Enter the tenant ID of the Operating Tenant. This value identifies the tenant being granted access, so confirm it with the Operating Tenant owner before saving.
- In Allowed Groups > select the + Add Item button.
- Add the allowed groups for access from the drop-down menu.
Note: Select the groups you configured for Operating Tenant users (managed-admin and managed-monitor in this example). These are the only groups the Operating Tenant is allowed to map its users into.
- Select the Save and Exit button.
- Status will show as Pending (yellow) until Active (green).
Note: Status will remain Pending until the Operating Tenant completes its side of the configuration.
Step 4: Add Access Mapping for the Operating Tenant.
Enable Delegated Access for the Operating Tenant (OT), the operator needing access.
- Open the Operating Tenant (OT) in F5 Distributed Cloud Console > select the Delegated Access box.
- Select Manage, then select Access Mapping.
Note: Delegated Access is an add-on service and is not enabled without an email request.
- Select the Add Access Mapping button.
Step 5: Set up the Access Mapping.
- Enter a Name, and add labels or a Description as necessary.
Note: Name: a name for this Access Mapping configuration, identifying the tenant that you want to manage.
- Select the Managed Tenant Type drop-down menu > select Existing Tenant.
Note: You cannot create a new tenant, but you can access existing tenants.
- Select the Managed Tenant ID drop-down menu to select the tenant from the service API list.
Step 6: Add Group Mapping.
Note: Operating Tenant groups: admin and monitor.
Note: Managed Tenant groups: managed-admin and managed-monitor.
- In Group Mapping > select the + Add Item button.
- In the Group drop-down menu, select one of your groups from the Operating Tenant.
- In the Managed Tenant Group drop-down menu, select the Managed Tenant group that the Operating Tenant group maps to.
Note: Users added to each group in the Operating Tenant will be able to access the mapped Managed Tenant group and assume the roles and permissions that the Managed Tenant has granted to it.
Group mapping used in this example (Group > Managed Tenant Group):
- admin > managed-admin
- monitor > managed-monitor
Note: Communicate the tenant and group names to the Managed Tenant owner so they can be activated.
- Select the Apply button.
- Select the Save and Exit button.
Step 7: Confirm Access.
Status will show as Pending (yellow) until Active (green).
Note: Status will remain Pending until an Admin in the Managed Tenant activates the request.
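To make the two-sided handshake in Steps 2 to 7 concrete, here is a small Python model added for this guide. It is not F5 Distributed Cloud code and does not use the platform's API; the Tenant class, the function names, the sample tenant IDs (customer-tenant, consultant-tenant) and the extra billing group are assumptions made for the illustration. It shows three properties the steps above rely on: status stays Pending until both tenants have completed their half; a mapping into a group the Managed Tenant did not list as allowed cannot become Active; and an Operating Tenant user's permissions inside the Managed Tenant come only from the mapped Managed Tenant group, never from their Operating Tenant groups.

```python
"""Toy model of the two-sided Delegated Access handshake described in Steps 2 to 7.

Illustrative code written for this guide; it is not F5 Distributed Cloud code and
does not call the platform's API. Tenant, add_allowed_tenant, add_access_mapping,
delegation_status, effective_permissions and the sample tenant IDs are assumptions
made here to mirror the console forms, not platform identifiers.
"""
from dataclasses import dataclass, field

PENDING, ACTIVE = "Pending", "Active"
# Not a console status: the model's name for a request an MT Admin must refuse.
REJECTED = "Rejected"


@dataclass
class Tenant:
    tenant_id: str
    groups: dict[str, frozenset]          # group name -> permissions held by the group
    members: dict[str, set[str]]          # username -> groups the user belongs to
    # Managed Tenant side (Step 3): OT tenant id -> MT groups that OT may map into.
    allowed_tenants: dict[str, set[str]] = field(default_factory=dict)
    # Operating Tenant side (Step 6): MT tenant id -> {OT group: MT group}.
    access_mappings: dict[str, dict[str, str]] = field(default_factory=dict)


def add_allowed_tenant(mt: Tenant, ot_tenant_id: str, allowed_groups: set[str]) -> None:
    """Step 3, run in the Managed Tenant: record which Operating Tenant may connect
    and which Managed Tenant groups its users are allowed to assume."""
    unknown = set(allowed_groups) - set(mt.groups)
    if unknown:
        raise ValueError(f"groups not defined in {mt.tenant_id}: {sorted(unknown)}")
    mt.allowed_tenants[ot_tenant_id] = set(allowed_groups)


def add_access_mapping(ot: Tenant, mt_tenant_id: str, group_mapping: dict[str, str]) -> None:
    """Step 6, run in the Operating Tenant: map local groups to remote MT groups.
    The OT cannot see the MT's allowed list, so only local group names are checked here."""
    unknown = set(group_mapping) - set(ot.groups)
    if unknown:
        raise ValueError(f"groups not defined in {ot.tenant_id}: {sorted(unknown)}")
    ot.access_mappings[mt_tenant_id] = dict(group_mapping)


def delegation_status(mt: Tenant, ot: Tenant) -> str:
    """Step 7: Pending while either half is missing; Active only when the mapping
    targets nothing but groups the Managed Tenant listed as allowed."""
    allowed = mt.allowed_tenants.get(ot.tenant_id)
    mapping = ot.access_mappings.get(mt.tenant_id)
    if allowed is None or mapping is None:
        return PENDING
    if set(mapping.values()) - allowed:
        return REJECTED  # the OT asked for a group the MT never offered
    return ACTIVE


def effective_permissions(mt: Tenant, ot: Tenant, username: str) -> frozenset:
    """What an OT user can do inside the MT: the union of the permissions of the MT
    groups its OT groups map to. OT-side permissions never carry over."""
    if delegation_status(mt, ot) != ACTIVE:
        return frozenset()
    mapping = ot.access_mappings[mt.tenant_id]
    perms: set[str] = set()
    for ot_group in ot.members.get(username, set()):
        if ot_group in mapping:
            perms |= mt.groups[mapping[ot_group]]
    return frozenset(perms)


def build_example() -> tuple[Tenant, Tenant]:
    """Constructed sample tenants using the group names from this guide."""
    mt = Tenant(
        "customer-tenant",
        groups={
            "managed-admin": frozenset({"read", "write"}),
            "managed-monitor": frozenset({"read"}),
            "billing": frozenset({"read", "write", "billing"}),  # never offered to the OT
        },
        members={},
    )
    ot = Tenant(
        "consultant-tenant",
        # Permissions here apply only inside the OT; they do not follow users into the MT.
        groups={"admin": frozenset({"read", "write", "billing"}), "monitor": frozenset({"read"})},
        members={"alice": {"admin"}, "bob": {"monitor"}, "carol": set()},
    )
    return mt, ot


if __name__ == "__main__":
    mt, ot = build_example()
    print(delegation_status(mt, ot))  # Pending: nothing configured yet
    add_allowed_tenant(mt, "consultant-tenant", {"managed-admin", "managed-monitor"})
    print(delegation_status(mt, ot))  # Pending: OT half still missing
    add_access_mapping(ot, "customer-tenant", {"admin": "managed-admin", "monitor": "managed-monitor"})
    print(delegation_status(mt, ot), sorted(effective_permissions(mt, ot, "alice")))  # Active ['read', 'write']
    add_access_mapping(ot, "customer-tenant", {"admin": "billing"})  # overreach attempt
    print(delegation_status(mt, ot))  # Rejected
```

Run it directly to see the walk-through. The check in delegation_status is the one an Admin in the Managed Tenant performs by hand at Step 7 before activating a request: compare the groups the Operating Tenant mapped into against the Allowed Groups you listed in Step 3, and refuse anything outside that list.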
Step 8: View Managed Tenants from the Operating Tenant.
- Open the Operating Tenant in F5 Distributed Cloud Console > select the Delegated Access box.
- Select Tenants > select Overview.
- Managed Tenants available for access from the Operating Tenant will be shown.
Step 9: Access Managed Tenants from the Operating Tenant.
- In the Delegated Access box > select Tenants.
- Select Overview > select the Visit Tenant link.
- The tenant opens in the F5 Distributed Cloud Console homepage, with you acting as the Operating Tenant of the Managed Tenant.
Note: A blue banner at the top of the Managed Tenant window shows Managed Tenant: OT Tenant Name > MT Tenant Name. Use it to confirm which tenant you are acting in before making changes.