Delegated Access

Published April 5, 2023 | Last modified March 20, 2025

Objective

This guide provides instructions on how to enable Delegated Access in F5 Distributed Cloud Console. To learn more about users, see Users.

Delegated Access provides the ability for one tenant to grant access and permissions to users from another tenant. Delegated Access can be leveraged to provide a third party with access to your tenant in order to manage your services and configurations.

A common scenario for Delegated Access is when a consultant, or system integrator is providing expertise, advice, and service management to a client. The consultant is responsible for ensuring that various services within F5 Console work seamlessly and efficiently. This often involves configuring and maintaining product configuration, as well as providing ongoing support and guidance to the client.

In this scenario, the consultant needs access to the client's tenant in order to monitor and edit service configuration. The client grants the consultant's users access to the client tenant, and the consultant's users access the client's tenant and assume the permissions granted by the client.

The instructions in this document will demonstrate how one tenant can grant access to a different tenant via Delegated Access in F5 Distributed Cloud Console.

Delegated Access Overview

Delegated Access is a feature in the F5 Distributed Cloud platform that allows you to grant access and permissions to users from another tenant. Delegated access is offered as a private preview, and you will need to raise a request to enable it. To know more, reach out via delegated-access@cloud.f5.com, and F5 Distributed Cloud Services will get in touch with you

Delegated Access involves two tenants: Managed Tenant (MT), grants access, and Operating Tenant (OT), receives access.

Managed Tenant (MT): A tenant that grants access and is being managed, typically owned by an end customer, where the customer's resources and applications reside. This tenant is owned by the end customer and is where the customer's resources and applications reside.

Note: The Managed Tenant is the tenant being managed, and owned by the end customer who is buying F5 services.

Operating Tenant (OT): A tenant that receives access and is typically owned by a consultant or system integrator. This tenant is operated by the consultant or system integrator and receives access from Managed Tenant.

Note: Operating Tenant that is typically owned by a consultant or system integrator is granted access by the Managed Tenant, and the Operating Tenants users are able to perform actions within the Managed Tenant.

Allowed Tenant: An Operating Tenant that has been granted access to a Managed Tenant, and can perform actions within and by the Managed Tenant.

Access Mapping: Access Mapping is a feature in Tenant Access that allows for the assignment of permissions from a local group in the Operating Tenant to a remote group in the Managed Tenant. This grants Operating Tenant users access to the Managed Tenant and dictates the level of permissions they have within it. When an Operating Tenant user accesses the Managed Tenant, they assume the roles and permissions of the mapped group.

Prerequisites

F5 Distributed Cloud Account is required.

Note: In case you do not have an account, see Create an Account.

Setup Delegated Access

The Operating Tenant and Managed Tenant configurations need to be completed in each tenant for Delegated Access functionality to operate properly. The Operating Tenant or Managed Tenant can start the process. In this document you will start with setting up the Operating Tenant first.

Steps to enable Delegated Access:

Step 1: Open F5 Distributed Cloud Console, enable Operating Delegated Tenant Access.

Enable Delegated Access for the Operating Tenant.

Open F5 Distributed Cloud Console > select Delegated Access box.

Figure: Homepage

Note: Homepage is role based, and your homepage may look different due to your role customization. Select All Services drop-down menu to display all options. Customize Settings: Administration > Personal Management > My Account > Edit work domain & skills button > Advanced box > check Work Domain boxes > Save changes button.

Email delegated-access@cloud.f5.com to request add-on service to be enabled.

Note: Delegated Access is an add-on service, and not enabled without email request.

Figure: Delegated Access

Note: If options are not showing available, select Show link in Advanced nav options visible in bottom left corner. If needed, select Hide to minimize options from Advanced nav options mode.

Step 1.2: Create Groups in Managed Tenant.

Open Managed Tenant (MT) in F5 Distributed Cloud Console > select Administration box.

Note: The Managed Tenant is the tenant that you want the Operating Tenant to access and operate.

Select IAM tab > select Groups.
Select + Add Group button.

Figure: Add Group

Note: F5 recommends starting with a monitor and an admin group, but these can be customized.

Create managed-admin group.
Create managed-monitor group.
Add users to appropriate groups.
Confirm users are in groups.

Note: Setup for Tenant Access in Operating Tenant, start with monitor and admin group. Setup for Tenant Access in Managed Tenant, groups have specific permissions and limitations that allow Operating Tenant users to perform actions within the Managed Tenant. For example, the monitor group may be granted read-only permissions, while the admin group may be granted read and write permission.

Figure: Add Group

Note: Refer to Users document on how to Create User Groups and Add Users.

Step 1.3: Create Groups and Users in Operating Tenant.

Open Operating Tenant (OT) in F5 Distributed Cloud Console > select Administration box.
Select IAM tab > select Users.
Select + Add User button.
Add Users.

Note: Refer to Users document on how to Create User Groups and Add Users

Figure: Add Groups

Select Groups in IAM tab.

Note: F5 recommends starting with a monitor and an admin group, but these can be customized.

Add admin group.
Add monitor group.
Confirm users are in groups.

Note: Setup for Tenant Access in Operating Tenant, start with monitor and admin group. Setup for Tenant Access in Managed Tenant, groups have specific permissions and limitations that allow Operating Tenant users to perform actions within the Managed Tenant. For example, the monitor group may be granted read-only permissions, while the admin group may be granted read and write permission.

Figure: Add Group

Note: Open group with down arrow, and users will show in JSON username.

Step 2: Delegate Access from Managed Tenant.

Open Managed Tenant (MT) in F5 Distributed Cloud Console > select Administration box.

Note: Managed Tenant is the tenant that grants access to Operating Tenant users.

Select IAM tab > select Tenant Access.
Select + Add Allowed Tenant button.

Note: User role Admin is required for adding and editing Delegated Tenant access options.

Figure: Add Allowed Tenant

Step 3: Add Operating Tenant as an Allowed Tenant for Delegated Access.

Delegate Access to Managed Tenant by adding Operating Tenant as an Allowed Tenant.

Enter Name.
Add labels or Description as necessary.
Enter Allowed Tenant ID.

Note: User needs to enter tenant ID for operating tenant.

In Allowed Groups > select + Add Item button.
Add allowed groups for access in drop-down menu.

Note: Select groups you configured in the operating tenant.

Figure: Allowed Groups

Select Save and Exit button.
Status will show as pending (yellow) until Active (green).

Note: Status will be pending until operating tenant completes form.

Step 4: Add Access Mapping for Operating Tenant.

Enable Tenant access for Operating Tenant (OT), the operator needing access.

Open Operating Tenant (OT) in F5 Distributed Cloud Console > select Delegated Access box.

Select Manage, select Access Mapping.

Note: Delegated Access is an add-on service, and not enabled without email request.

Select Add Access Mapping button.

Figure: Add Access Mapping

Step 5: Setup Access Mapping.

Enter Name.
Add labels or Description as necessary.

Note: Name: Tenant (Access Mapping Configuration) that you want to manage.

Select Managed Tenant Type drop-down menu.
- Select Existing Tenant.
Note: You cannot create a new tenant, but can access existing tenants.
Select Managed Tenant ID drop-down menu to select tenant from service API list.

Figure: Access Mapping

Step 6: Add Group Mapping.

Operating Tenant Groups: admin and monitor.

Managed Tenant Groups: managed-admin and managed-monitor.

In Group Mapping > select + Add Item button.

Figure: Group Mapping

Note: Users added to each group in Operating Tenant will be able to access managed tenant group and assume roles and permissions available to Managed Tenant.

In Group drop-down menu, select one of your groups from the Operating Tenant.
Managed Tenant Group drop-down menu options:
- managed-admin
- managed-monitor
Note: Communicate tenant and group names to managed tenant owner, so they can be activated.
Select Apply button.
Select Save and Exit button.

Figure: Group Mapping

Step 7: Confirm Access.

Status will show as Pending (yellow) until Active (green).

Note: Status will be pending until an Admin in the Managed Tenant activates request.

Step 8: View Managed Tenants from Operating Tenant.

Open Operating Tenant in F5 Distributed Cloud Console > select Delegated Access box.

Select Tenants > select Overview.
Managed tenants available for access from operating tenant will show.

Step 9: Access Managed Tenants from Operating Tenant.

In Delgated Access box > select Tenants.
Select Overview > select Visit Tenant link.

Figure: Verify Delegated Tenant Access

Delegated tenant access opens in F5 Distributed Cloud Console homepage screen as operating tenant of managed tenant.

Note: Blue banner will show on top of window of the Managed Tenant Managed Tenant: OT Tenant Name > MT Tenant Name.

Delegated Access

Objective

Delegated Access Overview

Prerequisites

Setup Delegated Access

Concepts

On this page: