Roles

Objective

This guide provides information on F5® Distributed Cloud Services Role-based Access Control (RBAC) and instructions on how to manage it. RBAC is used to define and enforce user capabilities while using the platform.


Roles and Privileges

A role is a collection of allowed API groups. One or more roles can be assigned to a user in a given namespace; the user's effective privileges are the union of the API groups allowed by each assigned role. A tenant has three kinds of namespaces: system, shared, and application namespaces. Roles in the system and shared namespaces must be assigned explicitly. For application namespaces, you can assign roles to a specific namespace (for example, the default namespace) or to all application namespaces at once, by choosing the All application namespaces option in F5 Distributed Cloud Console or by using * as the namespace value in the API request payload.

Every user has one or more roles assigned, and each role maps to a set of privileges. The privileges define which actions the user is allowed to perform. In F5® Distributed Cloud Console, privileges are identified by API groups; an API group defines which actions (APIs) are allowed under it.

The RBAC consists of the following types of roles:

  1. Default Roles

The default roles are predefined in the system and cannot be changed or customized. You can use these roles to control the privileges or abilities of users. The following table lists the default roles and the associated privileges:

Note: The Category column lists the API groups; the remaining column names are the default role names. The values in the columns are the allowed privileges.

Category Default-role Admin Network-admin Developer Monitor Power-Developer infra-admin Billing Uam-admin Develop-monitor voltshare-admin sec-ops Tasks
UAM-read Allow Allow Allow Allow Allow
UAM-write Allow Allow
UAM-admin-read Allow Allow
UAM-admin-write Allow Allow
infrastructure-read Allow Allow Allow Allow Allow
infrastructure-write Allow Allow
proxy-read Allow Allow Allow Allow Allow Allow
proxy-write Allow Allow Allow
general-read Allow Allow Allow Allow Allow
general-write Allow Allow Allow
Proxy-Monitor-read Allow Allow Allow Allow Allow
Proxy-Monitor-write Allow Allow
Network-read Allow Allow Allow Allow Allow
Network-write Allow Allow
Internal-read Allow Allow Allow Allow
Internal-write Allow
Proxy-security-read Allow Allow Allow Allow Allow
Proxy-security-write Allow Allow
Infra-monitor-read Allow Allow Allow Allow
Infra-monitor-write Allow
Labels-read Allow Allow Allow Allow Allow Allow
Labels-write Allow Allow Allow
Secrets-read Allow Allow Allow Allow Allow Allow
Secrets-write Allow Allow Allow
volt-share-read Allow Allow Allow Allow Allow
volt-share-write Allow Allow
Monitor-read Allow Allow Allow Allow Allow Allow
Monitor-write Allow Allow Allow
IaaS/CaaS-read Allow Allow Allow Allow Allow Allow
IaaS/CaaS-write Allow Allow
Virtual_sites-read Allow Allow Allow Allow Allow Allow
Virtual_sites-write Allow Allow Allow
Proxy-WAF-read Allow Allow Allow Allow Allow Allow
Proxy-WAF-write Allow Allow Allow
Billing-read Allow Allow Allow Allow Allow
Billing-write Allow Allow
Support-read Allow Allow Allow Allow
Support-write Allow Allow
ves-io-k8s-read Allow Allow Allow
ves-io-k8s-write Allow
ves-io-local-k8s-write Allow Allow Allow Allow
stored-object-read Allow Allow Allow Allow Allow
stored-object-write Allow Allow Allow
web-access Allow Allow Allow(CRUD) Allow Allow Allow Allow Allow Allow Allow

Note: A role granting the admin functions is needed to add additional users.

(CRUD) = Create, read, update, and delete.

(R) = Read access. CRUD = Read and write access in the Console for the user.

This table classifies privileges in terms of the Create, Read, Update, and Delete (CRUD) operations. For example, the entry Allow for the API groups ves-io-uam-read and ves-io-uam-write against the Admin role means that all CRUD operations on those API groups are allowed for the Admin role. Each role name in F5® Distributed Cloud Console is prefixed with the string ves-io and suffixed with the string role. For example, the default role is identified by the name ves-io-default-role.

Power-Developer combines the Developer and Monitor access.

Note: Roles prefixed with ves-io are the default, built-in roles that come with a tenant and are ready to use when the user sets up the Console.

  2. Custom Roles

You can create roles and customize them by assigning one or more API groups. These roles can be assigned to users, and can also be updated or removed as needed.

Note: A user is required to have at least one of the ves-io-monitor-role, ves-io-power-developer-role, ves-io-admin-role roles for a namespace to appear in the namespace dropdown in the F5® Distributed Cloud Console.
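The resolution chain described in this section (user → roles per namespace → API groups → APIs), together with the * wildcard for application namespaces and the drop-down rule in the note above, as an added worked example. This is not F5's code: the roles, API groups and API element names are constructed sample data that only follow the page's naming convention.

```python
"""Constructed model of the RBAC resolution chain described on this page:
user -> roles (per namespace) -> API groups -> API elements.

Role, API-group and API names below are constructed sample data following the
page's naming convention (ves-io-<name>-role, ves-io-<group>-read/-write);
they are not the platform's real definitions.
"""
from dataclasses import dataclass, field

SYSTEM_NS = "system"
SHARED_NS = "shared"
ALL_APP_NS = "*"   # API payload value for "All application namespaces"

# Constructed: application namespaces that exist in this sample tenant.
APP_NAMESPACES = {"default", "payments"}

# Constructed: API group -> elements (the `elements` field shown in Console).
# The element names are placeholders, not real platform API identifiers.
API_GROUPS = {
    "ves-io-infra-monitor-read": {"sites.list", "sites.get"},
    "ves-io-infra-monitor-write": {"sites.create", "sites.delete"},
    "ves-io-monitor-read": {"http-loadbalancers.list", "http-loadbalancers.get"},
    "ves-io-uam-read": {"users.list"},
    "ves-io-uam-write": {"users.create"},
}

# Constructed: role -> API groups (a role is a collection of allowed API groups).
ROLES = {
    "ves-io-monitor-role": {"ves-io-monitor-read", "ves-io-infra-monitor-read"},
    "ves-io-admin-role": set(API_GROUPS),
    # The custom role created later in this guide.
    "infrawatcher": {"ves-io-infra-monitor-read", "ves-io-infra-monitor-write"},
    "ves-io-uam-admin-role": {"ves-io-uam-read", "ves-io-uam-write"},
}

# Roles that make a namespace appear in the Console namespace drop-down
# (the rule stated in the note under Custom Roles).
DROPDOWN_ROLES = {"ves-io-monitor-role", "ves-io-power-developer-role", "ves-io-admin-role"}


@dataclass
class User:
    name: str
    # namespace -> roles assigned there. "*" targets every application
    # namespace; system and shared must be assigned explicitly.
    assignments: dict = field(default_factory=dict)


def roles_in_namespace(user: User, namespace: str) -> set:
    """Roles that apply to `user` in `namespace`, expanding the '*' wildcard."""
    roles = set(user.assignments.get(namespace, ()))
    if namespace in APP_NAMESPACES:          # '*' never reaches system or shared
        roles |= set(user.assignments.get(ALL_APP_NS, ()))
    return roles


def effective_api_groups(user: User, namespace: str) -> set:
    """Union of the API groups of every role assigned in the namespace."""
    groups = set()
    for role in roles_in_namespace(user, namespace):
        groups |= ROLES.get(role, set())
    return groups


def can_call(user: User, namespace: str, api: str) -> bool:
    """True if some API group the user holds in the namespace contains `api`."""
    return any(api in API_GROUPS.get(g, ()) for g in effective_api_groups(user, namespace))


def dropdown_namespaces(user: User) -> set:
    """Namespaces that would show in the Console drop-down for this user."""
    candidates = {SYSTEM_NS, SHARED_NS} | APP_NAMESPACES
    return {ns for ns in candidates if roles_in_namespace(user, ns) & DROPDOWN_ROLES}


# Constructed sample user: monitor in system, infrawatcher in all application
# namespaces, UAM admin only in "default", nothing in shared.
alice = User("alice", {
    SYSTEM_NS: {"ves-io-monitor-role"},
    ALL_APP_NS: {"infrawatcher"},
    "default": {"ves-io-uam-admin-role"},
})

if __name__ == "__main__":
    for ns in (SYSTEM_NS, SHARED_NS, "default", "payments"):
        print(ns, sorted(effective_api_groups(alice, ns)))
    print("can create sites in payments:", can_call(alice, "payments", "sites.create"))
    print("can create sites in system:", can_call(alice, SYSTEM_NS, "sites.create"))
    print("drop-down shows:", sorted(dropdown_namespaces(alice)))
```

Running it shows the two points worth checking when reviewing an assignment: the * wildcard grants infrawatcher in every application namespace but never in system or shared, and a user who holds only infrawatcher and ves-io-uam-admin-role in an application namespace still does not see that namespace in the drop-down, because none of those roles is in the drop-down list.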


Prerequisites

A valid Account is required.


View RBAC Policy Rules and API Groups

You can view the predefined RBAC policy rules and information on the various API groups in the F5® Distributed Cloud Console.

Features can be viewed and managed in multiple services.

This example shows Roles setup in Administration.

Step 1: Log into F5 Distributed Cloud Console and view the built-in policies.
  • Open the F5® Distributed Cloud Console homepage and select the Administration box.

Note: The homepage is role based, so your homepage may look different depending on your role customization. Select the All Services drop-down menu to discover all options. To customize settings: Administration > Personal Management > My Account > Edit work domain & skills button > Advanced box > check the Work Domain boxes > Save changes button.

Figure: Homepage

Note: Confirm that the Namespace selector (a drop-down in the upper-left corner) is set to the correct namespace. It is not available in all services.

  • Select IAM in the left column menu > select Roles.

Note: If the options are not shown, select the Show link under Advanced nav options in the bottom left corner. If needed, select Hide to collapse the Advanced nav options.

Figure: Open Roles

Note: Roles prefixed with ves-io are the default, built-in roles that come with a tenant and are ready to use when the user sets up the Console.

  • Select > for any policy in the displayed list to view the policy information in JSON format.

Figure: In-built RBAC Policy Rules

Note: The api_groups field in the displayed information shows the API groups associated with the rule.

Step 2: View API groups.
  • Select ..., or the linked number under the API Groups column, to view or edit.

  • Select > for any group in the displayed list to view the group information in JSON format.

Figure: API Group Information

Note: The elements field in the displayed information shows the APIs associated with the group.

Step 3: View the APIs associated with an API group.

Select the linked number in the Elements column against any entry in the list to view its APIs in another window.

Figure: API Group List

Figure: API Group Elements

Note: Roles are assigned per namespace. The shared namespace applies to all services except the system and application namespaces. The system and application namespaces are restricted because they are management namespaces for development, SecOps, and so on, and not everyone needs or is allowed to access these areas of the Console.


Create a Role

Perform the following to create a role, and assign API groups to it:

Step 1: Navigate to the role configuration and open the role creation form.
  • Select the Administration box on the F5 Distributed Cloud Console homepage.

  • Select IAM in the left column menu > select Roles > + Create role.

Figure: Navigate to Roles

Step 2: Select API groups for the role.
  • Enter a name in the Role box in the pop-up window.

Note: When naming your custom role, follow the RFC 1035 naming convention: you can use the lower-case alphabetical characters a-z, the hyphen (-), and the numerical characters 0-9. The first two characters MUST be lower-case a-z alphabetical characters. Example: aa-role2-k8s
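A validator for the naming rule above, useful before creating roles through the API rather than the Console, as an added example that is not F5's code. The character rule (a-z, 0-9, hyphen, first two characters lower-case letters) is the one this guide states; the 63-character maximum and the no-trailing-hyphen rule are taken from the RFC 1035 label definition the guide refers to, not from this page.

```python
import re

# Rule stated on this page: lower-case a-z, 0-9 and "-", with the first two
# characters lower-case letters.
ROLE_NAME_RE = re.compile(r"^[a-z]{2}[a-z0-9-]*$")
# Assumption from RFC 1035 itself (not stated on this page): a label is at
# most 63 characters and does not end with a hyphen.
MAX_LABEL_LEN = 63


def role_name_problems(name: str) -> list:
    """Return the reasons `name` is not an acceptable role name (empty = valid)."""
    if not name:
        return ["name is empty"]
    problems = []
    if len(name) > MAX_LABEL_LEN:
        problems.append(f"longer than {MAX_LABEL_LEN} characters")
    if not ROLE_NAME_RE.fullmatch(name):
        # Break the regex failure down into the specific rule that was broken.
        if name != name.lower():
            problems.append("contains upper-case characters")
        if not re.fullmatch(r"[a-z0-9-]*", name.lower()):
            problems.append("contains characters other than a-z, 0-9 and '-'")
        if not re.fullmatch(r"[a-z]{2}.*", name):
            problems.append("first two characters must be lower-case letters")
    if name.endswith("-"):
        problems.append("ends with '-'")
    return problems


def is_valid_role_name(name: str) -> bool:
    return not role_name_problems(name)


if __name__ == "__main__":
    # Constructed sample names: the page's own example plus common mistakes.
    for candidate in ("aa-role2-k8s", "infrawatcher", "Aa-role2", "a1role", "aa_role", "aa-role-"):
        print(f"{candidate!r}: {role_name_problems(candidate) or 'ok'}")
```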

  • Select Allowed API Groups.

Note: Roles are assigned per namespace. The shared namespace applies to all services except the system and application namespaces. The system and application namespaces are restricted because they are management namespaces for development, SecOps, and so on, and not everyone needs or is allowed to access these areas of the Console.

  • Select the Allowed API Groups by checking their boxes.

Note: Objects added to a namespace after a role is created are not automatically covered by that role; you have to add the access manually.

  • Select Save to add the API groups to the role.

This example creates a custom role infrawatcher with the ves-io-infra-monitor-read and ves-io-infra-monitor-write groups.

Figure: API Group Selection

Note: Select the value under the Elements column to view the list of APIs that are part of the associated group.

Step 3: Assign additional roles.

Select Save to create the role.

Figure: Role Configuration and Creation

Step 4: Add additional role access.

Note: Objects added to a namespace are not automatically covered by existing roles; you have to add the access manually.

  • Go to Administration > IAM > Roles.

  • Select the role you want to edit.

  • Select ... > select the Edit pop-up window option.

  • Select the + Allowed API Groups button.

  • Check the boxes of the Name, Namespace, and Elements rows you want to add access to for the open role.

Note: Roles are assigned per namespace. The shared namespace applies to all services except the system and application namespaces. The system and application namespaces are restricted because they are management namespaces for development, SecOps, and so on, and not everyone needs or is allowed to access these areas of the Console.

  • Select > to see more options on the next pages.

  • Select the Save button to update the role access.


Create Tenant-Level RBAC Policies

F5 Distributed Cloud Services provides the ability to control Console access through RBAC policies. Tenants can raise a service request and provide a list of RBAC policies to apply to platform access.

RBAC policy rules are the same as service policy rules. For example, a tenant can request to enable a rule that allows or denies access based on parameters such as source IP address, ASN, country, and so on. See Service Policy API for more information.

When a tenant-level RBAC policy is enabled, it takes priority over any user-defined and shared RBAC policies.

See Raise Support Request for instructions on how to raise support requests.


Concepts