Roles
On This Page:
Objective
This guide provides information on F5® Distributed Cloud Services Role-based Access Control (RBAC) and instructions on how to manage it. RBAC is used to define and enforce user capabilities while using the platform.
Roles and Privileges
A role is a collection of allowed API groups. One or more roles can be assigned to a user in a given namespace. The overall effect will be the sum total of all allowed API groups from each assigned role. In a tenant, there are three kinds of namespaces - system, shared, and application namespaces. Role assignments require explicit assignment of roles in the system and shared namespaces. For application namespaces, the user can choose to assign roles specifically to a namespace, for example, default namespace, or target assigning roles to all application namespaces by choosing the option All application namespaces when assigning via F5 Distributed Cloud Console or use * as namespace value in API request payload.
Every user has one or more roles assigned, and these roles are mapped to certain set of privileges. The privileges define what actions the user is allowed to perform. The privileges are identified by the API groups in F5® Distributed Cloud Console, and an API group defines which all actions (APIs) are allowed under it.
The RBAC consists of the following types of roles:
- Default Roles
The default roles are predefined in the system and cannot be changed or customized. You can use these roles in controlling the privileges or abilities of users. The following table lists out default roles and the associated privileges:
Note: The column name
Categoryindicates API groups and rest of the column names are the default role names. Values presented in the columns are the allowed privileges.
| Category | Default-role | Admin | Network-admin | Developer | Monitor | Power-Developer | infra-admin | Billing | Uam-admin | Develop-monitor | voltshare-admin | sec-ops | Tasks |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| UAM-read | Allow | Allow | Allow | Allow | Allow | ||||||||
| UAM-write | Allow | Allow | |||||||||||
| UAM-admin-read | Allow | Allow | |||||||||||
| UAM-admin-write | Allow | Allow | |||||||||||
| infrastructure-read | Allow | Allow | Allow | Allow | Allow | ||||||||
| infrastructure-write | Allow | Allow | |||||||||||
| proxy-read | Allow | Allow | Allow | Allow | Allow | Allow | |||||||
| proxy-write | Allow | Allow | Allow | ||||||||||
| general-read | Allow | Allow | Allow | Allow | Allow | ||||||||
| general-write | Allow | Allow | Allow | ||||||||||
| Proxy-Monitor-read | Allow | Allow | Allow | Allow | Allow | ||||||||
| Proxy-Monitor-write | Allow | Allow | |||||||||||
| Network-read | Allow | Allow | Allow | Allow | Allow | ||||||||
| Network-write | Allow | Allow | |||||||||||
| Internal-read | Allow | Allow | Allow | Allow | |||||||||
| Internal-write | Allow | ||||||||||||
| Proxy-security-read | Allow | Allow | Allow | Allow | Allow | ||||||||
| Proxy-security-write | Allow | Allow | |||||||||||
| Infra-monitor-read | Allow | Allow | Allow | Allow | |||||||||
| Infra-monitor-write | Allow | ||||||||||||
| Labels-read | Allow | Allow | Allow | Allow | Allow | Allow | |||||||
| Labels-write | Allow | Allow | Allow | ||||||||||
| Secrets-read | Allow | Allow | Allow | Allow | Allow | Allow | |||||||
| Secrets-write | Allow | Allow | Allow | ||||||||||
| volt-share-read | Allow | Allow | Allow | Allow | Allow | ||||||||
| volt-share-write | Allow | Allow | |||||||||||
| Monitor-read | Allow | Allow | Allow | Allow | Allow | Allow | |||||||
| Monitor-write | Allow | Allow | Allow | ||||||||||
| IaaS/CaaS-read | Allow | Allow | Allow | Allow | Allow | Allow | |||||||
| IaaS/CaaS-write | Allow | Allow | |||||||||||
| Virtual_sites-read | Allow | Allow | Allow | Allow | Allow | Allow | |||||||
| Virtual_sites-write | Allow | Allow | Allow | ||||||||||
| Proxy-WAF-read | Allow | Allow | Allow | Allow | Allow | Allow | |||||||
| Proxy-WAF-write | Allow | Allow | Allow | ||||||||||
| Billing-read | Allow | Allow | Allow | Allow | Allow | ||||||||
| Billing-write | Allow | Allow | |||||||||||
| Support-read | Allow | Allow | Allow | Allow | |||||||||
| Support-write | Allow | Allow | |||||||||||
| ves-io-k8s-read | Allow | Allow | Allow | ||||||||||
| ves-io-k8s-write | Allow | ||||||||||||
| ves-io-local-k8s-write | Allow | Allow | Allow | Allow | |||||||||
| stored-object-read | Allow | Allow | Allow | Allow | Allow | ||||||||
| stored-object-write | Allow | Allow | Allow | ||||||||||
| web-access | Allow | Allow | Allow(CRUD) | Allow | Allow | Allow | Allow | Allow | Allow | Allow |
Note: Role is needed to enable the admin functions to add additional users.
(CRUD) Create, read, update, and delete.
(R)= Read access CRUD= Read and Write access in console for user.
This table classifies privileges in terms of the Create, Read, Update, and Delete (CRUD) operations. For example, entry Allow for the API groups ves-io-uam-read and ves-io-uam-write against the Admin role means that all CRUD operations are allowed on the API group for the admin role. Each role name in F5® Distributed Cloud Console is prefixed with ves-io string and suffixed with role string. For example, the default role is identified by the ves-io-default-role name.
Power-Developer, is developer plus monitor access combined.
Note: ves-io, is default, built in roles that come with tenant in tenants ready to use when user sets up console.
- Custom Roles
You can create roles and customize them by assigning one or more API groups. These roles can be assigned to users, and can also be updated or removed as needed.
Note: A user is required to have at least one of the
ves-io-monitor-role,ves-io-power-developer-role,ves-io-admin-roleroles for a namespace to appear in the namespace dropdown in the F5® Distributed Cloud Console.
Prerequisites
A valid Account is required.
- Note: If you do not have an account, visit Create an Account.
View RBAC Policy Rules and API Groups
You can view the predefined RBAC policy rules, and the various API groups information in the F5® Distributed Cloud Console.
Features can be viewed, and managed in multiple services.
This example shows Roles setup in Administration.
Step 1: Log into F5 Distributed Cloud Console, view in-built policies.
- Open
F5® Distributed Cloud Consolehomepage, selectAdministrationbox.
Note: Homepage is role based, and your homepage may look different due to your role customization. Select
All Servicesdrop-down menu to discover all options. Customize Settings:Administration>Personal Management>My Account>Edit work domain & skillsbutton >Advancedbox > checkWork Domainboxes >Save changesbutton.
Note: Confirm
Namespacefeature is in correct namespace, drop-down selector located in upper-left corner. Not available in all services.
- Select
IAMin left column menu > selectRoles.
Note: If options are not showing available, select
Showlink inAdvanced nav options visiblein bottom left corner. If needed, selectHideto minimize options from Advanced nav options mode.
Note: ves-io, is default, built in roles that come with tenant in tenants ready to use when user sets up console.
- Select
>for any policy from the displayed list to view the policy information in JSON format.
Note: The
api_groupsfield in the displayed information shows the API groups associated with the rule.
Step 2: View API groups.
-
Select
..., or the linked number underAPI Groupscolumn to view or edit. -
Select
>for any group from the displayed list to view the group information in JSON format.
Note: The
elementsfield in the displayed information shows the APIs associated with the group.
Step 3: View the APIs associated with an API group.
Select linked number in Elements column against any API displayed in the list to view the APIs in another window.
Note: Roles are assigned to namespace, Shared applies to all services except system and application. System and application are restricted as they are management namespaces for development, SeCops, etc. and not everyone needs or is allowed to access these areas of the console
Create a Role
Perform the following to create a role, and assign API groups to it:
Step 1: Navigate to role configuration, open role creation form.
-
Select
Administrationbox in F5 Distributed Cloud Console homepage. -
Select
IAMin left column menu > selectRoles>+ Create role.
Step 2: Select API groups for the role.
- Enter
nameinRolebox in pop-up window.
Note: Naming your custom role, use the
RFC 1035naming protocol, you can use a-z alphabetical characters, - , and 0-9 numerical characters. The first two characters MUST be lower-case a-z alphabetical characters. Example: aa-role2-k8s
- Select
Allowed API Groups.
Note: Roles are assigned to namespace, Shared applies to all services except system and application. System and application are restricted as they are management namespaces for development, SeCops, etc. and not everyone needs or is allowed to access these areas of the console
- Select
Allowed API Groupsby checking box.
Note: Anytime you add objects to a namespace after creating a role it doesn't automatically give role access, you have to add manually.
- Select
Saveto add the API groups to the role.
This example creates a custom role infrawatcher with the ves-io-infra-monitor-read and ves-io-infra-monitor-write groups.
Note: Select the value under the
Elementscolumn to view the list of APIs that are part of the associated group.
Step 3: Assign additional roles.
Select Save to create the role.
Step 4: Add additional role access.
Note: Anytime you add objects to a namespace it doesn't automatically give role access, you have to add manually.
-
In
Administration>IAM>Roles. -
Select
Roleyou want to edit. -
Select
...> selectEditpop-up window option. -
Select
+ Allowed API Groupsbutton. -
Check boxes of
Name,Namespace, andElementsrows you want to add access to the open role.
Note: Roles are assigned to namespace, Shared applies to all services except system and application. System and application are restricted as they are management namespaces for development, SeCops, etc. and not everyone needs or is allowed to access these areas of the console
-
Select
>to see more options on next pages. -
Select
Savebutton to update role access.
Create Tenant-Level RBAC Policies
F5 Distributed Cloud Services provides ability to control Console access through RBAC policies. Tenants can raise service request, and provide list of RBAC policies to apply to platform access.
RBAC policy rules are same as service policy rules. For example, tenant can request to enable a rule to allow or deny access based on parameters such as source IP address, ASN, country, etc. See Service Policy API for more information.
When this tenant-level RBAC policy is enabled, it is prioritized over any user-defined and shared RBAC policies.
See Raise Support Request for instructions on how to raise support requests.