A BIG-IP user with an Administrator or User Manager role can assign user roles to other BIG-IP user accounts. Specifically, for each BIG-IP user account, you can assign a specific user role to each administrative partition to which you grant the user access. In this way, you control both the BIG-IP configuration objects that the user can manage and the types of actions the user can perform on those objects.
The Administrator, Resource Administrator and Auditor roles are described in the table below, together with their access levels and shell.
| User Role | Description | Write Access | Read Access | No Access | SHELL |
|---|---|---|---|---|---|
| Administrator | The Administrator user role grants users complete access to all objects on the system. Users with this role cannot have other user roles on the system. | All objects on the system. | All objects on the system. | Not applicable | BASH |
| Resource Administrator | The Resource Administrator role grants a user access to all objects on the system except BIG-IP user accounts. With respect to user accounts, a user with this role can view a list of all user accounts on the system but cannot view or change user account properties except for their own user account. Users with this role cannot have other user roles on the system. | Most objects on the system, including their own password. | Most objects on the system, including the list of user accounts. | Most objects on the system, including the list of user accounts. | BASH |
| Auditor | The Auditor role grants read-only access to all configuration data on the system, except for ARP data, archives, and support tools. Users with this role cannot have other user roles on the system but can change their own user account password. When granted terminal access, a user with this role has access to TMSH, but not the advanced shell. | Their own user account password. | Most objects on the system, in all partitions. | ARP entries, archives, the advanced shell, and support tools. | TMSH |
For a successful scan, the scan account needs the following settings:
Role: auditor
Partition: all-partitions
Shell: tmsh
Create a scan user account with privilege level 3.
Here are the steps:
1) Log in to tmsh by typing the following command:
tmsh
2) To create a new user, use the following command syntax:
create /auth user <user_name> partition-access add { <partition_name> { role <role> } } prompt-for-password shell <shell>
3) Set the scan user's partition, role and shell options as shown below:
create /auth user qualys_scan partition-access add { all-partitions { role auditor } } prompt-for-password shell tmsh
changing password for qualys_scan
new password:
confirm password:
By default, the CLI Preference display-threshold is set to 100, which will trigger the question "Display all [number] items? (y/n)" when more than 100 items are configured.
Required Action:
Configure the CLI preference to disable paging and set display-threshold to 0.
Log in to TMSH using the appropriate user credentials.
Note: There is no built-in option in the BIG-IP F5 tmsh shell to disable the pager on a per-login basis. The "modify cli preference pager" command affects the entire tmsh session and is persistent across commands within that session.
1) modify cli preference pager disabled display-threshold 0
2) save sys config
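As an added example (not part of this page or of Qualys' or F5's own tooling), the following Python checks that a scan account and the CLI preference match the requirements above (auditor role on all-partitions, tmsh shell, pager disabled, display-threshold 0) by parsing `tmsh list` output. The sample outputs are constructed to follow the brace-structured format tmsh uses; the account name `qualys_scan` is the one from the steps above.

```python
# Constructed sample of `tmsh list /auth user qualys_scan` output (assumed format, not a real device capture).
USER_OUTPUT = """auth user qualys_scan {
    description "Qualys PC scan account"
    encrypted-password $6$PLACEHOLDER
    partition Common
    partition-access {
        all-partitions {
            role auditor
        }
    }
    shell tmsh
}
"""
# Constructed sample of `tmsh list /cli preference` output after the required change.
PREF_OUTPUT = """cli preference {
    display-threshold 0
    pager disabled
}
"""

def parse_tmsh(text):
    """Parse tmsh brace-structured `list` output into nested dicts (leaf values are strings)."""
    stack = [{}]                                  # stack[0] is the root block
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        if line == "}":
            stack.pop()                           # close the current block
        elif line.endswith("{"):
            child = {}
            stack[-1][line[:-1].strip()] = child  # open a nested block
            stack.append(child)
        else:
            key, _, value = line.partition(" ")
            stack[-1][key] = value.strip().strip('"')
    return stack[0]

def check_scan_account(user_text, pref_text, user="qualys_scan"):
    """Return deviations from the required scan-account settings; an empty list means compliant."""
    findings = []
    cfg = parse_tmsh(user_text).get(f"auth user {user}", {})
    role = cfg.get("partition-access", {}).get("all-partitions", {}).get("role")
    if role != "auditor":
        findings.append(f"role on all-partitions is {role!r}, expected 'auditor'")
    if cfg.get("shell") != "tmsh":
        findings.append(f"shell is {cfg.get('shell')!r}, expected 'tmsh'")
    pref = parse_tmsh(pref_text).get("cli preference", {})
    if pref.get("pager") != "disabled":
        findings.append("cli preference pager is not disabled")
    if pref.get("display-threshold") != "0":
        findings.append("cli preference display-threshold is not 0")
    return findings
```

Feeding it the real `tmsh list /auth user qualys_scan` and `tmsh list /cli preference` output from a device gives a quick least-privilege check that the scan account was not created with a broader role or the bash shell.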
Target Type ID: F5 BIG-IP with TMOS Shell (PC)