Minimum Privileges for Scan User Account to scan F5OS
F5OS is the operating system used by newer hardware platforms from F5, Inc. It is designed to run and manage F5 application delivery and security services.
In platforms from F5, Inc. running F5OS, the principle of least privilege is implemented through Role-Based Access Control (RBAC). The objective is to grant a user only the permissions required to perform their task, and no more.
Add a user from the CLI
To create users from the Command Line Interface (CLI), refer to the following steps:
- Log in to the system's CLI using an account with administrative access.
  When you log in to the system, you are in user (operational) mode.
- Change to configuration mode.
  config
  The CLI prompt changes to include (config).
- Add a user.
  system aaa authentication users user <user-name> config username <user-name> role <role>
  For example:
  system aaa authentication users user scanuser config username scanuser role operator
  The minimum privilege role, the operator role, has read-only access to every screen and configuration object at the level at which it is working.
- Commit the configuration changes.
  commit
Set password from the CLI
You can set a user's password from the CLI. To do so, refer to the following steps:
- Set the password for the user:
  system aaa authentication users user <user-name> config set-password
  For example:
  system aaa authentication users user scanuser config set-password
  Note: The system prompts you to set a new password for the specified user.
- Commit the configuration changes.
  commit
Configuration Example:
r10900-2(config)# system aaa authentication users user scanuser config username scanuser role operator
r10900-2(config-user-scanuser )# commit
Commit complete.
r10900-2(config-user-scanuser )# config set-password
Value for 'password' (<string>): **************
r10900-2(config-user-scanuser )#
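A practitioner who hands the scan account to an auditor usually wants proof that the account really was created with the read-only operator role and that the change was committed. The following script is an added example written for this article; it is not part of F5OS, F5's documentation, or the scanning product. It parses the user-creation command syntax shown above out of a pasted CLI transcript and reports any deviation from least privilege. The prompt format, the sample transcripts, and the READ_ONLY_ROLES set (which contains only the operator role named in the article) are assumptions made for the example.

```python
import re
from typing import Dict, List

# Regex for the F5OS configuration-mode command shown in the article:
#   system aaa authentication users user <user-name> config username <user-name> role <role>
# An optional prompt prefix such as "r10900-2(config)# " (assumed format) is
# accepted so a pasted session transcript can be checked directly.
USER_CMD = re.compile(
    r"^(?:\S+\(config[^)]*\)#\s*)?"
    r"system\s+aaa\s+authentication\s+users\s+user\s+(?P<user>\S+)"
    r"\s+config\s+username\s+(?P<username>\S+)\s+role\s+(?P<role>\S+)\s*$"
)

# Roles treated as read-only. The article names operator as the minimum
# privilege role; no other role is assumed here.
READ_ONLY_ROLES = {"operator"}

# A commit line, optionally preceded by the same kind of prompt.
COMMIT_LINE = re.compile(r"^\s*(?:\S+\(config[^)]*\)#\s*)?commit\s*$", re.M)


def parse_user_commands(transcript: str) -> Dict[str, str]:
    """Return {user-name: role} for every user-creation command in the transcript.

    Raises ValueError when the 'user' and 'username' fields disagree, since a
    mismatched pair is almost always a copy-paste error in the command.
    """
    roles: Dict[str, str] = {}
    for line in transcript.splitlines():
        m = USER_CMD.match(line.strip())
        if not m:
            continue
        if m["user"] != m["username"]:
            raise ValueError(f"user/username mismatch in line: {line.strip()}")
        roles[m["user"]] = m["role"]
    return roles


def check_scan_account(transcript: str, scan_user: str) -> List[str]:
    """Return a list of findings; an empty list means the scan account is least-privilege."""
    findings: List[str] = []
    roles = parse_user_commands(transcript)
    role = roles.get(scan_user)
    if role is None:
        findings.append(f"{scan_user}: no user-creation command found")
    elif role not in READ_ONLY_ROLES:
        findings.append(f"{scan_user}: role '{role}' is not read-only; expected operator")
    # Uncommitted changes in configuration mode do not take effect.
    if not COMMIT_LINE.search(transcript):
        findings.append("no 'commit' in transcript; changes are not applied")
    return findings


# Constructed sample transcripts (not captured from a real device), modelled
# on the command syntax and prompt shown in the article.
GOOD = """\
r10900-2(config)# system aaa authentication users user scanuser config username scanuser role operator
r10900-2(config-user-scanuser )# commit
Commit complete.
"""

BAD = """\
r10900-2(config)# system aaa authentication users user scanuser config username scanuser role admin
"""

if __name__ == "__main__":
    print(check_scan_account(GOOD, "scanuser"))  # []
    print(check_scan_account(BAD, "scanuser"))   # two findings: wrong role, no commit
```

Run it against the transcript you saved while creating the account; any non-empty finding list means the account should be corrected before the authentication record is created.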
Add users from the webUI
- Log in to the webUI using an account with admin access.
- Select USER MANAGEMENT > Users.
- Select Add.
- For Username, create a name for the user.
- For Set Password, create a valid password according to the local password policy defined in the Auth Settings.
- For Confirm Password, retype the password.
- From the Role list, select the operator role.
  Operator: Provides read access to the system. Has write access to change the password only.
- Select Save and Close.
Authentication Record in Policy Audit
To create a new Unix record with the target type F5OS, refer to the following steps:
- Navigate to Scans > Authentication.
- Select New > Operating Systems > Unix.
  The New Unix Record window is displayed.
- Select Login Credentials.
- Under Target Type, select F5OS.
- Enter the other required details and select Create.
The new Unix authentication record for the target type F5OS is created.
The Operator role has the minimum privilege levels required to perform control scanning.