Bug ID 741109: Application Security Operations Administrator AuthZ role

Last Modified: Jun 13, 2019

Affected Product:
BIG-IP ASM (all modules)

Known Affected Versions:
13.1.0, 13.1.0.1, 13.1.0.2, 13.1.0.3, 13.1.0.4, 13.1.0.5, 13.1.0.6, 13.1.0.7, 13.1.0.8, 13.1.1, 13.1.1.1, 13.1.1.2, 13.1.1.3, 13.1.1.4, 13.1.1.5, 14.0.0, 14.0.0.1, 14.0.0.2, 14.0.0.3, 14.0.0.4, 14.0.0.5, 14.1.0, 14.1.0.1, 14.1.0.2, 14.1.0.3, 14.1.0.4, 14.1.0.5, 14.1.0.6

Fixed In:
15.0.0

Opened: Aug 20, 2018
Severity: 3-Major

Symptoms

The existing AuthZ roles for Application Security are:
-- Application Security Administrator (aka ASA aka WASA)
-- Application Security Editor (aka ASE aka WASE)

ASA is an administrator role and has significant authority to make device-wide changes. On the other hand, ASE is very limited in capabilities.

Impact

ASOA will not be able to create or delete Virtual Servers or LTM policies in GUI or in tmsh.

Conditions

There is a specific demand for a role which can manipulate virtual server association for ASM, but is not an administrator.

Workaround

You can use the ASA role to perform required tasks.

Fix Information

A new role was added, called Application Security Operations Administrator (aka ASOA), which can associate and disassociate ASM policies and Logging Profiles with Virtual Servers. ASOA will have the same capabilities as ASE. Additionally, on the 'Virtual Server :: Security :: Policies' GUI page, ASOA will be able to:
-- associate ASM policy with virtual server (which will implicitly create an LTM policy for the association).
-- disassociate ASM policy from virtual server (which will implicitly delete the associated L7 policy).
-- associate Logging Profile with virtual server.
-- disassociate Logging Profile from virtual server.
-- associate DoS Profile with virtual server.
-- disassociate DoS Profile from virtual server.
-- associate Bot Profile with virtual server.
-- disassociate Bot Profile from virtual server.

ASOA will also be able to associate and disassociate these policies/profiles from the 'Security :: Overview :: Summary' page. ASOA will have read access to the virtual server list and LTM policy list in both GUI and tmsh. ASOA will also be able to modify the list of LTM policies associated with a virtual server in both GUI and tmsh.

Behavior Change