Bug ID 843305: Users assigned to custom roles deploying objects to BIG-IP devices

Last Modified: Nov 07, 2022

Affected Product:
BIG-IQ System User Interface (all modules)

Known Affected Versions:
5.4.0, 5.4.0 HF1, 5.4.0 HF2, 6.0.1, 6.0.1.1, 6.0.1.2, 6.1.0, 7.0.0, 7.1.0, 7.1.0.1, 7.1.0.2, 7.1.0.3, 7.1.6, 7.1.6.1, 7.1.7, 7.1.7.1, 7.1.7.2, 7.1.8, 7.1.8.1, 7.1.8.2, 7.1.8.3, 7.1.8.4, 7.1.8.5, 7.1.9, 7.1.9.7, 7.1.9.8, 7.1.9.9

Fixed In:
7.0.0.1

Opened: Oct 25, 2019
Severity: 3-Major

Symptoms

Users assigned to custom roles cannot deploy objects to BIG-IP devices if the custom role was created from the BIG-IQ Roles screen.

Impact

Users assigned to custom roles cannot deploy objects to BIG-IP devices.

Conditions

A custom role (BIG-IQ version 5.4) or custom service role (BIG-IQ version 6.0 and later) created from the BIG-IQ Roles screen.

Workaround

To resolve this issue:

1. From the command line, run the following commands, and then assign the Resource Groups to the custom role you need for the user to deploy specific objects for a service (for example, an ASM policy).

   # restcurl -X POST /shared/authorization/patch-resource-groups -d '{"resourceGroupName":"Relevant Devices Resource Group","resourceGroupDisplayName":"Relevant Devices Resource Group","resourceGroupDescription":"Resource group containing relevant devices API for use with deployment","referenceExpressionsPatches":[{"targetKind":"cm:global:utility:device-association:deviceassociationstate","referenceExpressions":[{"expression":"/cm/global/utility/device-association"}]}]}'

   # restcurl -X POST /shared/authorization/patch-resource-groups -d '{"resourceGroupName":"Deploy Configuration Resource Group","resourceGroupDisplayName":"Deploy Configuration Resource Group","resourceGroupDescription":"Resource group containing relevant deploy API for use with deployment","referenceExpressionsPatches":[{"targetKind":"cm:adc-core:tasks:deploy-configuration:deployconfigtaskstate","referenceExpressions":[{"expression":"/cm/adc-core/tasks/deploy-configuration/*"}]}]}'

2. Log in as admin.
3. Create a new user, such as 'Exampleuser'.
4. Create a new resource group and add some objects to it, for example: Add POLICIES: WEB APPLICATION SECURITY.
5. Create a new custom service role.
   a. Add a role type, for example 'Web App Security Manager'.
   b. Set the role mode to Strict.
   c. Add the resource group created in step 1 and 2 as resource groups (in 7.1, skip step 1 and add the Resource Group Deployer).
   d. Assign user 'Exampleuser' the custom service role.
6. Log in as 'Exampleuser'. To deploy changes, select the object from the CONFIGURATION tab and click the Deploy action.

Note: After creating the Deployment for your selected BIG-IP device(s), you might not be able to see the differences between BIG-IQ and BIG-IP. This is a known issue to be worked on in the future.

7. To access the history of the deployments, that user must manually navigate to the following URL: https://<big-iq ip>/ui/deployment.

Fix Information

To enable users assigned to custom roles to deploy objects to BIG-IP devices, add the built-in resource group "Resource Group Deployer" in addition to the other resource groups the user wants access to. The workflow will be:

1. Log in as admin.
2. Create a new user, such as 'Exampleuser'.
3. Create a new resource group and add some objects to it, for example: Add POLICIES: WEB APPLICATION SECURITY.
4. Create a new custom service role.
   a. Add a role type, for example 'Web App Security Manager'.
   b. Set the role mode to Strict.
   c. Add the resource group created in step 3. In addition, add the built-in resource group "Resource Group Deployer" to the resource groups.
   d. Assign user 'Exampleuser' the custom service role.
5. Log in as 'Exampleuser'. To deploy changes, select the object from the CONFIGURATION tab and click the Deploy action.

Behavior Change