Last Modified: Feb 29, 2024
Affected Product(s):
BIG-IQ System User Interface
Known Affected Versions:
5.4.0, 6.0.1, 6.0.1.1, 6.0.1.2, 6.1.0, 7.0.0, 7.1.0, 7.1.0.1, 7.1.0.2, 7.1.0.3, 7.1.6, 7.1.6.1, 7.1.7, 7.1.7.1, 7.1.7.2, 7.1.8, 7.1.8.1, 7.1.8.2, 7.1.8.3, 7.1.8.4, 7.1.8.5, 7.1.9, 7.1.9.7, 7.1.9.8, 7.1.9.9
Fixed In:
7.0.0.1
Opened: Oct 25, 2019
Severity: 3-Major
Users assigned to custom roles cannot deploy objects to BIG-IP devices if the custom role was created from the BIG-IQ Roles screen.
Users assigned to custom roles cannot deploy objects to BIG-IP devices.
A custom role (BIG-IQ version 5.4) or custom service role (BIG-IQ version 6.0 and later) created from the BIG-IQ Roles screen.
To resolve this issue:

1. From the command line, run the following commands, and then assign the Resource Groups to the custom role you need for the user to deploy specific objects for a service (for example, an ASM policy).

   # restcurl -X POST /shared/authorization/patch-resource-groups -d '{"resourceGroupName":"Relevant Devices Resource Group","resourceGroupDisplayName":"Relevant Devices Resource Group","resourceGroupDescription":"Resource group containing relevant devices API for use with deployment","referenceExpressionsPatches":[{"targetKind":"cm:global:utility:device-association:deviceassociationstate","referenceExpressions":[{"expression":"/cm/global/utility/device-association"}]}]}'

   # restcurl -X POST /shared/authorization/patch-resource-groups -d '{"resourceGroupName":"Deploy Configuration Resource Group","resourceGroupDisplayName":"Deploy Configuration Resource Group","resourceGroupDescription":"Resource group containing relevant deploy API for use with deployment","referenceExpressionsPatches":[{"targetKind":"cm:adc-core:tasks:deploy-configuration:deployconfigtaskstate","referenceExpressions":[{"expression":"/cm/adc-core/tasks/deploy-configuration/*"}]}]}'

2. Log in as admin.
3. Create a new user, such as 'Exampleuser'.
4. Create a new resource group and add some objects to it, for example: Add POLICIES: WEB APPLICATION SECURITY.
5. Create a new custom service role.
   a. Add role type, for example 'Web App Security Manager'.
   b. Set role mode, Strict.
   c. Add the resource group created in step 1 and 2, as resource groups (in 7.1, skip step 1 and add the Resource Group Deployer).
   d. Assign user 'Exampleuser' the custom service role.
6. Log in as 'Exampleuser'. To deploy changes, select the object from the CONFIGURATION tab and click the Deploy action.

   Note: After creating the Deployment for your selected BIG-IP device(s), you might not be able to see the differences between BIG-IQ and BIG-IP. This is a known issue to be worked on in the future.
7. To access the history of the deployments, that user must manually navigate to the following URL: https://<big-iq ip>/ui/deployment.
To enable users assigned to custom roles to deploy objects to BIG-IP devices, add the built-in resource group "Resource Group Deployer" in addition to the other resource groups the user wants access to. The workflow will be:

1. Log in as admin.
2. Create a new user, such as 'Exampleuser'.
3. Create a new resource group and add some objects to it, for example: Add POLICIES: WEB APPLICATION SECURITY.
4. Create a new custom service role.
   a. Add role type, for example 'Web App Security Manager'.
   b. Set role mode, Strict.
   c. Add the resource group created in step 3. In addition, add the built-in RG "Resource Group Deployer" to the resource groups.
   d. Assign user 'Exampleuser' the custom service role.
5. Log in as 'Exampleuser'. To deploy changes, select the object from the CONFIGURATION tab and click the Deploy action.