DELETE method with AS3 is too powerful!
Am I the only one totally freaking out about the fact that with AS3, you just have to send a DELETE method to mgmt/shared/appsvcs/declare and everything is gone?? Your entire production system could be wiped out that easily...
From my understanding it's mandatory to have the administrator privilege to use AS3, and administrators can access all the partitions; so you cannot even create users that would be allowed to manage only specific partitions... It's all or nothing.
In my opinion the least you should do is to get rid of this dangerous default behavior, and instead use the keyword "ALL" to remove all tenants...
==========================
Extract from the doc:
Use DELETE to remove configurations for one or more declared Tenants from the target ADC. If you do not specify any Tenants, DELETE removes all of them, which is to say, it removes the entire declared configuration. Indicate the target device and Tenants to remove by appending elements to the main AS3 URL path (/mgmt/shared/appsvcs/declare). By default (just main URL) DELETE removes all Tenants from target localhost.
DELETE examples:
DELETE https://192.0.2.10/mgmt/shared/appsvcs/declare
removes all tenants
DELETE https://192.0.2.10/mgmt/shared/appsvcs/declare/T1,T2,T5
removes Tenants T1, T2, and T5 leaving the rest of the most recent declared configuration for localhost in place
==========================
Does anyone agree, or have a suggestion to add some security?
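
One possible guard for the behavior described in the post above, as an added example that is not part of the original post and is not F5 code: a pre-flight check that an automation wrapper or API gateway in front of the BIG-IP management interface could run before forwarding a request. The caller names, the allowlist and the function names are hypothetical; the URL layout is the one quoted from the doc.

```python
from urllib.parse import urlsplit, unquote

AS3_DECLARE = "/mgmt/shared/appsvcs/declare"

# Constructed policy (assumption): tenants each automation account may delete.
ALLOWED_TENANTS = {
    "ci-team-a": {"T1", "T2"},
    "ci-team-b": {"T5"},
}

def tenants_in_path(url):
    """Return the tenants appended to the AS3 declare path.
    [] means the bare URL; None means this is not an AS3 declare URL."""
    path = unquote(urlsplit(url).path).rstrip("/")
    if path == AS3_DECLARE:
        return []  # bare URL: per the doc, DELETE here removes all Tenants
    if not path.startswith(AS3_DECLARE + "/"):
        return None
    rest = path[len(AS3_DECLARE) + 1:]
    return [t for t in rest.split(",") if t]

def check_delete(caller, method, url):
    """Decide whether to forward the request. Returns (allowed, reason)."""
    if method.upper() != "DELETE":
        return True, "not a DELETE"
    tenants = tenants_in_path(url)
    if tenants is None:
        return True, "not an AS3 declare URL"
    if not tenants:
        # Fail closed: an explicit tenant list is always required.
        return False, "bare DELETE would remove all tenants"
    extra = set(tenants) - ALLOWED_TENANTS.get(caller, set())
    if extra:
        return False, "caller may not delete: " + ",".join(sorted(extra))
    return True, "ok"

if __name__ == "__main__":
    base = "https://192.0.2.10" + AS3_DECLARE
    for url in (base, base + "/T1,T2", base + "/T1,T2,T5"):
        print(url, "->", check_delete("ci-team-a", "DELETE", url))
```

A check like this only helps if the wrapper or gateway is the sole path to the management API; anyone holding administrator credentials and direct network access can still send the bare DELETE.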