Hi Craig,
I think that's a very well explained post. Thanks for taking the time to give constructive feedback.
I've heard of a few features coming that may improve your situation like folder level config synching. I haven't heard of anything for a few of your issues (though I definitely don't see everything that everyone is working on).
I'd encourage you to open a case with F5 Support and submit these issues with proposed improvements as Requests For Enhancements. Support will be able to tell you if there are already existing RFEs. You can then talk with your F5 or partner account team (or your "provider") to get status on upcoming features. If any of this process gets stuck, feel free to email me and I'll try to check on this (aaron at f5 dot com).
- the inability to sync changes on our partition (we have to get the provider to do it via their support desk)
>> We should have folder level config sync coming in a future version. I can't say exactly when, but this is a highly requested feature for multi-tenancy.
- the inability to access the ltm log because there are no partition specific ltm logs. (I know we can set up a syslog server and you can use the log statement to log messages to it, but it won't trap Tcl and other error types)
>> Your provider should be able to set up a syslog server (or a chain of them to sort only your tenant logs). They might need to require you to use a custom format or token in your iRule log statements to sort these per tenant.
- no shell access because it's not restricted to your partition
>> The only practical solution I see for this is an RFE to give tmsh access with non-admin access to only your admin partition. Or use vCMP with admin CLI access enabled.
- cannot install/create SSL certificates, we have to send them to the provider who will then install them.
>> Your provider could potentially give you iControl or tmsh based tools which allow you to install certs.
- cannot backup our config
>> Your provider could potentially give you iControl or tmsh based tools which allow you to back up the full config. They could add business logic to the tool. Or they could do an automatically scheduled backup every N hours or days.
On a related tangent, right now, the most complete technical solution we offer for allowing service providers to give their tenants admin access to BIG-IP is vCMP. With vCMP the tenant can have full admin rights to the guest instance and restrict the ability to affect other guests.
Thanks, Aaron
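
The per-tenant syslog sorting suggested in the reply above, sketched as an added example that is not part of the original post or F5's own tooling. The `tenant=<token>` convention, the tenant and partition names, and the log line shape are assumptions; the sample lines are constructed.

```python
import re
from collections import defaultdict

# Hypothetical convention: each tenant iRule starts its log text with
# "tenant=<token>"; the provider maps tokens to the owning partition.
TENANT_PARTITION = {"acme": "Acme", "globex": "Globex"}  # constructed values
TOKEN_RE = re.compile(r"tenant=([a-z0-9_-]{1,32})(?=\s|$)")
# Assumed line shape: "... Rule /<partition>/<rule_name> <EVENT>: <message>"
RULE_RE = re.compile(r"\bRule /([^/\s]+)/\S+ <[A-Z_]+>: ")


def route(line):
    """Return the tenant whose log receives this line, or "provider"."""
    rule = RULE_RE.search(line)
    if not rule:
        return "provider"  # not produced by an iRule log statement
    token = TOKEN_RE.match(line, rule.end())  # token must lead the message
    if not token or token.group(1) not in TENANT_PARTITION:
        return "provider"  # untagged line or unknown token
    tenant = token.group(1)
    # The token is tenant-controlled text, so it is only trusted when the
    # emitting rule lives in the partition that token belongs to.
    if TENANT_PARTITION[tenant] != rule.group(1):
        return "provider"
    return tenant


def split_logs(lines):
    """Group syslog lines into one list per tenant plus a provider list."""
    buckets = defaultdict(list)
    for line in lines:
        buckets[route(line)].append(line.rstrip("\n"))
    return dict(buckets)


# Constructed sample lines, not captured from a real device.
SAMPLE = [
    "Mar  1 10:00:01 lb1 info tmm[1234]: Rule /Acme/web_rule <HTTP_REQUEST>: tenant=acme uri=/login",
    "Mar  1 10:00:02 lb1 info tmm[1234]: Rule /Globex/api_rule <HTTP_REQUEST>: tenant=acme spoofed",
    "Mar  1 10:00:03 lb1 err tmm[1234]: TCL error: /Acme/web_rule <HTTP_REQUEST> - can't read \"x\"",
    "Mar  1 10:00:04 lb1 info tmm[1234]: Rule /Globex/api_rule <CLIENT_ACCEPTED>: tenant=globex new conn",
]

if __name__ == "__main__":
    for bucket, entries in split_logs(SAMPLE).items():
        print(bucket, len(entries))
```

Lines that carry no token, such as the constructed Tcl error line, stay in the provider bucket, which is the gap the original question points out.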