Forum Discussion

Aiyappa_136133
Jul 27, 2015

User access limited to iRules.

I want to ask about limiting user access/configuration on F5. At the moment we are planning to create a user with limited access to iRules only. But the problem is that at the moment all the iRule configuration is located in the Common partition. Is it possible to create a new user named "A" as an iRule manager who can only configure partition "A"? If yes, can you help us with how to create a new partition and move the existing iRule config to the new partition?

 

7 Replies

  • nathe

    Yes, you can create a new partition called A and create a new user with the role iRule Manager and just select this A partition.

    As for moving the existing iRule configuration: if you are pre-TMOS 11.6, then the only way around this is to delete the iRule and recreate it in the new partition, or to edit the bigip.conf file via SSH. If you have 11.6, then there's a new feature to move objects. See the 11.6 release notes and the section "Object move and rename". I've not used this feature myself, so I'd test first.

    Hope this helps,

    N


  • Hi Nathan,

    Also, this is what my requirement is. Do you have any comments?

    Assume I create an iRule (located in the Common partition) that calls a data group list located in a different partition. Is it possible? If yes, is the syntax also the same? Here is the iRule syntax we use (the version posted had run together and was missing a closing brace before the elseif; it is shown here with the braces balanced and a comment per branch):

        when CLIENT_ACCEPTED {
            # client in data group userA -> use customer A's SNAT pool
            if { [class match [IP::client_addr] equals userA] } {
                snatpool snat-userA
                return
            # client in data group userB -> use customer B's SNAT pool
            } elseif { [class match [IP::client_addr] equals userB] } {
                snatpool snat-userB
                return
            # everyone else -> default SNAT pool
            } else {
                snatpool snat-userdefault
            }
        }

    Where we assume userA and snat-userA will be located in partition a, userB and snat-userB will be located in partition b, while snat-userdefault and the iRule will be located in the Common partition.



  • nathe

    From the TMOS concepts guide: "an iRule can reference any object, regardless of the partition in which the referenced object resides. For example, an iRule that resides in partition my_app_A can contain a pool statement that specifies a pool residing in partition my_app_B. Neither object is required to reside in Common."

    Hope this helps

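The following tmsh session pulls the whole thread together: the partition and the iRule Manager user from nathe's first reply, the per-customer data groups and SNAT pools the original poster describes, the iRule rewritten with full-path references as the concepts guide quote implies, and the 11.6 object move. It is an added example, not code from the thread or from F5; the partition names A, cust_a and cust_b (the thread calls the customer partitions a and b), the user name irule-mgr-A, the address ranges and the rule names are all assumptions, and the password is a placeholder to replace. The mv step relies on the 11.6 "Object move and rename" feature nathe mentions and, as he says, should be tested first.

```tmsh
# Added example, not from the thread. Assumes TMOS 11.x tmsh, partition A for the
# restricted user's iRules, partitions cust_a and cust_b for the per-customer
# objects (the thread's "a" and "b"), and made-up RFC 5737 addresses.
# Run the lines one at a time in tmsh.

# 1. Partitions. A is the only partition the iRule manager will be able to write to.
create auth partition A description "iRules maintained by the restricted user"
create auth partition cust_a description "customer A objects"
create auth partition cust_b description "customer B objects"

# 2. The restricted user: role irule-manager, scoped to partition A only, no shell.
#    This user cannot edit objects in Common and cannot attach a rule to a virtual
#    server; someone with a broader role still has to review and attach its rules.
create auth user irule-mgr-A password "REPLACE-WITH-STRONG-PASSWORD" partition-access replace-all-with { A { role irule-manager } } shell none

# 3. Per-customer data groups and SNAT pools outside Common, as the poster planned.
#    (address-type data groups; the CIDR entries are constructed sample data)
create ltm data-group internal /cust_a/userA type ip records add { 198.51.100.0/24 { } }
create ltm data-group internal /cust_b/userB type ip records add { 203.0.113.0/24 { } }
create ltm snatpool /cust_a/snat-userA members add { /cust_a/192.0.2.10 }
create ltm snatpool /cust_b/snat-userB members add { /cust_b/192.0.2.20 }
create ltm snatpool /Common/snat-userdefault members add { /Common/192.0.2.30 }

# 4. The thread's iRule, created in partition A (so irule-mgr-A may edit it) and
#    referencing objects in three other partitions. Every cross-partition object is
#    given by full path /partition/name so the lookup does not depend on where the
#    rule or the virtual server lives.
create ltm rule /A/snat-by-client {
    when CLIENT_ACCEPTED {
        if { [class match [IP::client_addr] equals /cust_a/userA] } {
            snatpool /cust_a/snat-userA
        } elseif { [class match [IP::client_addr] equals /cust_b/userB] } {
            snatpool /cust_b/snat-userB
        } else {
            snatpool /Common/snat-userdefault
        }
    }
}

# 5. TMOS 11.6 or later only: move an existing rule out of Common instead of
#    deleting and recreating it. Check afterwards which virtual servers still
#    reference it (hypothetical rule name).
mv ltm rule /Common/old-snat-rule /A/old-snat-rule
list ltm virtual one-line | grep old-snat-rule

save sys config
```

Two points worth keeping in mind when handing this to the restricted user. First, the partition boundary limits what irule-mgr-A can edit, not what its rules can touch: per the concepts guide quote above, a rule in partition A may reference any data group, pool or SNAT pool on the box, so the role is still a trust decision about who may change traffic handling, not a sandbox. Second, because an iRule Manager cannot attach rules to virtual servers, the attach step stays with an administrator, which is the natural place to review what a newly written rule references before it goes live.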
