Give Users Access to Security Monitoring Dashboards

Overview

You can use F5 NGINX Management Suite Security Monitoring to monitor NGINX App Protect WAF instances. The Security Monitoring analytics dashboards and security logs provide protection insights and help you analyze possible threats or identify opportunities to tune your security policies.

By completing the steps in this topic, you will create a role that gives users access to the Security Monitoring module and logs, and assign it to user accounts or groups.

Note:
The recommendations in this guide follow the principle of least privilege and do not grant users access to the Instance Manager module. You can create additional roles with custom modules, features, and permissions to suit your use case.

Before You Begin

Complete the following prerequisites before proceeding with this guide:

  • NGINX Management Suite Security Monitoring is installed and running.

  • Your user account needs to be able to access the User Management settings in NGINX Management Suite. The minimum required role permissions are:

    • Module: Settings
    • Feature: User Management
    • Access: READ, CREATE, UPDATE

  • Review the table below to determine the minimum permissions needed for your use case.

    Module(s) Feature(s) Access Description
    Instance Manager
    Security Monitoring    		 Analytics
    Security Monitoring    		 READ
    READ    		 Read-only access that allows users to view the Security Monitoring dashboards. Users cannot access Instance Manager or Settings.
    Instance Manager
    Security Monitoring
    Settings    		 Analytics
    Security Monitoring
    User Management    		 READ
    READ
    CREATE, READ, UPDATE    		 Allows users to view the Security Monitoring dashboards and manage user accounts and roles.

    Recommended for a “super-user” who is responsible for managing other users’ access to the security dashboards. This permission set does not allow the user to delete user accounts.

Create a Role

Roles in NGINX Instance Manager are a critical part of role-based access control (RBAC). By creating roles, you define the access levels and permissions for different user groups that correspond to groups in your Identity Provider (IdP).

NGINX Instance Manager comes pre-configured with an administrator role called admin. Additional roles can be created as needed.

The admin user or any user with CREATE permission for the User Management feature can create a role.

Follow these steps to create a role and set its permissions:

  1. In a web browser, go to the FQDN for your NGINX Instance Manager host and log in.

  2. Select the Settings (gear) icon in the upper-right corner.

  3. From the left navigation menu, select Roles.

  4. Select Create.

  5. On the Create Role form, provide the following details:

    • Name: The name to use for the role.
    • Display Name: An optional, user-friendly name to show for the role.
    • Description: An optional, brief description of the role.

  6. To add permissions:

    1. Select Add Permission.
    2. Choose the NGINX Instance Manager module you’re creating the permission for from the Module list.
    3. Select the feature you’re granting permission for from the Feature list. To learn more about features, refer to Get started with RBAC.
    4. Select Add Additional Access to choose a CRUD (Create, Read, Update, Delete) access level.
      • Choose the access level(s) you want to grant from the Access list.
    5. Select Save.

  7. Repeat step 6 if you need to add more permissions for other features.

  8. When you’ve added all the necessary permissions, select Save to create the role.

Example scenario

Suppose you need to create an “app-developer” role. This role allows users to create and edit applications but not delete them or perform administrative tasks. You would name the role app-developer, select the relevant features, and grant permissions that align with the application development process while restricting administrative functions.

Assign the Role

After you’ve created a role for Security Monitoring, assign the role to one or more users or to a user group.

Assign the Role to Users

To assign roles to a user in NGINX Instance Manager, follow these steps:

  1. In a web browser, go to the FQDN for your NGINX Instance Manager host and log in.
  2. Select the Settings gear icon in the upper-right corner.
  3. From the left navigation menu, select Users.
  4. Select a user from the list, then select Edit User.
  5. In the Roles list, choose the role(s) you want to assign to the user.
  6. Select Save.

Assign the Role to User Groups

User groups require an OIDC identity provider
User groups require an external identity provider configured for OpenID Connect (OIDC) authentication, as described in Getting started with OIDC. Users from an external identity provider cannot be assigned roles directly in NGINX Instance Manager. Instead, they inherit roles based on their group membership.

To assign roles to a user group, follow these steps:

  1. In a web browser, go to the FQDN for your NGINX Instance Manager host and log in.
  2. Select the Settings gear icon in the upper-right corner.
  3. From the left navigation menu, select User Groups.
  4. Select a user group from the list, then select Edit.
  5. In the Roles list, choose the role(s) you want to assign to the group.
  6. Select Save.
Last modified November 8, 2024