Add user access to Security Monitoring dashboards

Overview

F5 NGINX Security Monitoring tracks activity on NGINX App Protect WAF instances. The dashboards and logs show insights, detect threats, and help improve security policies.

This guide explains how to create a role to give users access to Security Monitoring and assign it to users or groups.

Note:
This guide follows the principle of least privilege, so users only get access to Security Monitoring. You can create roles with different permissions if needed.

Before you begin

Make sure you complete these steps:

  • Your account must have access to User Management in NGINX Instance Manager. Minimum permissions are:

    • Module: Settings
    • Feature: User Management
    • Access: READ, CREATE, UPDATE
  • Use the table below to find the permissions you need:

    Module(s)           | Feature(s)          | Access               | Description
    --------------------+---------------------+----------------------+------------
    Instance Manager    | Analytics           | READ                 | Gives read-only access to Security Monitoring dashboards. Users cannot access NGINX Instance Manager or Settings.
    Security Monitoring | Security Monitoring | READ                 |
    --------------------+---------------------+----------------------+------------
    Instance Manager    | Analytics           | READ                 | Lets users view dashboards and manage accounts and roles. Best for “super-users” who manage dashboard access. Does not allow deleting accounts.
    Security Monitoring | Security Monitoring | READ                 |
    Settings            | User Management     | CREATE, READ, UPDATE |

Create a role

Roles in NGINX Instance Manager are a critical part of role-based access control (RBAC). By creating roles, you define the access levels and permissions for different user groups that correspond to groups in your Identity Provider (IdP).

NGINX Instance Manager comes pre-configured with an administrator role called admin. Additional roles can be created as needed.

The admin user or any user with CREATE permission for the User Management feature can create a role.

Follow these steps to create a role and set its permissions:

  1. In a web browser, go to the FQDN for your NGINX Instance Manager host and log in.

  2. Select the Settings (gear) icon in the upper-right corner.

  3. From the left navigation menu, select Roles.

  4. Select Create.

  5. On the Create Role form, provide the following details:

    • Name: The name to use for the role.
    • Display Name: An optional, user-friendly name to show for the role.
    • Description: An optional, brief description of the role.
  6. To add permissions:

    1. Select Add Permission.
    2. Choose the NGINX Instance Manager module you’re creating the permission for from the Module list.
    3. Select the feature you’re granting permission for from the Feature list. To learn more about features, refer to Get started with RBAC.
    4. Select Add Additional Access to choose a CRUD (Create, Read, Update, Delete) access level.
      • Choose the access level(s) you want to grant from the Access list.
    5. Select Save.
  7. Repeat step 6 if you need to add more permissions for other features.

  8. When you’ve added all the necessary permissions, select Save to create the role.
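After saving the role, its permissions can be compared with the table in "Before you begin" to confirm that nothing beyond the intended access was granted. The following check is an added example, not part of NGINX Instance Manager or its documentation; the (module, feature, access) row format, the profile names "viewer" and "super-user", and the sample role are assumptions made for illustration.

```python
# Added example: audit a role's grants against the least-privilege table on this page.
# The (module, feature, access) row format is an assumption, not an NGINX Instance
# Manager export format; transcribe the role's permissions into it by hand.

# Baselines taken from the permissions table in "Before you begin".
# The profile names are hypothetical labels for the two table rows.
BASELINES = {
    "viewer": {
        ("Instance Manager", "Analytics"): {"READ"},
        ("Security Monitoring", "Security Monitoring"): {"READ"},
    },
    "super-user": {
        ("Instance Manager", "Analytics"): {"READ"},
        ("Security Monitoring", "Security Monitoring"): {"READ"},
        ("Settings", "User Management"): {"CREATE", "READ", "UPDATE"},
    },
}

def normalize(grants):
    """Merge (module, feature, access) rows into {(module, feature): {ACCESS, ...}}."""
    merged = {}
    for module, feature, access in grants:
        key = (module.strip(), feature.strip())
        merged.setdefault(key, set()).add(access.strip().upper())
    return merged

def audit_role(grants, profile):
    """Return (excess, missing) grants relative to the named baseline profile."""
    baseline = BASELINES[profile]
    actual = normalize(grants)
    excess = sorted((m, f, a) for (m, f), acc in actual.items()
                    for a in acc - baseline.get((m, f), set()))
    missing = sorted((m, f, a) for (m, f), acc in baseline.items()
                     for a in acc - actual.get((m, f), set()))
    return excess, missing

# Constructed sample: a role intended as read-only that also picked up
# User Management access and lacks the Analytics READ grant.
SAMPLE_ROLE = [
    ("Security Monitoring", "Security Monitoring", "read"),
    ("Settings", "User Management", "READ"),
    ("Settings", "User Management", "DELETE"),
]

if __name__ == "__main__":
    excess, missing = audit_role(SAMPLE_ROLE, "viewer")
    for grant in excess:
        print("EXCESS ", grant)   # remove to restore least privilege
    for grant in missing:
        print("MISSING", grant)   # add so the dashboards work as documented
```

An empty excess list means the role grants nothing beyond the chosen table row; an empty missing list means every grant in that row is present.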

Example scenario

Suppose you need to create an “app-developer” role. This role allows users to create and edit applications but not delete them or perform administrative tasks. You would name the role app-developer, select the relevant features, and grant permissions that align with the application development process while restricting administrative functions.


Assign the role

Assign the Security Monitoring role to users or groups.


Assign the role to users

To assign roles to a user in NGINX Instance Manager, follow these steps:

  1. In a web browser, go to the FQDN for your NGINX Instance Manager host and log in.
  2. Select the Settings gear icon in the upper-right corner.
  3. From the left navigation menu, select Users.
  4. Select a user from the list, then select Edit User.
  5. In the Roles list, choose the role(s) you want to assign to the user.
  6. Select Save.

Assign the role to user groups

User groups require an OIDC identity provider
User groups require an external identity provider configured for OpenID Connect (OIDC) authentication, as described in Getting started with OIDC. Users from an external identity provider cannot be assigned roles directly in NGINX Instance Manager. Instead, they inherit roles based on their group membership.

To assign roles to a user group, follow these steps:

  1. In a web browser, go to the FQDN for your NGINX Instance Manager host and log in.
  2. Select the Settings gear icon in the upper-right corner.
  3. From the left navigation menu, select User Groups.
  4. Select a user group from the list, then select Edit.
  5. In the Roles list, choose the role(s) you want to assign to the group.
  6. Select Save.

Last modified February 6, 2025