
Certificate Admin Role - UI

This guide walks through creating a custom RBAC role using the F5 Distributed Cloud Console UI. The role grants access to manage SSL/TLS certificates and certificate chains used by HTTP Load Balancers. For the programmatic (API) approach, see the API guide.

F5 XC uses a three-tier permission model:

api_group_element (read-only, system-defined)
api_group (read-only, system-defined)
role (full CRUD — this is what you create)
  1. api_group_element — Defines a regex path and HTTP methods (e.g., POST /api/config/.*/certificates). System-managed; you cannot create, modify, or delete these.

  2. api_group — A named collection of api_group_element references, organized by functional area. System-managed; you cannot create, modify, or delete these. Groups use naming conventions like ves-io-proxy-read or f5xc-waap-standard-admin.

  3. role — References api_group names in an array. This is the only tier you create. Use the custom role endpoints to attach specific api_groups to a role.

By selecting the proxy read/write groups, the example-cert-admin role grants SSL/TLS certificate management as part of broader proxy resource access.

Selecting the proxy read/write groups grants access to all proxy resources in the assigned namespace — HTTP Load Balancers, origins, routes, and certificates alike. There is no way to restrict the role to certificates only.

F5 XC does not support user-created api_group or api_group_element objects. The platform pre-defines these as read-only, and roles can only reference existing group names. No system-defined group is scoped exclusively to certificate operations.

Mitigation — namespace isolation: Place certificate resources in a dedicated namespace and scope the example-cert-admin role to that namespace. This prevents the user from accessing proxy resources in other namespaces while still granting full certificate management within the isolated namespace.
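The three-tier model and the namespace mitigation described above, as a small Python model added here for illustration (not F5 code and not part of the original guide). The group names and the certificates pattern come from this guide; the element names, group membership, load balancer pattern, `/api/config/namespaces/<ns>/` path layout, and the `certs-only` and `prod` namespaces are assumptions.

```python
import re

# Tier 1: api_group_element = HTTP methods + regex path (system-defined in F5 XC).
# The certificates pattern is the one quoted in this guide; the load balancer
# pattern and the element names are constructed for illustration.
ELEMENTS = {
    "cert-create": ({"POST"}, r"/api/config/.*/certificates"),
    "cert-list": ({"GET"}, r"/api/config/.*/certificates"),
    "lb-create": ({"POST"}, r"/api/config/.*/http_loadbalancers"),
    "lb-list": ({"GET"}, r"/api/config/.*/http_loadbalancers"),
}

# Tier 2: api_group = named collection of elements. Group names are from this
# guide; their membership here is an assumption, not F5's real definition.
GROUPS = {
    "ves-io-proxy-read": ["cert-list", "lb-list"],
    "ves-io-proxy-write": ["cert-create", "lb-create"],
}

# Tier 3: role = array of api_group names (the only tier you create).
ROLES = {"example-cert-admin": ["ves-io-proxy-read", "ves-io-proxy-write"]}

NS_PATH = re.compile(r"/api/config/namespaces/([^/]+)/")  # assumed path layout


def allowed(role, bound_ns, method, path):
    """True if `role`, assigned in namespace `bound_ns`, permits the request."""
    ns = NS_PATH.match(path)
    if ns is None or ns.group(1) != bound_ns:
        return False  # namespace scoping: the role does not apply here
    return any(
        method in methods and re.fullmatch(pattern, path)
        for group in ROLES[role]
        for methods, pattern in (ELEMENTS[e] for e in GROUPS[group])
    )


if __name__ == "__main__":
    # Constructed requests: role assigned only in the dedicated "certs-only" namespace.
    for method, path in [
        ("POST", "/api/config/namespaces/certs-only/certificates"),
        ("POST", "/api/config/namespaces/certs-only/http_loadbalancers"),
        ("POST", "/api/config/namespaces/prod/http_loadbalancers"),
        ("GET", "/api/config/namespaces/prod/certificates"),
    ]:
        verdict = "ALLOW" if allowed("example-cert-admin", "certs-only", method, path) else "DENY"
        print(f"{verdict:5} {method:4} {path}")
```

The second request is allowed even though it is not a certificate operation, because the proxy groups cover every proxy resource; the last two are denied only by the namespace boundary.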

  • Admin access to the F5 Distributed Cloud Console

  1. Log in to the F5 Distributed Cloud Console
  2. Click the Administration tile on the home page
  3. In the left navigation menu, select IAM > Roles
  4. Click + Add Role

Enter example-cert-admin in the Role Name field.

Role naming rules:

  • Lowercase letters, numbers, and hyphens only
  • Must start with two lowercase letters
  • Maximum 64 characters

Certificate permissions are part of the proxy functional area. Add the following API groups to grant certificate management access:

  1. Click + Allowed API Groups
  2. In the search/filter field, type ves-io-proxy
  3. Select the following API groups:

     API Group            Grants
     ves-io-proxy-read    Read access to proxy resources including certificates
     ves-io-proxy-write   Write access to proxy resources including certificates

  4. Click Save to confirm the selected API groups

Review the selected API groups in the summary, then click Save to create the role.

  1. Navigate to IAM > Roles
  2. Click example-cert-admin in the role list
  3. Confirm both API groups are listed