Custom roles and API groups

Beyond the Default roles for NGINX One Console access, you can create custom roles with more precisely defined access permissions. You can assign custom roles to users or service accounts. You can associate these roles with specific namespaces, to help facilitate the principle of least privilege across your tenant. For this use-case, we include a list of API groups that you can use to specify permissions for custom roles with more granular access controls to NGINX One Console APIs.

F5 API groups for NGINX One

The following table lists the available API groups that you can use to construct a Role. These are narrowly scoped API groups that align with all the features and functionality within the NGINX One Console. These groups can help you create custom roles tailored to your specific needs.

If you create custom roles using these API groups, users may not have access to all capabilities of the browser web portal.
API Group Name Level of Access Description
f5xc-nginx-one-application-monitor Read View all features and data.
f5xc-nginx-one-application-settings Write View and update settings.
f5xc-nginx-one-application-write Write View and edit all features except settings.
f5xc-nginx-one-custom-all-instances-metric-read Read View metrics for all Instances. Required to see the Overview dashboard.
f5xc-nginx-one-custom-instance-list Read View list of all Instances. Also view summarized information such as certificate status and CVEs.
f5xc-nginx-one-custom-all-instances-manage Write View and delete all Instances.
f5xc-nginx-one-custom-instance-manage Write View and edit Instance details.
f5xc-nginx-one-custom-instance-read Read View Instance and configuration details.
f5xc-nginx-one-custom-certificate-manage Write View TLS/SSL certificate details. Create, update, and delete any managed certificates.
f5xc-nginx-one-custom-certificate-read Read View TLS/SSL certificates.
f5xc-nginx-one-custom-all-certificates-manage Write View all TLS/SSL certificates. Delete managed certificates.
f5xc-nginx-one-custom-data-plane-key-manage Write View, create, update, and delete any Data Plane Keys. Note: The actual Data Plane Key is shown only when created.
f5xc-nginx-one-custom-data-plane-key-read Read View Data Plane Key Details. Note: The actual Data Plane Key is shown only when created.
f5xc-nginx-one-custom-all-data-plane-keys-manage Write View and delete Data Plane Keys.
f5xc-nginx-one-custom-cve-read Read View NGINX CVEs.
f5xc-nginx-one-custom-config-sync-group-manage Write View, create, update, and delete Config Sync Groups.
f5xc-nginx-one-custom-config-sync-group-read Read View Config Sync Groups with details.
f5xc-nginx-one-custom-all-config-sync-groups-manage Write View and delete Config Sync Groups.
f5xc-nginx-one-custom-settings-manage Write View and update NGINX One Console Settings.
f5xc-nginx-one-custom-settings-read Read View NGINX One Console Settings.
f5xc-nginx-one-custom-event-read Read View NGINX One Events.
f5xc-nginx-one-custom-ai-assistant Write Interact with the NGINX One AI Assistant.
f5xc-nginx-one-custom-staged-config-manage Write View, create, update, and delete Staged Configs.
f5xc-nginx-one-custom-staged-config-read Read View Staged Configs.

Last modified March 14, 2025