May 25, 2017

Working on creating users from tmsh. I would like to have a script to output a csv that shows last time logged in for each user, what privilege they have, etc. I suppose it would be nice to maintain a list of users that have access to my F5 appliances.

tmsh create auth user `Username` password `Pass` partition-access all role admin shell bash

Roles:

- acceleration-policy-editor
- auditor
- guest (This role grants users permission to view all objects on the system and change their own passwords.)
- no-access (This role prevents users from accessing the system.)
- user-manager (Users with the User Manager role that have access to all partitions can create, modify, delete, and view all user accounts except those that are assigned the Administrator role, or the User Manager role with different partition access. Accounts with the User Manager role that have access to all partitions can also change their own passwords. Users with the User Manager role that have access only to a single partition can create, modify, delete, and view only those user accounts that are in that partition and that have access to that partition only. For example, if your user account has a User Manager role and has access to Partition A only, then you can manage only those user accounts that both reside in and have access to Partition A only. User accounts with the User Manager role can change their own passwords.)
- admin (partitioned objects on the system. In addition, accounts with the Administrator role can perform configuration synchronization on a redundant system. These users can use the bigpipe load and bigpipe save commands and change their own passwords)
- certificate-manager
- irule-manager
- operator (This role grants users permission to enable or disable nodes and pool members. These users can view all objects and change their own passwords.)
- web-application-security-administrator
- application-editor (This role grants users permission to modify nodes, pools, pool members, and monitors. These users can view all objects on the system and change their own passwords.)
- firewall-manager
- manager (This role grants users permission to create, modify, and delete virtual servers, pools, pool members, nodes, custom profiles, custom monitors, and iRules®. These users can view all objects on the system and change their own passwords. It is important to note that a user with the Manager role has permission to use the bigpipe shell to create, modify, or delete objects. However, such users are not allowed to use the bigpipe save command to save their changes. Therefore, when managing objects on the BIG-IP system, users with the Manager role should either use the Configuration utility, or ask a user with the Administrator role to save the changes using the bigpipe save command.)
- resource-admin (This role grants users complete access to all partitioned and non-partitioned objects on the system, except user account objects. These users can perform configuration synchronization on a redundant system. These users can also use the bigpipe load and save commands and change their own passwords. Note that when this user is managing BIG-IP Application Security Manager objects specifically, the BIG-IP system changes the role to Guest.)
- web-application-security-editor (This role grants users complete access to Application Security Manager security policy objects. These users can also view all other objects and change their own passwords. With respect to security policy objects, this role is equivalent to the Administrator role. You can assign this role only when the BIG-IP system includes the Application Security Manager component.)

Another method is:

curl -sk -u 'admin:admin' -H "Content-Type: application/json" -X POST https://x.x.x.x/mgmt/tm/auth/user -d '{"name":"newuser","password":"newuserpass","role":"admin","partition-access":"all","shell":"bash"}'

You can get a list of users by entering:

tmsh list auth user all

May 25, 2017 Author

To find what F5 user is logged in currently from cli you can type:

cat /var/log/audit | grep user=
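
One way to produce the CSV asked for in the first post, as an added example that is not part of the original posts and is not F5 code: it joins a user listing fetched with a GET on the `/mgmt/tm/auth/user` endpoint used above with the `user=` lines from `/var/log/audit`, and flags accounts holding the admin role or a bash shell for review. The JSON field names (`items`, `partitionAccess`, `shell`) and the audit-line layout are assumptions that may differ by BIG-IP version, and all sample data is constructed.

```python
import csv, io, json, re

# Constructed sample of a GET /mgmt/tm/auth/user reply; field names are assumed.
SAMPLE_USERS = json.loads("""{"items": [
 {"name": "admin", "shell": "bash",
  "partitionAccess": [{"name": "all-partitions", "role": "admin"}]},
 {"name": "jdoe", "partitionAccess": [{"name": "Common", "role": "operator"}]},
 {"name": "audit1", "shell": "tmsh",
  "partitionAccess": [{"name": "all-partitions", "role": "auditor"}]}]}""")

# Constructed /var/log/audit lines. Only the leading syslog timestamp and the
# "user=<name>" token (what the grep in the post matches) are relied on.
SAMPLE_AUDIT = """\
May 24 09:12:01 bigip1 notice sshd[4101]: AUDIT - user=admin host=10.0.0.5
May 25 08:30:44 bigip1 notice sshd[5220]: AUDIT - user=jdoe host=10.0.0.9
May 25 11:02:17 bigip1 notice sshd[5301]: AUDIT - user=admin host=10.0.0.5
"""

AUDIT_RE = re.compile(r"^(\w{3}\s+\d+\s[\d:]{8})\s.*?\buser=([\w.-]+)")

def last_seen(audit_text):
    """Map user -> timestamp of the last audit line that names the user."""
    seen = {}
    for line in audit_text.splitlines():
        m = AUDIT_RE.match(line)
        if m:
            seen[m.group(2)] = m.group(1)  # file is chronological: last wins
    return seen

def user_report(users, audit_text):
    """CSV text, one row per (user, partition); 'review' flags admin or bash."""
    seen = last_seen(audit_text)
    out = io.StringIO()
    w = csv.writer(out, lineterminator="\n")
    w.writerow(["user", "partition", "role", "shell", "last_seen", "review"])
    for u in users.get("items", []):
        shell = u.get("shell", "none")
        # Accounts with no partition entry are still listed, with empty fields.
        access = u.get("partitionAccess") or [{"name": "", "role": ""}]
        for pa in access:
            review = "yes" if pa["role"] == "admin" or shell == "bash" else ""
            w.writerow([u["name"], pa["name"], pa["role"], shell,
                        seen.get(u["name"], "not in log"), review])
    return out.getvalue()

if __name__ == "__main__":
    print(user_report(SAMPLE_USERS, SAMPLE_AUDIT), end="")
```

Syslog timestamps carry no year and the audit log rotates, so "not in log" means only that the user does not appear in the file that was read.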