Overview
F5OS Superuser Access is an opt-in feature that allows WorldTech IT engineers to open a root shell on your F5OS devices through the Cloud.Red SSO console. It is available on a per device group basis and must be explicitly enabled by you.
When enabled, Cloud.Red provisions a WT-managed service account (wtit_ao_superuser) with the F5OS superuser role and enables the device-level superuser-bash-access flag. This allows a WT engineer to escalate to root (uid=0) via sudo over an SSO console session — without storing or exposing device root passwords.
Enabling Superuser Access modifies a device-wide F5OS system flag (superuser-bash-access). Review the Ramifications section before enabling.
Prerequisites
| Requirement | Details |
|---|---|
| Device platform | F5OS only — rSeries and VELOS. Not supported on BIG-IP or NGINX. |
| F5OS software version | F5OS-A ≥ 1.8.0 (the superuser role was introduced in this release). |
| Appliance mode | Must be disabled. Root shell access via bash is unavailable in appliance mode. |
| SSO enabled | The device group must have SSO enabled (default). |
If the device group does not meet these requirements, the enable request will fail with an error and no changes will be made to the device.
Enabling Superuser Access
- From the left menu, select Device Groups.
- Click the actions icon next to the device group.
- Select Enable Superuser Access.
Cloud.Red will:
- Verify that all devices in the group meet the prerequisites above.
- Create the wtit_ao_superuser account on the device with the F5OS superuser role.
- Enable the superuser-bash-access flag on the device.
- Record the Superuser subscription on the device group.
On success, the device group’s subscription status will reflect Superuser: Enabled.
Enable is an all-or-nothing operation per device group. If the device is unsupported (wrong version or appliance mode on), the request fails and no changes are applied.
Disabling Superuser Access
- From the left menu, select Device Groups.
- Click the actions icon next to the device group.
- Select Disable Superuser Access.
Cloud.Red will:
- Delete the wtit_ao_superuser account from the device.
- Reset superuser-bash-access back to the F5OS default (disabled).
- Remove the Superuser subscription from the device group.
After disabling, WT engineers can no longer request a root shell for that device group.
Who Can Use Root
Only WorldTech IT engineers can open a root shell — customer users (including RA-admin) cannot. The following conditions must all be true at console-open time:
- The caller is a WT engineer (internal staff).
- The device group has the Superuser subscription active.
- The device is an F5OS platform.
If any condition is not met, the root shell request is rejected (403 or 400).
Ramifications
Device-wide flag
superuser-bash-access is a system-wide F5OS setting. When enabled, any account with the F5OS superuser role on that device can reach a bash shell. Cloud.Red manages only one such account (wtit_ao_superuser) and that account is under WT’s sole control. Disabling the subscription deletes the account and resets the flag.
Managed account lifecycle
| Event | What happens |
|---|---|
| Enable | wtit_ao_superuser created; superuser-bash-access set to true |
| Nightly rotation | Superuser password rotated along with other WT-managed credentials |
| Disable | wtit_ao_superuser deleted; superuser-bash-access reset to false |
| Re-enable after disable | Account is re-created from scratch; a fresh credential is stored |
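The following is an added example, not part of Cloud.Red or F5OS: a Python drift check that compares a device's state with the lifecycle table above and reports other superuser-role accounts that gain bash access through the device-wide flag. The snapshot field names and finding labels are hypothetical, and the sample data is constructed.

```python
# Added example; field names and finding labels are hypothetical, not an F5OS or Cloud.Red schema.
MANAGED = "wtit_ao_superuser"

def audit(snapshot, subscription_enabled):
    """Return findings for one device, given the group's subscription state."""
    findings = []
    flag = snapshot["superuser_bash_access"]
    names = {u["name"] for u in snapshot["users"]}
    supers = {u["name"] for u in snapshot["users"] if "superuser" in u["roles"]}

    if subscription_enabled:
        # Lifecycle "Enable": managed account exists, flag is true.
        if not flag:
            findings.append("flag-off-while-enabled")
        if MANAGED not in supers:
            findings.append("managed-account-missing")
    else:
        # Lifecycle "Disable": account deleted, flag reset to false.
        if flag:
            findings.append("flag-on-after-disable")
        if MANAGED in names:
            findings.append("managed-account-left-behind")

    # The flag is device-wide: any other superuser-role account reaches bash too.
    if flag:
        findings += [f"unmanaged-superuser-with-bash:{n}" for n in sorted(supers - {MANAGED})]
    # FAQ case: account and flag stay on the device once appliance mode is on.
    if snapshot["appliance_mode"] and (flag or MANAGED in names):
        findings.append("appliance-mode-with-superuser-residue")
    return findings

# Constructed sample snapshots (not real device output).
ENABLED_WITH_EXTRA = {
    "appliance_mode": False,
    "superuser_bash_access": True,
    "users": [
        {"name": MANAGED, "roles": ["superuser"]},
        {"name": "admin", "roles": ["admin"]},
        {"name": "netops", "roles": ["superuser"]},
    ],
}
STALE_AFTER_DISABLE = {
    "appliance_mode": True,
    "superuser_bash_access": True,
    "users": [{"name": "admin", "roles": ["admin"]}],
}
if __name__ == "__main__":
    print(audit(ENABLED_WITH_EXTRA, True))
    print(audit(STALE_AFTER_DISABLE, False))
```

Populate the snapshot from whatever inventory or configuration export you already collect for the device; the check itself does not contact the device.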
Audit logging
Every root console session is recorded in the session audit log, including the requesting user identity, device, and that a root shell was opened.
Frequently Asked Questions
Can I enable Superuser Access on BIG-IP device groups?
No. The F5OS superuser role does not exist on TMOS/BIG-IP. The request will be rejected.
What happens if appliance mode is enabled on a device in the group after Superuser Access is enabled?
The account and flag remain on the device, but WT engineers will no longer be able to use root (the console gate checks appliance mode at session open time). Disable the subscription before enabling appliance mode.
Does disabling Superuser Access affect any other users or accounts?
No. Only wtit_ao_superuser is removed. Customer RA accounts and other WT-managed accounts are unaffected.
What if the device is running F5OS older than 1.8.0?
The enable request will fail immediately. No changes are made to the device. Upgrade to F5OS-A ≥ 1.8.0 and retry.