You can assign permissions to admin roles which you then assign to admin groups, or you can assign permissions directly to an admin group. The following are permissions you can grant admin groups and roles:
...
By default, the superuser group (admin-group) has full access to all resources on the appliance. Superusers can create limited-access admin groups and grant them permissions to resources at the global and object levels.
Limited-access admin groups must have either read-only or read/write permissions assigned in order to view information or perform tasks on any supported objects.
When you assign permissions at the global level, the permissions apply to all objects that belong to the specified resource. For example, when you define a read/write permission to all DHCP networks, the permission applies to all DHCP ranges and fixed addresses in the networks. For information about global permissions, see Defining Global Permissions below.
You can also define permissions at a more granular level, such as for a specific Grid member, DNS zone, Response Policy Zone, network, and even an individual database object, such as a resource record or fixed address. When you define a permission at the object level, admins with this permission can only manage the specified object and its associated objects. For information about object permissions, see Defining Object Permissions below.
You can use global and object permissions to restrict admins to specific DNS and DHCP resources on specific Grid members by assigning the appropriate permissions. You can use this feature to separate DNS and DHCP administration on selected Grid members. For more information, see Defining DNS and DHCP Permissions on Grid Members below.
You can configure global permissions, object permissions, and member DNS and DHCP permissions for default and custom admin groups and roles. You cannot however define permissions for the factory default roles, such as DHCP Admin.
The appliance supports the following permissions:
Permissions | Description |
---|---|
Grid permissions | Includes Grid DNS properties, Grid DHCP properties, all Grid members, Microsoft servers that are managed by the Grid, network discovery, task scheduling, CSV imports, and all dashboard tasks. |
IPAM permissions | Includes network views, IPv4 and IPv6 networks, and host records. |
DHCP permissions | Includes Grid DHCP properties, network views, IPv4 networks, host records, DHCP ranges, DHCP fixed addresses/reservations, DHCP enabled host addresses, Mac filters, shared networks, DHCP templates, lease history, and roaming hosts. |
DNS permissions | Includes Grid DNS properties, DNS views, DNS zones, Response Policy Zones, host records, bulk hosts, all DNS resource records, all shared records, and adding a blank A/AAAA record. |
File distribution permissions | Includes Grid-level file distribution properties. |
Reporting permissions | Includes Grid-level reporting properties. |
Administration permissions | Includes all certificate authentication services, CA certificates and object change tracking. |
GLB (Global Load Balancer) permissions | Includes all NIOS managed GLB objects. |
DHCP fingerprint permissions | Includes all DHCP fingerprint related objects. |
Named ACL permissions | Includes all named ACLs (access control lists). |
Cloud permissions | Includes all tenant objects. |
Super Host Permissions | Includes all super host objects. |
NIOS applies permissions hierarchically in a parent-child structure. When you define permissions for a resource, all objects within that resource inherit the same permissions. For example, when you grant an admin group read/write permission for a network, the admin group automatically has read/write permission for objects in that network. To override permissions set at a higher level, you define permissions at a more specific level. For example, you can override the read/write network-level permission by setting read-only or deny permission for a fixed address or a DHCP-enabled host address. To define permissions for a more specific level, see the following:
- Permissions for common tasks, as described in Administrative Permissions for Common Tasks.
- Permissions for the Grid and Grid members, as described in Administrative Permission for the Grid.
- Permissions for IPAM resources, such as IPv6 networks, as described in Administrative Permissions for IPAM Resources.
- Permissions for DNS resources, such as DNS views and A records, as described in Administrative Permissions for DNS Resources.
- Permissions for DNS resource with associated IP addresses in networks and ranges, as described in Administrative Permissions for DNS Resources with Associated IP addresses in Networks and Ranges.
- Permissions for DHCP resources, such as network views and fixed addresses, as described in Administrative Permissions for DHCP Resources.
- Permissions for file distribution services, as described in Administrative Permissions for File Distribution Services.
- Permissions for certificate authentication services and CA certificates, as described in Administrative Permissions for Certificate Authentication Services and CA Certificates.
- Permissions for object change tracking, as described in Administrative Permissions for Object Change Tracking
- Permissions for GLB and GLB objects, as described in Administrative Permissions for Load Balancers.
- Permissions for Cloud objects, as described in Administrative Permissions for Cloud Objects.
When you set permissions that overlap with existing permissions, Grid Manager displays a warning about the overlaps. You can view detailed information and find out which permissions the appliance uses and which ones it ignores. For information, see Applying Permissions and Managing Overlaps below.
Defining Global Permissions
...
Permissions (Read/Write, Read-Only, or Deny) | ||
---|---|---|
Administration Permissions | All Certificate Authentication Services | For more information, see Administrative Permissions for Certificate Authentication Services and CA Certificates. |
All CA Certificates | ||
Object Change Tracking | For more information, see Administrative Permissions for Object Change Tracking. | |
Cloud Permissions | All Tenants | For more information, see Administrative Permissions for Cloud Objects. |
Named ACL Permissions | Named ACL | For more information, see Administrative Permissions for Named ACLs. |
DHCP Permissions | Grid DHCP Properties | For more information, see Administrative Permissions for Common Tasks. |
All Network Views | For more information, see see Administrative Permissions for Network ViewsDHCP Resources. | |
All IPV4/IPv6 Networks | For more information, see Administrative Permissions for IPv4 and IPv6 Networks and Shared Networks. | |
All Hosts | For more information, see see Administrative Permissions for HostsIPAM Resources. | |
All DHCP Fingerprints | For more information, see Administrative Permissions. | |
All DHCP MAC Filters | For more information , see see Administrative Permissions for MAC Address FiltersDHCP Resources. | |
All IPv4/IPv6 DHCP Fixed Addresses/Reservations | For more information, see Administrative Permissions for IPv4 or IPv6 Fixed Addresses and IPv4 Reservations. | |
All IPv4/IPv6 Host Addresses | For more information, see Administrative Permissions for DHCP Resources. | |
All IPv4/IPv6 Ranges | For more information, see Administrative Permissions for IPv4 and IPv6 DHCP Ranges. | |
All IPv4/IPv6 Shared Networks | For more information, see Administrative Permissions for IPv4 and IPv6 Networks and Shared Networks. | |
All IPv4/IPv6 DHCP Templates | For more information, see Administrative Permissions for IPv4 or IPv6 DHCP Templates. | |
All Microsoft Superscopes | For more information, see Administrative Permissions for IPv4 or IPv6 DHCP Templates. | |
All Roaming Hosts | For more information, see Administrative Permissions for Roaming Hosts. | |
DHCP IPv4/IPv6 Lease History | For more information, see Administrative Permissions for the IPv4 and IPv6 DHCP Lease Histories. | |
DNS Permissions Grid | DNS Properties | For more information, see Administrative Permissions for Common Tasks. |
All DNS Views | For more information, see Administrative Permissions for Common Tasks. | |
All DNS Zones | For more information, see Administrative Permissions for Common Tasks. | |
All Hosts | For more information, see Administrative Permissions for Hosts. | |
All IPV4/IPV6 Host Addresses | For more information, see Administrative Permissions for DNS Resources with Associated IP addresses in Networks and Ranges. | |
All Resource Records (A, AAAA, CAA, CNAME, DNAME, NAPTR, MX, PTR, SRV, TXT, TLSA and Bulkhost) | For more information, see Administrative Permissions for Common Tasks. | |
All Shared Record Groups | For more information, see Administrative Permissions for Shared Record Groups. | |
All Shared Records (A, AAAA, MX, SRV and TXT) | For more information, see Administrative Permissions for Common Tasks. | |
All Rulesets (BLACK List Rulesets and NXDOMAIN Rulesets) | For more information, see Administrative Permissions for DHCP Resources. | |
All DNS64 Synthesis Groups | For more information, see Administrative Permissions for DNS64 Synthesis Groups. | |
All Response Policy Zones | For more information, see Administrative Permissions for Zonesand License Requirements and Admin Permissions. | |
All Response Policy Rules | For more information, see Administrative Permissions for Zonesand License Requirements and Admin Permissions. | |
All DTC Objects (LBDN Records, LBDNs, Pools, Servers, Monitors, Certificates, GeoIP and Topologies) | For more information, see Administrative Permissions forZonesZonesand License Requirements and Admin Permissions. | |
Adding a blank A/AAAA record | For more information, see Administrative Permissions for Common Tasks. | |
File Distribution Permissions | Grid File Distribution Permissions | For more information, see Administrative Permissions for File Distribution Services. |
Grid Permissions | All Members | For more information, see Administrative Permissions for Common Tasks. |
Network Discovery | For more information, see Administrative Permissions for Discovery. | |
Schedule Tasks | For more information, see Administrative Permissions for Scheduling Tasks. | |
CSV Import | For more information, see Administrative Permissions for Named ACLs. | |
All Microsoft Servers | For more information, see Administrative Permissions for Microsoft Servers. | |
All Dashboard Tasks | For more information, see Administrative Permissions for Dashboard Tasks. | |
All Kerberos keys | For more information, see Configuring GSS-TSIG keys. | |
All Active Directory Domains | For more information, see Managing Active Directory Sites. | |
IPAM Permissions | All Network Views | For more information, see Administrative Permissions for Common Tasks. |
All IPv4 Networks | For more information, see Administrative Permissions for IPv4 and IPv6 Networks and Shared Networks. | |
All IPv6 Networks | For more information, see Administrative Permissions for IPv4 and IPv6 Networks and Shared Networks. | |
All Hosts | For more information, see Administrative Permissions for Hosts. | |
All IPv4 Host Addresses | For more information, see Administrative Permissions for DNS Resources with Associated IP addresses in Networks and Ranges. | |
All IPv6 Host Addresses | For more information, see Administrative Permissions for DNS Resources with Associated IP addresses in Networks and Ranges. | |
Port Control | For more information, see Administrative Permissions for Discovery. | |
SAML Permissions | SAML Authentication Services | For more information, see Administrative Permissions for SAML. |
Super Host Permissions | Super Host Permissions | For more information, see About Administrative Permissions for Super Hosts. |
Security Permissions | Grid Security Permissions | For more information, see Administrative Permissions. |
Reporting Permissions | Grid Reporting Permissions | For more information, see Administrative Permissions for Common Tasks. |
Reporting Dashboard | For more information, see Administrative Permissions for Reporting. | |
Reporting Search | For more information, see Administrative Permissions for Reporting. | |
VLAN Permissions | VLAN views, VLAN ranges, and VLAN objects | For more information, see Administrative Permissions for VLAN Management. |
Defining Object Permissions
You can add permissions to specific objects for selected admin groups or roles. When you add permissions to objects, you can select multiple objects with the same or different object types. When you select multiple objects with the same object type, you can apply permissions to the selected objects as well as the sub object types that are contained in the selected objects. As described in the below figure Selecting Multiple Objects with the Same Object Type, when you select five DNS forward-mapping authoritative zones, the appliance displays the object type "AuthZone" for all the zones. Since all five DNS zones are of the same object type, you can also apply permissions to all the resource records in these zones. The appliance displays the resources in the resource section of the Create Object Permissions editor. You can choose one or more of the resources to which you want to apply permissions.
In Cloud Network Automation, admin groups and admin users who have cloud API access have full permissions to delegated. However, you must specifically assign permissions for objects that have not been delegated in order for any admin groups or admin users to gain permission to these objects. Therefore, an admin group that has access to the cloud API would have full permissions to all delegated objects but limited permissions to non-delegated objects.
For information about how to allow cloud API access to an admin group, see Creating Limited-Access Admin Groups Groups. For information about guidelines for authority delegation, see About Authority Delegation.
Selecting Multiple Objects with the Same Object Type
...
When you select multiple objects with more than one object type, you can add permissions to the selected objects as well as to the sub object types that are common among the selected objects. For example, when you select three DNS forward-mapping authoritative zones and two DNS IPv4 reverse-mapping authoritative zones as illustrated in the below figure Multiple Objects with Common Sub Object Types, you can apply permissions to all the five DNS zones as well as to the CNAME, DNAME, and host records in these zones because CNAME, DNAME, and host records are the common sub object types in these zones.
Multiple Objects with Common Sub Object Types
When you select three DNS forward-mapping authoritative zones and two IPv4 reverse-mapping authoritative zones, you can apply object permissions to all the DNS zones as well as the CNAME, DNAME and Host records in these DNS zones.
...
Grid Manager displays a warning message when the permissions you define here overlap with other permissions in the system. Click See Conflicts to view the overlapping permissions in the Permissions Conflict dialog box. For information, see Applying Permissions and Managing Overlaps below.
You can also set permissions for specific objects from the objects themselves. For example, to define permissions for a particular Grid member, navigate to that Grid member and define its permissions.
To define the permissions of a specific object:
...
To specify member DNS and DHCP permissions, define DNS or DHCP permissions at the global or object level for an admin group or admin role, as described in Defining Global Permissions and Defining Object Permissions above. Ensure that you include the Grid member object to which you want to restrict DNS or DHCP administration. You can assign valid permissions to administrators to manage kerberos keys. For more information, see Configuring GSS-TSIG keys.
You can also control whether the admins can modify DNS or DHCP properties on a member, as described in Modifying Permissions on a Grid Member below.
Modifying Permissions on a Grid Member
...
You can check for overlapped permissions when you add permissions to roles and to admin groups, and when you assign roles to an admin group. When you create a permission that overlaps with existing permissions, Grid Manager displays a warning message and the SeeConflicts link on which you click to view the overlapped permissions. For information, see Viewing Overlapping Permissions below. You can also use the quick filter Overlaps to filter overlapped permissions, the appliance lists permissions that overlap with other permissions. If you want to change the permission the appliance uses, you must change the order in which the roles are listed or change the permissions that are directly assigned to the admin group. For information , see about Creating Limited-Access Admin Groups, see About Admin Groups.
Viewing Overlapping Permissions
...
- View the permissions, as described in Viewing Permissionsbelow.
- Modify the permissions, as described in Modifying Permissions below.
- Delete the permission, as described in Deleting Permissions below.
Viewing Permissions
Only superusers can view the permissions of all admin groups.
To view the permissions of an admin group or role:
...