Page Comparison

You can assign permissions to admin roles which you then assign to admin groups, or you can assign permissions directly to an admin group. The following are permissions you can grant admin groups and roles:

...

NIOS applies permissions hierarchically in a parent-child structure. When you define permissions for a resource, all objects within that resource inherit the same permissions. For example, when you grant an admin group read/write permission for a network, the admin group automatically has read/write permission for objects in that network. To override permissions set at a higher level, you define permissions at a more specific level. For example, you can override the read/write network-level permission by setting read-only or deny permission for a fixed address or a DHCP-enabled host address. To define permissions for a more specific level, see the following:

...

1. For an admin group: From the Administration tab, select the Administrators tab -> Permissions tab -> admin_group in the Groups table, and then click the Add icon -> Global Permissions from the Create New Permission area or select Add -> Global Permissions from the Toolbar.
   or
   For an admin role: From the Administration tab, select the Administrators tab -> Permissions tab -> admin_role in the Roles table, and then click Add icon -> Global Permissions from the Create New Permission area or select Add -> Global Permissions from the Toolbar.
2. Grid Manager displays the Manage Global Permissions editor. For an admin group, the appliance displays the selected admin group in the Group Permission field. For an admin role, the appliance displays the selected admin role in the Role Permission field. You can also select a different group or role from the drop-down list.
3. Select the resources that you want to configure from the Permission Type drop-down list. Depending on your selection, Grid Manager displays the corresponding resources for the selected permission type in the table.
4. Select Read/Write, Read-Only, or Deny for the resources you want to configure. By default, the appliance denies access to resources if you do not specifically configure them.
5. Optionally, select additional resources from the Permission Type drop-down list. Grid Manager appends the new resources to the ones that you have already configured. Define the permissions for the resources you select.
6. Save the configuration and click Restart if it appears at the top of the screen.

The table belowThe table below lists global permissions you can assign to admin groups or admin roles:

 Global Permissions

Defining Object Permissions

You can add permissions to specific objects for selected admin groups or roles. When you add permissions to objects, you can select multiple objects with the same or different object types. When you select multiple objects with the same object type, you can apply permissions to the selected objects as well as the sub object types that are contained in the selected objects. As described in the below figure Selecting Multiple Objects with the Same Object Type, when you select five DNS forward-mapping authoritative zones, the appliance displays the object type "AuthZone" for all the zones. Since all five DNS zones are of the same object type, you can also apply permissions to all the resource records in these zones. The appliance displays the resources in the resource section of the Create Object Permissions editor. You can choose one or more of the resources to which you want to apply permissions.
In Cloud Network Automation, admin groups and admin users who have cloud API access have full permissions to delegated. However, you must specifically assign permissions for objects that have not been delegated in order for any admin groups or admin users to gain permission to these objects. Therefore, an admin group that has access to the cloud API would have full permissions to all delegated objects but limited permissions to non-delegated objects.
For information about how to allow cloud API access to an admin group, see Creating Limited-Access Admin Groups. For information about guidelines for authority delegation, see About Authority Delegation.
 Selecting Multiple Objects with the Same Object Type

...

When you select multiple objects with more than one object type, you can add permissions to the selected objects as well as to the sub object types that are common among the selected objects. For example, when you select three DNS forward-mapping authoritative zones and two DNS IPv4 reverse-mapping authoritative zones as as illustrated in the figure below, you can apply permissions to all the five DNS zones as well as to the CNAME, DNAME, and host records in these zones because CNAME, DNAME, and host records are the common sub object types in these zones.

Multiple Objects with Common Sub Object Types
When you select three DNS forward-mapping authoritative zones and two IPv4 reverse-mapping authoritative zones, you can apply object permissions to all the DNS zones as well as the CNAME, DNAME and Host records in these DNS zones.

...

Admins can perform different tasks on a Grid member based on the permissions they have. The following table outlines the permissions and the tasks admins can perform on a Grid member:
Table 4.3  Member Permissions and Tasks

After you add permissions to an admin group or role for a specific Grid member, you can modify the member permissions and resources. Note that when you modify the member permissions and resources, the appliance updates the permissions of the admin group or role accordingly.
To modify Grid member permissions:

...

For example, an admin from the DNS1 admin group tries to access the a1.test.com A record in the test.com zone in the Infoblox default view. The appliance first checks if the DNS1 admin group has a permission defined for the a1.test.com A record. If there is none, then the appliance checks the roles assigned to DNS1. If there is no permission defined for the a1.test.com A record, the appliance continues checking for permissions in the order listed in the Permission Checking table. The appliance uses the first permission it finds.
 Permission Checking

An admin group that is assigned multiple roles and permissions can have overlaps among the different permissions. As stated earlier, the appliance uses the first permission it finds and ignores the others. For example, as shown in the table Directly-Assigned Permissions and Roles below, if an admin group has read/write permission to all A records in the test.com zone and a role assigned to it is denied permission to test.com, the appliance provides read/write access to A records in the test.com zone, but denies access to the test.com zone and all its other resource records.

Table 4.5Directly-Assigned Permissions and Roles

If the group has multiple roles, the appliance applies the permissions in the order the roles are listed. If there are overlaps in the permissions among the roles, the appliance uses the permission from the role that is listed first. For example, as shown in as shown in the Multiple Roles table, the first role assigned to the admin group has read-only permission to all A records in the test.com zone and the second role has read/write permission to the same records. The appliance applies the permission from the first admin role.

Multiple Roles

You can check for overlapped permissions when you add permissions to roles and to admin groups, and when you assign roles to an admin group. When you create a permission that overlaps with existing permissions, Grid Manager displays a warning message and the SeeConflicts link on which you click to view the overlapped permissions. For information, see Viewing Overlapping Permissions. You can also use the quick filter Overlaps to filter overlapped permissions, the appliance lists permissions that overlap with other permissions. If you want to change the permission the appliance uses, you must change the order in which the roles are listed or change the permissions that are directly assigned to the admin group. For information about Creating Limited-Access Admin Groups,

...

see About Admin Groups.

Viewing Overlapping Permissions

...