You can assign permissions to admin roles which you then assign to admin groups, or you can assign permissions directly to an admin group. The following are permissions you can grant admin groups and roles:
...
Permissions | Description |
---|---|
Grid permissions | Includes Grid DNS properties, Grid DHCP properties, all Grid members, Microsoft servers that are managed by the Grid, network discovery, task scheduling, CSV imports, and all dashboard tasks. |
IPAM permissions | Includes network views, IPv4 and IPv6 networks, and host records. |
DHCP permissions | Includes Grid DHCP properties, network views, IPv4 networks, host records, DHCP ranges, DHCP fixed addresses/reservations, DHCP-enabled host addresses, MAC filters, shared networks, DHCP templates, lease history, and roaming hosts. |
DNS permissions | Includes Grid DNS properties, DNS views, DNS zones, Response Policy Zones, host records, bulk hosts, all DNS resource records, all shared records, and adding a blank A/AAAA record. |
File distribution permissions | Includes Grid-level file distribution properties. |
Reporting permissions | Includes Grid-level reporting properties. |
Administration permissions | Includes all certificate authentication services, CA certificates and object change tracking. |
GLB (Global Load Balancer) permissions | Includes all NIOS managed GLB objects. |
DHCP fingerprint permissions | Includes all DHCP fingerprint related objects. |
Named ACL permissions | Includes all named ACLs (access control lists). |
Cloud permissions | Includes all tenant objects. |
Super host permissions | Includes all super host objects. |
NIOS applies permissions hierarchically in a parent-child structure. When you define permissions for a resource, all objects within that resource inherit the same permissions. For example, when you grant an admin group read/write permission for a network, the admin group automatically has read/write permission for objects in that network. To override permissions set at a higher level, you define permissions at a more specific level. For example, you can override the read/write network-level permission by setting read-only or deny permission for a fixed address or a DHCP-enabled host address. To define permissions for a more specific level, see the following:
...
- For an admin group: From the Administration tab, select the Administrators tab -> Permissions tab -> admin_group in the Groups table, and then click the Add icon -> Global Permissions from the Create New Permission area or select Add -> Global Permissions from the Toolbar.
  or
  For an admin role: From the Administration tab, select the Administrators tab -> Permissions tab -> admin_role in the Roles table, and then click the Add icon -> Global Permissions from the Create New Permission area or select Add -> Global Permissions from the Toolbar.
- Grid Manager displays the Manage Global Permissions editor. For an admin group, the appliance displays the selected admin group in the Group Permission field. For an admin role, the appliance displays the selected admin role in the Role Permission field. You can also select a different group or role from the drop-down list.
- Select the resources that you want to configure from the Permission Type drop-down list. Depending on your selection, Grid Manager displays the corresponding resources for the selected permission type in the table.
- Select Read/Write, Read-Only, or Deny for the resources you want to configure. By default, the appliance denies access to resources if you do not specifically configure them.
- Optionally, select additional resources from the Permission Type drop-down list. Grid Manager appends the new resources to the ones that you have already configured. Define the permissions for the resources you select.
- Save the configuration and click Restart if it appears at the top of the screen.
The table below lists the global permissions you can assign to admin groups or admin roles:
Global Permissions
Permission category | Resource (Read/Write, Read-Only, or Deny) | For more information, see |
---|---|---|
Administration Permissions | All Certificate Authentication Services | Administrative Permissions for Certificate Authentication Services and CA Certificates |
Administration Permissions | All CA Certificates | Administrative Permissions for Certificate Authentication Services and CA Certificates |
Administration Permissions | Object Change Tracking | Administrative Permissions for Object Change Tracking |
Cloud Permissions | All Tenants | Administrative Permissions for Cloud Objects |
Named ACL Permissions | Named ACL | Administrative Permissions for Named ACLs |
DHCP Permissions | Grid DHCP Properties | Administrative Permissions for Common Tasks |
DHCP Permissions | All Network Views | Administrative Permissions for Network Views |
DHCP Permissions | All IPv4/IPv6 Networks | Administrative Permissions for IPv4 and IPv6 Networks and Shared Networks |
DHCP Permissions | All Hosts | Administrative Permissions for Hosts |
DHCP Permissions | All DHCP Fingerprints | Administrative Permissions |
DHCP Permissions | All DHCP MAC Filters | Administrative Permissions for MAC Address Filters |
DHCP Permissions | All IPv4/IPv6 DHCP Fixed Addresses/Reservations | Administrative Permissions for IPv4 or IPv6 Fixed Addresses and IPv4 Reservations |
DHCP Permissions | All IPv4/IPv6 Host Addresses | Administrative Permissions for DHCP Resources |
DHCP Permissions | All IPv4/IPv6 Ranges | Administrative Permissions for IPv4 and IPv6 DHCP Ranges |
DHCP Permissions | All IPv4/IPv6 Shared Networks | Administrative Permissions for IPv4 and IPv6 Networks and Shared Networks |
DHCP Permissions | All IPv4/IPv6 DHCP Templates | Administrative Permissions for IPv4 or IPv6 DHCP Templates |
DHCP Permissions | All Microsoft Superscopes | Administrative Permissions for IPv4 or IPv6 DHCP Templates |
DHCP Permissions | All Roaming Hosts | Administrative Permissions for Roaming Hosts |
DHCP Permissions | DHCP IPv4/IPv6 Lease History | Administrative Permissions for the IPv4 and IPv6 DHCP Lease Histories |
DNS Permissions | Grid DNS Properties | Administrative Permissions for Common Tasks |
DNS Permissions | All DNS Views | Administrative Permissions for Common Tasks |
DNS Permissions | All DNS Zones | Administrative Permissions for Common Tasks |
DNS Permissions | All Hosts | Administrative Permissions for Hosts |
DNS Permissions | All IPv4/IPv6 Host Addresses | Administrative Permissions for DNS Resources with Associated IP Addresses in Networks and Ranges |
DNS Permissions | All Resource Records (A, AAAA, CAA, CNAME, DNAME, NAPTR, MX, PTR, SRV, TXT, TLSA and Bulkhost) | Administrative Permissions for Common Tasks |
DNS Permissions | All Shared Record Groups | Administrative Permissions for Shared Record Groups |
DNS Permissions | All Shared Records (A, AAAA, MX, SRV and TXT) | Administrative Permissions for Common Tasks |
DNS Permissions | All Rulesets (Blacklist Rulesets and NXDOMAIN Rulesets) | Administrative Permissions for DHCP Resources |
DNS Permissions | All DNS64 Synthesis Groups | Administrative Permissions for DNS64 Synthesis Groups |
DNS Permissions | All Response Policy Zones | Administrative Permissions for Zones and License Requirements and Admin Permissions |
DNS Permissions | All Response Policy Rules | Administrative Permissions for Zones and License Requirements and Admin Permissions |
DNS Permissions | All DTC Objects (LBDN Records, LBDNs, Pools, Servers, Monitors, Certificates, GeoIP and Topologies) | Administrative Permissions for Zones and License Requirements and Admin Permissions |
DNS Permissions | Adding a blank A/AAAA record | Administrative Permissions for Common Tasks |
File Distribution Permissions | Grid File Distribution Permissions | Administrative Permissions for File Distribution Services |
Grid Permissions | All Members | Administrative Permissions for Common Tasks |
Grid Permissions | Network Discovery | Administrative Permissions for Discovery |
Grid Permissions | Schedule Tasks | Administrative Permissions for Scheduling Tasks |
Grid Permissions | CSV Import | Administrative Permissions for Named ACLs |
Grid Permissions | All Microsoft Servers | Administrative Permissions for Microsoft Servers |
Grid Permissions | All Dashboard Tasks | Administrative Permissions for Dashboard Tasks |
Grid Permissions | All Kerberos Keys | Configuring GSS-TSIG Keys |
Grid Permissions | All Active Directory Domains | Managing Active Directory Sites |
IPAM Permissions | All Network Views | Administrative Permissions for Common Tasks |
IPAM Permissions | All IPv4 Networks | Administrative Permissions for IPv4 and IPv6 Networks and Shared Networks |
IPAM Permissions | All IPv6 Networks | Administrative Permissions for IPv4 and IPv6 Networks and Shared Networks |
IPAM Permissions | All Hosts | Administrative Permissions for Hosts |
IPAM Permissions | All IPv4 Host Addresses | Administrative Permissions for DNS Resources with Associated IP Addresses in Networks and Ranges |
IPAM Permissions | All IPv6 Host Addresses | Administrative Permissions for DNS Resources with Associated IP Addresses in Networks and Ranges |
IPAM Permissions | Port Control | Administrative Permissions for Discovery |
SAML Permissions | SAML Authentication Services | Administrative Permissions for SAML |
Super Host Permissions | Super Host Permissions | About Administrative Permissions for Super Hosts |
Security Permissions | Grid Security Permissions | Administrative Permissions |
Reporting Permissions | Grid Reporting Permissions | Administrative Permissions for Common Tasks |
Reporting Permissions | Reporting Dashboard | Administrative Permissions for Reporting |
Reporting Permissions | Reporting Search | Administrative Permissions for Reporting |
VLAN Permissions | VLAN views, VLAN ranges, and VLAN objects | Administrative Permissions for VLAN Management |
Defining Object Permissions
You can add permissions to specific objects for selected admin groups or roles. When you add permissions to objects, you can select multiple objects with the same or different object types. When you select multiple objects with the same object type, you can apply permissions to the selected objects as well as to the sub object types that are contained in the selected objects. As shown in the figure Selecting Multiple Objects with the Same Object Type below, when you select five DNS forward-mapping authoritative zones, the appliance displays the object type "AuthZone" for all the zones. Since all five DNS zones are of the same object type, you can also apply permissions to all the resource records in these zones. The appliance displays the resources in the resource section of the Create Object Permissions editor. You can choose one or more of the resources to which you want to apply permissions.
In Cloud Network Automation, admin groups and admin users who have cloud API access have full permissions to delegated objects. However, you must specifically assign permissions for objects that have not been delegated in order for any admin groups or admin users to gain permission to these objects. Therefore, an admin group that has access to the cloud API has full permissions to all delegated objects but limited permissions to non-delegated objects.
For information about how to allow cloud API access to an admin group, see Creating Limited-Access Admin Groups. For information about guidelines for authority delegation, see About Authority Delegation.
Selecting Multiple Objects with the Same Object Type
...
When you select multiple objects with more than one object type, you can add permissions to the selected objects as well as to the sub object types that are common among the selected objects. For example, when you select three DNS forward-mapping authoritative zones and two DNS IPv4 reverse-mapping authoritative zones, as illustrated in the figure below, you can apply permissions to all five DNS zones as well as to the CNAME, DNAME, and host records in these zones, because CNAME, DNAME, and host records are the common sub object types in these zones.
Multiple Objects with Common Sub Object Types
When you select three DNS forward-mapping authoritative zones and two IPv4 reverse-mapping authoritative zones, you can apply object permissions to all the DNS zones as well as the CNAME, DNAME and Host records in these DNS zones.
...
Admins can perform different tasks on a Grid member based on the permissions they have. The following table outlines the permissions and the tasks admins can perform on a Grid member:
Table 4.3 Member Permissions and Tasks
Grid Member permission | Member DNS or DHCP Properties | Restart DNS or DHCP on Grid Member |
---|---|---|
Read/Write | | |
Read-only | | |
Deny | | |
After you add permissions to an admin group or role for a specific Grid member, you can modify the member permissions and resources. Note that when you modify the member permissions and resources, the appliance updates the permissions of the admin group or role accordingly.
To modify Grid member permissions:
...
For example, an admin from the DNS1 admin group tries to access the a1.test.com A record in the test.com zone in the Infoblox default view. The appliance first checks if the DNS1 admin group has a permission defined for the a1.test.com A record. If there is none, then the appliance checks the roles assigned to DNS1. If there is no permission defined for the a1.test.com A record, the appliance continues checking for permissions in the order listed in the Permission Checking table. The appliance uses the first permission it finds.
Permission Checking
The appliance checks object permissions from the most to the least specific, as listed. | For each object, the appliance checks permissions in the order listed. |
---|---|
| a. DNS1 admin group; b. Role 1, Role 2, Role 3… |
An admin group that is assigned multiple roles and permissions can have overlaps among the different permissions. As stated earlier, the appliance uses the first permission it finds and ignores the others. For example, as shown in the table Directly-Assigned Permissions and Roles below, if an admin group has read/write permission to all A records in the test.com zone and a role assigned to it is denied permission to test.com, the appliance provides read/write access to A records in the test.com zone, but denies access to the test.com zone and all its other resource records.
Table 4.5 Directly-Assigned Permissions and Roles
Permission assigned to the admin group | Read/Write to all A records in the test.com zone |
Permission inherited from an admin role | Deny to the test.com zone |
Effective permissions | Deny to the test.com zone; Read/Write to all A records in the test.com zone; Deny to all other resource records in the test.com zone |
If the group has multiple roles, the appliance applies the permissions in the order the roles are listed. If there are overlaps in the permissions among the roles, the appliance uses the permission from the role that is listed first. For example, as shown in the Multiple Roles table, the first role assigned to the admin group has read-only permission to all A records in the test.com zone and the second role has read/write permission to the same records. The appliance applies the permission from the first admin role.
Multiple Roles
Role 1 permission | Read-only to all A records in the test.com zone |
Role 2 permission | Read/Write to all A records in the test.com zone; Read/Write to all MX records in the test.com zone |
Effective permissions | Deny to the test.com zone; Read-only to all A records in the test.com zone; Read/Write to all MX records in the test.com zone |
You can check for overlapping permissions when you add permissions to roles and to admin groups, and when you assign roles to an admin group. When you create a permission that overlaps with existing permissions, Grid Manager displays a warning message and a See Conflicts link; click the link to view the overlapping permissions. For information, see Viewing Overlapping Permissions. You can also use the Overlaps quick filter, which makes the appliance list only the permissions that overlap with other permissions. If you want to change the permission the appliance uses, you must change the order in which the roles are listed or change the permissions that are directly assigned to the admin group. For information about Creating Limited-Access Admin Groups,
...
see About Admin Groups.
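The resolution order described above (most specific object first, the admin group's directly assigned permissions before its roles, roles in their listed order, first match wins, deny by default) and the overlap check, as an added Python example that is not Infoblox code. The concrete specificity levels, the `Perm` model and the function names are assumptions of the example; the permission data reproduce the Directly-Assigned Permissions and Roles and Multiple Roles tables on this page.

```python
from dataclasses import dataclass

# Specificity levels, most specific first. The page states only that the check runs
# from most to least specific; this concrete ordering is an assumption of the example.
LEVELS = ("record", "record_type", "zone")

@dataclass(frozen=True)
class Perm:
    level: str   # one of LEVELS
    target: str  # "a1.test.com/A" (record), "test.com/A" (record type in zone), "test.com" (zone)
    access: str  # "Read/Write", "Read-Only" or "Deny"

def resolve(wanted, group_perms, roles):
    """Return the first matching permission: most specific level first; within a level the
    group's directly assigned permissions are checked before its roles, in listed order."""
    for level in LEVELS:
        if level not in wanted:
            continue
        for perms in (group_perms, *roles):
            for p in perms:
                if p.level == level and p.target == wanted[level]:
                    return p.access
    return "Deny"  # nothing configured for the object: the appliance denies by default

def record_access(group_perms, roles, name, rtype, zone):
    """Effective permission on one resource record, e.g. the a1.test.com A record."""
    wanted = {"record": f"{name}/{rtype}", "record_type": f"{zone}/{rtype}", "zone": zone}
    return resolve(wanted, group_perms, roles)

def zone_access(group_perms, roles, zone):
    """Effective permission on the zone object itself."""
    return resolve({"zone": zone}, group_perms, roles)

def overlaps(group_perms, roles):
    """Targets configured by more than one source; only the first source's setting takes effect."""
    sources = [("group", group_perms)] + [(f"role{i + 1}", r) for i, r in enumerate(roles)]
    seen = {}
    for label, perms in sources:
        for p in perms:
            seen.setdefault((p.level, p.target), []).append((label, p.access))
    return {t: s for t, s in seen.items() if len(s) > 1}

# Table "Directly-Assigned Permissions and Roles" on this page
DIRECT = [Perm("record_type", "test.com/A", "Read/Write")]
DENY_ZONE_ROLE = [Perm("zone", "test.com", "Deny")]
# Table "Multiple Roles" on this page (no directly assigned group permission)
ROLE1 = [Perm("record_type", "test.com/A", "Read-Only")]
ROLE2 = [Perm("record_type", "test.com/A", "Read/Write"),
         Perm("record_type", "test.com/MX", "Read/Write")]
```

Calling `record_access(DIRECT, [DENY_ZONE_ROLE], "a1.test.com", "A", "test.com")` gives Read/Write while `zone_access` on test.com gives Deny, matching Table 4.5; `overlaps([], [ROLE1, ROLE2])` flags the A-record target that both roles configure.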
Viewing Overlapping Permissions
...