Versions Compared

Version Old Version 1 New Version 2
Changes made by

Panna .

Naveen J Oommen

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

All limited-access admin groups require either read-only or read/write permission to access certain resources, such as Grid members, and DNS and DHCP resources, to perform certain tasks. Therefore, when you create an admin group, you must specify which resources the group is authorized to access and their level of access.

Only superusers can create admin groups and define their administrative permissions. There are two ways to define the permissions of an admin group. You can create an admin group and assign permissions directly to the group, or you can create roles that contain permissions and assign the roles to an admin group.

You must create admin groups and assign them access to the cloud API and applicable permissions so they have authority over delegated objects. When you assign permissions for objects that have not been delegated, these admin groups or admin users assume applicable permissions to these un-delegated objects. For example, you can create an admin group that can access a specific set of networks while another can access another set of networks. Note that you cannot create a new admin group using the same name. For information about Cloud Network Automation, see Deploying Cloud Network Automation.

Complete the following tasks to assign permissions directly to an admin group:

  1. Create an admin group, as described in Creating Limited-Access Admin Groups below.

  2. Assign permissions to the admin group, as described in About Administrative Permissions. Complete these tasks to assign admin roles to an admin group:

  3. Create an admin role, as described in About Admin Roles.

  4. Define permissions for the newly created admin role, as described in Creating Admin Roles, see About Admin Roles.

  5. Create an admin group and assign the role to the group, as described in Creating Limited-Access Admin Groups below.

After you have created admin groups and defined their administrative permissions, you can assign administrators to the group.

...

Superusers have unlimited access to the NIOS appliance. They can perform all operations that the appliance supports. There are some operations, such as creating admin groups and roles, that only superusers can perform.

Note that there must always be one superuser admin account, called "admin", stored in the local database to ensure that at least one administrator can log in to the appliance in case the NIOS appliance loses connectivity to the remote admin databases such as RADIUS servers, AD domain controllers, TACACS+ servers, LDAP servers, or OCSP responders.

NIOS comes with a default superuser admin group (admin-group). It also automatically creates a new admin group, fireeye-group, when you add the first FireEye RPZ (Response Policy Zone). Infoblox recommends that you do not add another admin group with the same name as the default or FireEye admin group. Note that the FireEye admin group is read-only and you cannot assign permissions to it. For more information about FireEye RPZs, see About FireEye Integrated RPZs.

When you install valid licenses and configure your Grid for Cloud Network Automation, NIOS enables the cloud-api-only admin group. You can assign admin users to this group so they are authorized to send cloud API requests to the Cloud Platform Appliances. Note that you cannot delete this admin group or create a new admin group using the same name. For information about Cloud Network Automation, see Deploying Cloud Network Automation.

You can create additional superuser admin groups, as follows:

  1. From the Administration tab, select the Administrators tab -> Groups tab, and then click the Add icon.

  2. In the Add Admin Group wizard, complete the following:

    • Name: Enter a name for the admin group.

    • Comment: Enter useful information about the group, such as location or department. For fireeye-group, NIOS displays Group used to receive FireEye alerts in this field.

    • Disable: Select this to retain an inactivated profile for this admin group in the configuration. For example, you may want to define a profile for recently hired administrators who have not yet started work. Then when they do start, you simply need to clear this checkbox to activate the profile.

  3. Click Next and complete the following:
    Superusers: Select this to grant the admin accounts that you assign to this group full authority to view and configure all types of data and perform all tasks.

  • Allowed Interfaces: Superusers admin groups are automatically granted access to the Infoblox GUI (Grid Manager), API, and CLI. You can specify which API the superusers group can access. Note that you must have the Cloud Network Automation or Cloud Platform license installed to configure access to the cloud API.
    GUI: This is selected by default. The superusers admin group automatically has full access to Grid Manager.
    API: This is selected by default. Note that the following options are displayed only if a cloud license is installed in the Grid.
    CLI: This is selected by default. The superusers admin group automatically has full access to the NIOS CLI.

  • API (WAPI/PAPI only): The superusers admin group has full access to the RESTful API and the Infoblox API by default.

  • Cloud API: Select this to allow the superusers admin group to use the cloud API. This option is available only if a cloud license is installed in the Grid. Select one of the following:

    • Cloud API only (no PAPI): Select this to allow the admin group to use WAPI (RESTful API) to send cloud API requests. Note that the Cloud API uses WAPI exclusively. The group has no access to the Infoblox API.

    • Cloud API and PAPI (No WAPI): Select this to allow the admin group to send API requests and have access to the Infoblox API. However, the group cannot use WAPI to send cloud API calls.

Note

Note

When you assign cloud API access to an admin group, the group assumes full authority over all delegated objects. You must however specifically assign object permissions to the admin group for the group to gain authority over non-delegated objects. For information about how to assign object permissions, see About Administrative Permissions.

4. Click Next and complete the following to define the dashboard template:

...

When you create a limited-access admin group, you can assign roles to it. The group then inherits the permissions of its assigned roles. In addition, you can assign permissions directly to the group. Only superusers can create admin groups.

To create a limited-access admin group:

  1. From the Administration tab, select the Administrators tab -> Groups tab, and then click the Add icon.

  2. In the Add Admin Group wizard, complete the following:

    • Name: Enter a name for the admin group.

    • Comment: Enter useful information about the group, such as location or department.

    • Disable: Select this to retain an inactivated profile for this admin group in the configuration. For example, you may want to define a profile for recently hired administrators who have not yet started work. Then when they do start, you simply need to clear this checkbox to activate the profile.

  3. Click Next and complete the following:

    • Superusers: Clear this checkbox to create a limited-access admin group.

    • Roles: Optionally, click the Add icon to add an admin role to the admin group. In the Role Selector dialog box, select the roles you want to assign to the admin group, and then click the Select icon. Use Shift+click and Ctrl+click to select multiple admin roles. You can assign up to 21 roles to an admin group. The appliance displays the selected roles in the list box. When an admin group is assigned multiple roles, the appliance applies the permissions to the group in the order the roles are listed. Therefore if there are overlapped permissions among the roles, the appliance uses the permission from the role that is listed first and ignores the others. You can reorder the list by selecting a role and clicking the arrow keys to move the role up and down the list. To delete a role, select it and click the Delete icon.

    • Allowed Interfaces: Specify whether the admin group can use the Infoblox GUI (Grid Manager) and the API (application programming interface) to configure the appliance. Note that you must have the Cloud Network Automation or Cloud Platform license installed to configure access to the cloud API.

      GUI: Select this to allow the admin group to use the Infoblox GUI, Grid Manager.

      CLI: Select this to allow the admin group access to the Infoblox CLI. You can select all the commands that you want the group to execute by selecting the command group from the drop-down list. You can then select individual commands from the command group that the admin group can execute . For example, if you want to grant access to the admin group to run all commands related to the Grid command group, select Grid from the drop-down list and select all the commands. You can also select individual commands from the Grid command group that you want the admin group to execute.

      API: Select this to allow the admin group access to the Infoblox API. The following options are available only if a Cloud Network Automation or Cloud Platform license is active in the Grid. You must first select this option to enable the following options.

      • API (WAPI/PAPI only): Select this to allow the admin group to use only the RESTful API and Infoblox API.

      • Cloud API: Select this to allow the admin group to use the cloud API. This option is available only if a Cloud Network Automation or Cloud Platform license is installed in the Grid. Select one of the following:

        • Cloud API only (No PAPI): Select this to allow the admin group to use WAPI (RESTful API) to send cloud API requests. Note that the Cloud API uses WAPI exclusively. The group has no access to the Infoblox API.

        • Cloud API and PAPI (No WAPI): Select this to allow the admin group to send API requests and have access to the Infoblox API. However, the group cannot use RESTful API to send cloud API calls.                 

Note

Notes

  • When you assign cloud API access to an admin group, the group assumes full authority over all delegated objects. You must however specifically assign object permissions to the admin group for the group to gain authority over non-delegated objects. For information about how to assign object permissions, see About Administrative Permissions.

  • The GUI permission that you assign to the admin group is independent of the CLI permission that you assign. That is, you have to assign each of these permissions separately to non-super users. You can track actions and commands of non-super-users in the audit.log file.

  • If you enable CLI commands for reporting users, they will not be able to login to the CLI unless they log in to the Reporting tab in Grid Manager.

  • SAML-only users will not be able to run CLI commands, because such users are created dynamically and hence do have the password. However, users belonging to the saml_local group can run the set series of commands.

  • Cloud users will not be able to run CLI commands because they are delegated users.

...