You can assign permissions to admin roles which you then assign to admin groups, or you can assign permissions directly to an admin group. The following are permissions you can grant admin groups and roles:
...
By default, the superuser group (admin-group) has full access to all resources on the appliance. Superusers can create limited-access admin groups and grant them permissions to resources at the global and object levels.
Limited-access admin groups must have either read-only or read/write permissions assigned in order to view information or perform tasks on any supported objects.
When you assign permissions at the global level, the permissions apply to all objects that belong to the specified resource. For example, when you define a read/write permission to all DHCP networks, the permission applies to all DHCP ranges and fixed addresses in the networks. For information about global permissions, see the Defining Global Permissions section.
You can also define permissions at a more granular level, such as for a specific Grid member, DNS zone, Response Policy Zone, network, and even an individual database object, such as a resource record or fixed address. When you define a permission at the object level, admins with this permission can only manage the specified object and its associated objects. For information about object permissions, see the Defining Object Permissions section.
You can use global and object permissions to restrict admins to specific DNS and DHCP resources on specific Grid members by assigning the appropriate permissions. You can use this feature to separate DNS and DHCP administration on selected Grid members. For more information, see the Defining DNS and DHCP Permissions on Grid Members section.
You can configure global permissions, object permissions, and member DNS and DHCP permissions for default and custom admin groups and roles. You cannot however define permissions for the factory default roles, such as DHCP Admin.
The appliance supports the following permissions:
...
- Permissions for common tasks, as described in in Administrative Permissions for Common Tasks.
- Permissions for the Grid and Grid members, as described in Administrative Permission for the Grid.
- Permissions for IPAM resources, such as IPv6 networks, as described in Administrative Permissions for IPAM Resources.
- Permissions for DNS resources, such as DNS views and A records, as described in Administrative Permissions for DNS Resources.
- Permissions for DNS resource with associated IP addresses in networks and ranges, as described in Administrative Permissions for DNS Resources with Associated IP addresses in Networks and Ranges.
- Permissions for DHCP resources, such as network views and fixed addresses, as described in in Administrative Permissions for DHCP Resources.
- Permissions for file distribution services, as described in in Administrative Permissions for File Distribution Services.
- Permissions for certificate authentication services and CA certificates, as described in Administrative Permissions for Certificate Authentication Services and CA Certificates.
- Permissions for object change tracking, as described in in Administrative Permissions for Object Change Tracking.
- Permissions for GLB and GLB objects, as described in in Administrative Permissions for Load Balancers.
- Permissions for Cloud objects, as described in Administrative Permissions for Cloud Objects.
When you set permissions that overlap with existing permissions, Grid Manager displays a warning about the overlaps. You can view detailed information and find out which permissions the appliance uses and which ones it ignores. For information, see the Applying Permissions and Managing Overlaps section.
Defining Global Permissions
...
Permissions (Read/Write, Read-Only, or Deny) | ||
---|---|---|
Administration Permissions | All Certificate Authentication Services | For more information, see see Administrative Permissions for Certificate Authentication Services and CA Certificates. |
All CA Certificates | ||
Object Change Tracking | For more information, see see Administrative Permissions for Object Change Tracking. | |
Cloud Permissions | All Tenants | For more information, see see Administrative Permissions for Cloud Objects. |
Named ACL Permissions | Named ACL | For more information, see see Administrative Permissions for Named ACLs. |
DHCP Permissions | Grid DHCP Properties | For more information, see Administrative Permissions for Common Tasks. |
All Network Views | For more information, see see Administrative Permissions for Network Views. | |
All IPV4/IPv6 Networks | For more information, see see Administrative Permissions for IPv4 and IPv6 Networks and Shared Networks. | |
All Hosts | For more information, see see Administrative Permissions for Hosts. | |
All DHCP Fingerprints | For more information, see see Administrative Permissions. | |
All DHCP MAC Filters | For more information, see see Administrative Permissions for MAC Address Filters. | |
All IPv4/IPv6 DHCP Fixed Addresses/Reservations | For more information, see see Administrative Permissions for IPv4 or IPv6 Fixed Addresses and IPv4 Reservations. | |
All IPv4/IPv6 Host Addresses | For more information, see Administrative Permissions for DHCP Resources. | |
All IPv4/IPv6 Ranges | For more information, see see Administrative Permissions for IPv4 and IPv6 DHCP Ranges. | |
All IPv4/IPv6 Shared Networks | For more information, see see Administrative Permissions for IPv4 and IPv6 Networks and Shared Networks. | |
All IPv4/IPv6 DHCP Templates | For more information, see Administrative Permissions for IPv4 or IPv6 DHCP Templates. | |
All Microsoft Superscopes | For more information, see see Administrative Permissions for IPv4 or IPv6 DHCP Templates. | |
All Roaming Hosts | For more information, see see Administrative Permissions for Roaming Hosts. | |
DHCP IPv4/IPv6 Lease History | For more information, see see Administrative Permissions for the IPv4 and IPv6 DHCP Lease Histories. | |
DNS Permissions Grid | DNS Properties | For more information, see Administrative Permissions for Common Tasks. |
All DNS Views | For more information, see Administrative Permissions for Common Tasks. | |
All DNS Zones | For more information, see Administrative Permissions for Common Tasks. | |
All Hosts | For more information, see see Administrative Permissions for Hosts. | |
All IPV4/IPV6 Host Addresses | For more information, see Administrative Permissions for DNS Resources with Associated IP addresses in Networks and Ranges. | |
All Resource Records (A, AAAA, CAA, CNAME, DNAME, NAPTR, MX, PTR, SRV, TXT, TLSA and Bulkhost) | For more information, see Administrative Permissions for Common Tasks. | |
All Shared Record Groups | For more information, see see Administrative Permissions for Shared Record Groups. | |
All Shared Records (A, AAAA, MX, SRV and TXT) | For more information, see Administrative Permissions for Common Tasks. | |
All Rulesets (BLACK List Rulesets and NXDOMAIN Rulesets) | For more information, see see Administrative Permissions for DHCP Resources. | |
All DNS64 Synthesis Groups | For more information, see see Administrative Permissions for DNS64 Synthesis Groups. | |
All Response Policy Zones | For more information, see see Administrative Permissions for Zonesand and License Requirements and Admin Permissions. | |
All Response Policy Rules | For more information, see see Administrative Permissions for Zonesand and License Requirements and Admin Permissions. | |
All DTC Objects (LBDN Records, LBDNs, Pools, Servers, Monitors, Certificates, GeoIP and Topologies) | For more information, see see Administrative Permissions for Zonesand and License Requirements and Admin Permissions. | |
Adding a blank A/AAAA record | For more information, see Administrative Permissions for Common Tasks. | |
File Distribution Permissions | Grid File Distribution Permissions | For more information, see Administrative Permissions for File Distribution Services. |
Grid Permissions | All Members | For more information, see Administrative Permissions for Common Tasks. |
Network Discovery | For more information, see Administrative Permissions for Discovery. | |
Schedule Tasks | For more information, see see Administrative Permissions for Scheduling Tasks. | |
CSV Import | For more information, see Administrative Permissions for Named ACLs. | |
All Microsoft Servers | For more information, see see Administrative Permissions for Microsoft Servers. | |
All Dashboard Tasks | For more information, see Administrative Permissions for Dashboard Tasks. | |
All Kerberos keys | For more information, see Configuring GSS-TSIG keys. | |
All Active Directory Domains | For more information, see Managing Active Directory Sites. | |
IPAM Permissions | All Network Views | For more information, see Administrative Permissions for Common Tasks. |
All IPv4 Networks | For more information, see see Administrative Permissions for IPv4 and IPv6 Networks and Shared Networks. | |
All IPv6 Networks | For more information, see see Administrative Permissions for IPv4 and IPv6 Networks and Shared Networks. | |
All Hosts | For more information, see see Administrative Permissions for Hosts. | |
All IPv4 Host Addresses | For more information, see Administrative Permissions for DNS Resources with Associated IP addresses in Networks and Ranges. | |
All IPv6 Host Addresses | For more information, see Administrative Permissions for DNS Resources with Associated IP addresses in Networks and Ranges. | |
Port Control | For more information, see Administrative Permissions for Discovery. | |
SAML Permissions | SAML Authentication Services | For more information, see Administrative Permissions for SAML. |
Super Host Permissions | Super Host Permissions | For more information, see About Administrative Permissions for Super Hosts. |
Security Permissions | Grid Security Permissions | For more information, see Administrative Permissions. |
Reporting Permissions | Grid Reporting Permissions | For more information, see Administrative Permissions for Common Tasks. |
Reporting Dashboard | For more information, see Administrative Permissions for Reporting. | |
Reporting Search | For more information, see Administrative Permissions for Reporting. | |
VLAN Permissions | VLAN views, VLAN ranges, and VLAN objects | For more information, see Administrative Permissions for VLAN Management. |
Defining Object Permissions
You can add permissions to specific objects for selected admin groups or roles. When you add permissions to objects, you can select multiple objects with the same or different object types. When you select multiple objects with the same object type, you can apply permissions to the selected objects as well as the sub object types that are contained in the selected objects. As described in the below figure Selecting Multiple Objects with the Same Object Type, when you select five DNS forward-mapping authoritative zones, the appliance displays the object type "AuthZone" for all the zones. Since all five DNS zones are of the same object type, you can also apply permissions to all the resource records in these zones. The appliance displays the resources in the resource section of the Create Object Permissions editor. You can choose one or more of the resources to which you want to apply permissions.
In Cloud Network Automation, admin groups and admin users who have cloud API access have full permissions to delegated. However, you must specifically assign permissions for objects that have not been delegated in order for any admin groups or admin users to gain permission to these objects. Therefore, an admin group that has access to the cloud API would have full permissions to all delegated objects but limited permissions to non-delegated objects.
For information about how to allow cloud API access to an admin group, see Creating Limited-Access Admin Groups. For information about guidelines for authority delegation, see see About Authority Delegation.
Selecting Multiple Objects with the Same Object Type
...
When you select multiple objects with more than one object type, you can add permissions to the selected objects as well as to the sub object types that are common among the selected objects. For example, when you select three DNS forward-mapping authoritative zones and two DNS IPv4 reverse-mapping authoritative zones as as illustrated in the figure below, you can apply permissions to all the five DNS zones as well as to the CNAME, DNAME, and host records in these zones because CNAME, DNAME, and host records are the common sub object types in these zones.
Multiple Objects with Common Sub Object Types
When you select three DNS forward-mapping authoritative zones and two IPv4 reverse-mapping authoritative zones, you can apply object permissions to all the DNS zones as well as the CNAME, DNAME and Host records in these DNS zones.
...
Grid Manager displays a warning message when the permissions you define here overlap with other permissions in the system. Click See Conflicts to view the overlapping permissions in the Permissions Conflict dialog box. For information, see the Applying Permissions and Managing Overlaps section.
You can also set permissions for specific objects from the objects themselves. For example, to define permissions for a particular Grid member, navigate to that Grid member and define its permissions.
To define the permissions of a specific object:
...
You can restrict certain admin groups or roles to perform specific DNS and DHCP tasks on specific Grid members by assigning the correct global and object permissions. You can use this feature to separate the DNS and DHCP administration on different Grid members. For example, you can create an admin group or role that can only create, modify, and delete DHCP ranges in a specific network on a specific member in the Grid. This admin group or role is restricted to the specified tasks on the selected Grid member. It cannot perform other DNS or DHCP tasks on this member, and it cannot perform the specified tasks on other Grid members.
For example, you can define permissions that allow admins to create, modify, and delete DHCP ranges in network 10.0.0.0/8 on Grid member "sales.infoblox.com" by granting read/write object permissions to all DHCP ranges, network 10.0.0./8, and member DHCP on sales.infoblox.com. Admins with these permissions can only add, modify, and delete DHCP ranges in network 10.0.0.0/8 on Grid member sales.infoblox.com. They cannot perform other DHCP or DNS tasks on the member, and they cannot perform these tasks on other Grid members.
For information about required permissions for specific DNS and DHCP tasks, see see Administrative Permissions for Common Tasks.
You can define the following DNS and DHCP permissions for an admin group or role:
...
To specify member DNS and DHCP permissions, define DNS or DHCP permissions at the global or object level for an admin group or admin role, as described in sections Defining Global Permissions and Defining Object Permissions. Ensure that you include the Grid member object to which you want to restrict DNS or DHCP administration. You can assign valid permissions to administrators to manage kerberos keys. For more information, see Configuring GSS-TSIG keys.
You can also control whether the admins can modify DNS or DHCP properties on a member, as described in the Modifying Permissions on a Grid Member section.
Modifying Permissions on a Grid Member
...
An admin group that is assigned multiple roles and permissions can have overlaps among the different permissions. As stated earlier, the appliance uses the first permission it finds and ignores the others. For example, as shown in the table Directly-Assigned Permissions and Roles below, if an admin group has read/write permission to all A records in the test.com zone and a role assigned to it is denied permission to test.com, the appliance provides read/write access to A records in the test.com zone, but denies access to the test.com zone and all its other resource records.
...
If the group has multiple roles, the appliance applies the permissions in the order the roles are listed. If there are overlaps in the permissions among the roles, the appliance uses the permission from the role that is listed first. For example, as shown in as shown in the Multiple Roles table, the first role assigned to the admin group has read-only permission to all A records in the test.com zone and the second role has read/write permission to the same records. The appliance applies the permission from the first admin role.
...
You can check for overlapped permissions when you add permissions to roles and to admin groups, and when you assign roles to an admin group. When you create a permission that overlaps with existing permissions, Grid Manager displays a warning message and the SeeConflicts link on which you click to view the overlapped permissions. For information, see the Viewing Overlapping Permissions section. You can also use the quick filter Overlaps to filter overlapped permissions, the appliance lists permissions that overlap with other permissions. If you want to change the permission the appliance uses, you must change the order in which the roles are listed or change the permissions that are directly assigned to the admin group. For information about Creating Limited-Access Admin Groups, see About Admin Groups.
Viewing Overlapping Permissions
...