
About Administrative Permissions

You can assign permissions to admin roles which you then assign to admin groups, or you can assign permissions directly to an admin group. On the Master Grid, only superuser admins can manage permissions. Limited-access users cannot grant permissions to any admin groups or roles.
The following are permissions superuser admins can grant admin groups and roles:

    • Read/Write (RW): Allows admins to add, modify, delete, view, and search for a resource.
    • Read-Only (RO): Allows admins to view and search for a resource. Admins cannot add, modify, or delete the resource.
    • Deny: Prevents admins from adding, modifying, deleting, and viewing a resource. This is the default permission level for all resources.

By default, the superuser group (admin-group) has full access to all Master Grid objects and all synchronized objects of the managed Grids. Superusers can grant permissions to objects at the global and object levels. They also have full privileges to all managed Grids, so they can create networks and delegate them to the Grids. For information, see /wiki/spaces/mgmadminguide/pages/911183330. Limited-access admin groups, however, must have either Read-Only or Read/Write permission assigned in order to perform tasks on any supported objects.
Besides defining permissions for Master Grid objects, superusers can also define permissions for synchronized objects that are configured on managed Grids. When managed Grids synchronize objects with the Master Grid, all permissions associated with the objects are also synchronized. Though you cannot modify the original permissions of a synchronized object, you can assign new permissions that you can then later assign to local users in the Master Grid. Note that new permissions defined for the Master Grid can only be used for local users in the Master Grid. They do not affect the original permissions defined in the managed Grid.
When you log in to the Master Grid, you inherit the permissions of the admin group to which you belong. The superuser admin can grant you additional permissions to specific objects. When you validate your user account with other users of specific managed Grids, not only can you access the Grids through SSO (Single Sign On), you also adopt the permissions of the users of the Grids you have validated, plus your local permissions from the Master Grid. For information about validating users, see /wiki/spaces/mgmadminguide/pages/911180119.
You can define user permissions at a global level, such as for all IPv4 and IPv6 networks. You can also define permissions at a more granular level, such as for a specific IPv4 network. For information, see 19282588 19282588 and 19282588.
When you set permissions that overlap with existing permissions, Multi-Grid Manager displays a warning about the overlaps. You can view detailed information and find out which permissions the appliance uses and which ones it ignores. For information, see 19282588.

Defining Global Permissions

You can define the following permission types at the global level:

  • IPAM Permissions: Permissions to all network views, which give you permissions to all IPv4 and IPv6 networks.
  • Master Grid Permissions: Permissions to all Master Grid members and the Scheduled Tasks permission.
  • Grids Permissions: Permissions to all managed Grids in the Master Grid.

To define global permissions:

  1. For an admin group: From the Administration tab, select the Administrators tab -> Permissions tab -> admin_group in the Groups table, and then click the Add icon -> Global Permissions from the Create New Permission area or select Add -> Global Permissions from the Toolbar.
    or
    For an admin role: From the Administration tab, select the Administrators tab -> Permissions tab -> admin_role in the Roles table, and then click the Add icon -> Global Permissions from the Create New Permission area or select Add -> Global Permissions from the Toolbar.
  2. Multi-Grid Manager displays the Manage Global Permissions editor. For an admin group, the appliance displays the selected admin group in the Group Permission field. For an admin role, the appliance displays the selected admin role in the Role Permission field. You can also select a different group or role from the drop-down list.
  3. Select the permission you want to configure from the Permission Type drop-down list. Depending on your selection, Multi-Grid Manager displays the corresponding resources for the selected permission type in the table.
  4. Select Read/Write, Read-Only, or Deny for the resources you want to configure. By default, the appliance denies access to resources if you do not specifically configure them.
  5. Optionally, select additional resources from the Permission Type drop-down list. Multi-Grid Manager appends the new resources to the ones that you have already configured. Define the permissions for the resources you select.
  6. Save the configuration.

Defining Object Permissions

You can add permissions to specific objects, such as the Comment field or a specific IPv4 network, for selected admin groups or roles. When you add permissions to objects, you can select multiple objects with the same or different object types. When you select multiple objects with the same object type, you can apply permissions to the selected objects as well as the sub object types that are contained in the selected objects. When you select multiple objects with more than one object type, you can add permissions to the selected objects as well as to the sub object types that are common among the selected objects.
You can define permissions for the following object types:

  • Grid: Permissions to the matching managed Grids.
  • IPv4 Networks: Permissions to the matching IPv4 networks.
  • IPv6 Networks: Permissions to the matching IPv6 networks.
  • Member: Permissions to the matching Master Grid members.
  • IPv4 and IPv6 Networks: Permissions to all matching IPv4 and IPv6 networks.

To define object permissions for an admin group or role:

  1. For an admin group: From the Administration tab, select the Administrators tab -> Permissions tab -> admin_group in the Groups table, and then click the Add icon -> Object Permissions from the Create New Permission area or select Add -> Object Permissions from the Toolbar.
    or
    For an admin role: From the Administration tab, select the Administrators tab -> Permissions tab -> admin_role in the Roles table, and then click the Add icon -> Object Permissions from the Create New Permission area or select Add -> Object Permissions from the Toolbar.
  2. Multi-Grid Manager displays the Create Object Permissions wizard. For an admin group, the appliance displays the selected group in the Group Permission field. For an admin role, the appliance displays the selected admin role in the Role Permission field. You can also select a different group or role from the drop-down list.
  3. Click Select Object(s). Multi-Grid Manager displays the Object Selector dialog box.
  4. In the Object Selector dialog box, complete the following:
    • Enter a value or partial value of an object in the first field. This field is not case-sensitive. For example, if the object to which you want to define permissions contains "Infoblox", enter Infoblox here.
    • Select the object type for which you are searching in the Type drop-down list. By default, the appliance searches all object types.
    • In the operator drop-down list, select an operator for the filter criteria. Depending on what you select in the first filter field, this list displays the relevant operators for the selection.
    • In the value field, enter or select the attribute value for the first filter field. Depending on what you select for the first two filter fields, you can either enter a value or select a value from a drop-down list.
  5. Click Search. The appliance lists all matching objects in the table. You can select multiple object types by clicking the Add icon to add more filter criteria. You can also click Reset to clear all entries.
  6. Select the checkboxes of the objects to which you are defining permissions, and then click the Select icon.
  7. In the Create Object Permissions wizard, do the following:
    • Object: Displays the name of the selected object. When you select multiple objects, the appliance displays Multiple here. Mouse over the information icon to view the list of objects to which you are defining permissions.
    • Object Type: Displays the object type of the selected object. When you select more than one object type, the appliance displays Multiple here.
    • Resource: Displays the selected objects. When you select more than one object type, the appliance displays Multiple Selected Objects here. Mouse over the information icon to view the list of objects to which you are defining permissions. Grant the resources an appropriate permission: Read/Write, Read-Only, or Deny.
  8. Save the configuration.

Multi-Grid Manager displays a warning message when the permissions you define here overlap with other permissions in the system. Click See Conflicts to view the overlapping permissions in the Permissions Conflict dialog box. For information, see 19282588.
You can also set permissions for specific objects from the objects themselves. For example, to define permissions for all IPv4 networks, navigate to the Multi-Grid Master and define its permissions.
To define the permissions of a specific object:

  1. Navigate to the object. For example, to define permissions for a particular network, from the Data Management tab, select the Master Grid tab -> Members tab -> Multi-Grid Master checkbox, and then click the Edit icon.
  2. In the editor, select the Permissions tab, and then do one of the following:
    • Click the Add icon to add permission to the object. In the Admin Group/Role Selector dialog box, select an admin group or role to which you want to assign the permission, and then click the Select icon.
    • Modify the permission and resource type of a selected admin group or role.
    • Select an admin group or role and click the Delete icon to delete it.
  3. Save the configuration.

Applying Permissions and Managing Overlaps

In the Master Grid, when an admin tries to access an object, the appliance checks the permissions of the group to which the admin belongs. Because permissions at more specific levels override those set at a higher level, the appliance checks object permissions hierarchically—from the most to the least specific. In addition, if the admin group has permissions assigned directly to it and permissions inherited from its assigned roles, the appliance checks the permissions in the following order:

  1. Permissions assigned directly to the admin group.
  2. Permissions inherited from admin roles in the order they are listed in the Roles tab of the Admin Group editor.

For example, an admin from the Network1 admin group tries to access the 10.0.0.0/16 IPv4 network. The appliance first checks if the Network1 admin group has permission defined for the network. If there is none, then the appliance checks the roles assigned to Network1. If there is no permission defined for the 10.0.0.0/16 network, the appliance continues checking for permissions in the order listed in 19282588. The appliance uses the first permission it finds.

Table 4.2 Permission Checking

The appliance checks object permissions from the most to the least specific, as listed:

  1. 10.0.0.0/16 network
  2. All IPv4 networks in a specific network view of a Grid
  3. The specific network view of a Grid
  4. All IPv4 networks in a specific Grid
  5. All IPv4 networks

For each object, the appliance checks permissions in the order listed:

  1. Network1 admin group
  2. Role 1, Role 2, Role 3…

An admin group that is assigned multiple roles and permissions can have overlaps among the different permissions. As stated earlier, the appliance uses the first permission it finds and ignores the others. For example, as shown in 19282588, if an admin group has Read/Write permissions to Grid1 and all IPv4 networks, and a role assigned to it is denied permission to all IPv6 networks, the appliance provides Read/Write access to IPv4 networks in Grid1, but denies access to all IPv6 networks in Grid1.

Table 4.3 Directly-Assigned Permissions and Roles

Permissions assigned to the admin group on the Master Grid     Read/Write to all IPv4 networks
                                                               Read/Write to Grid1
Permission inherited from an admin role on the Master Grid     Deny to all IPv6 networks
Effective permissions                                          Read/Write to all IPv4 networks in Grid1
                                                               Deny to all IPv6 networks in Grid1



If the group has multiple roles, the appliance applies the permissions in the order the roles are listed. If there are overlaps in the permissions among the roles, the appliance uses the permission from the role that is listed first. For example, as shown in 19282588, the first role assigned to the admin group has Read-Only permission to the 10.0.0.0/24 IPv4 network in Grid1, and the second role has Read/Write permission to the same network. The appliance applies the permission from the first admin role.

Table 4.4 Multiple Roles

Role 1 permission       Read-only to 10.0.0.0/24 in Grid1
Role 2 permission       Read/Write to all IPv4 networks in Grid1
                        Read/Write to all IPv6 networks in Grid1
Effective permissions   Read-only to 10.0.0.0/24 in Grid1
                        Read/Write to all IPv6 networks in Grid1

When managed Grids synchronize objects with the Master Grid, all permissions associated with the objects are synchronized. Though you cannot change the synchronized permissions, you inherit them if you validate a user of the Grid to which the objects belong. The appliance takes into account both the Master Grid permissions and the synchronized permissions. As illustrated in 19282588, as an admin user, you are assigned permissions to specific networks at the Master Grid level. You also inherit the synchronized permissions of the networks from the managed Grid because you have user validation to that Grid. As a result, your effective permissions to these networks are a combination of the Master Grid permissions and the synchronized permissions of the managed Grid. Note that the Master Grid permissions supersede the managed Grid permissions when there is an overlapping permission.

Table 4.5 Master Grid and Managed Grid permissions

                                Permission 1                                        Permission 2
Master Grid permissions         Read/Write to 10.0.0.0/8                            Read/Write to 10.0.0.0/8
                                Read/Write to 20.0.0.0/8                            Read/Write to 20.0.0.0/8
                                Read/Write to 30.0.0.0/16                           Read/Write to 30.0.0.0/16
                                Read/Write to 40.0.0.0/8                            Read/Write to 40.0.0.0/8
Synchronized permissions        Read-only to 10.0.0.0/8                             Deny to 10.0.0.0/8
of the managed Grid             Read-only to 20.0.0.0/16                            Deny to 20.0.0.0/16
                                Read-only to 30.0.0.0/8                             Deny to 30.0.0.0/8
                                Read-only to 40.0.0.0/8                             Deny to 40.0.0.0/8
Effective permissions           Read/Write to 10.0.0.0/8                            Read/Write to 10.0.0.0/8
                                Read/Write to 20.0.0.0/8 (except the /16 network)   Read/Write to 20.0.0.0/8 (except the /16 network)
                                Read-only to 20.0.0.0/16                            Deny to 20.0.0.0/16
                                Read-only to 30.0.0.0/8 (except the /16 network)    Deny to 30.0.0.0/8 (except the /16 network)
                                Read/Write to 30.0.0.0/16                           Read/Write to 30.0.0.0/16
                                Read/Write to 40.0.0.0/8                            Read/Write to 40.0.0.0/8
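The checking order of Tables 4.2 through 4.4 (most specific object first; for each object, the admin group's own permissions before its roles in listed order) and the combination of Master Grid and synchronized permissions in Table 4.5 can be worked through with the following model. It is an added example, not Infoblox code or Multi-Grid Manager's own logic: the scope constants, the Target and Permission classes, the check and merge_with_synchronized functions, and the sample data are constructed here. The merge rule it implements, that the most specific network wins and the Master Grid entry supersedes only when both sources cover the same network, is an assumption read off the rows of Table 4.5; the page itself states only that Master Grid permissions supersede on an overlap. The same scope-then-source order is what the Conflict Status column described under Viewing Overlapped Permissions reports.

```python
# Added example (not Infoblox code): a model of the Master Grid permission
# checking order.  Scope constants, the Target/Permission classes and the
# tie-break in merge_with_synchronized are assumptions drawn from Tables 4.2-4.5.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple, Union

RW, RO, DENY = "Read/Write", "Read-Only", "Deny"
Net = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Object scopes in checking order, 1 = most specific (Table 4.2).
NETWORK, VIEW_ALL_NETS, VIEW, GRID_ALL_NETS, ALL_NETS = 1, 2, 3, 4, 5


@dataclass(frozen=True)
class Target:
    """The network an admin tries to access and the Grid/view it belongs to."""
    network: Net
    grid: str
    view: str = "default"


@dataclass(frozen=True)
class Permission:
    level: str                      # RW, RO or DENY
    scope: int                      # one of the scope constants above
    family: Optional[int] = None    # 4, 6, or None for both address families
    grid: Optional[str] = None      # None = any Grid
    view: Optional[str] = None      # None = any network view
    network: Optional[Net] = None   # set only for scope NETWORK

    def matches(self, t: Target) -> bool:
        return ((self.family is None or self.family == t.network.version)
                and (self.grid is None or self.grid == t.grid)
                and (self.view is None or self.view == t.view)
                and (self.network is None or self.network == t.network))


def effective_permission(t: Target, group_perms: List[Permission],
                         roles: List[Tuple[str, List[Permission]]]) -> Tuple[str, str]:
    """Return (level, source).  Scopes are checked from most to least specific;
    within a scope the group's own permissions come before its roles, in the
    order the roles are listed.  The first match wins; anything not configured
    is denied, which is the default for every resource."""
    sources = [("group", group_perms)] + list(roles)
    for scope in (NETWORK, VIEW_ALL_NETS, VIEW, GRID_ALL_NETS, ALL_NETS):
        for name, perms in sources:
            for p in perms:
                if p.scope == scope and p.matches(t):
                    return p.level, name
    return DENY, "default"


def check(network: str, grid: str, group_perms, roles) -> Tuple[str, str]:
    """String-friendly wrapper: check("10.0.0.0/24", "Grid1", group, roles)."""
    return effective_permission(Target(ipaddress.ip_network(network), grid),
                                group_perms, roles)


def merge_with_synchronized(address: str, master: List[Tuple[str, str]],
                            synced: List[Tuple[str, str]]):
    """Combine Master Grid permissions with those synchronized from a managed
    Grid (Table 4.5).  Entries are (network, level).  The most specific network
    containing the address wins; when both sources cover the same network the
    Master Grid entry supersedes.  Returns (level, network, source)."""
    addr = ipaddress.ip_address(address)
    best = None
    for source, entries in (("master", master), ("synchronized", synced)):
        for net_str, level in entries:
            net = ipaddress.ip_network(net_str)
            if addr not in net:
                continue
            key = (net.prefixlen, source == "master")   # longer prefix, then master
            if best is None or key > best[0]:
                best = (key, level, str(net), source)
    return (DENY, None, None) if best is None else best[1:]


# --- Constructed sample data mirroring Tables 4.3 to 4.5 ---------------------
TABLE_4_3_GROUP = [Permission(RW, ALL_NETS, family=4)]   # RW to Grid1 itself not modelled
TABLE_4_3_ROLES = [("Role 1", [Permission(DENY, ALL_NETS, family=6)])]

TABLE_4_4_ROLES = [
    ("Role 1", [Permission(RO, NETWORK, 4, "Grid1",
                           network=ipaddress.ip_network("10.0.0.0/24"))]),
    ("Role 2", [Permission(RW, GRID_ALL_NETS, 4, "Grid1"),
                Permission(RW, GRID_ALL_NETS, 6, "Grid1")]),
]

MASTER_GRID = [("10.0.0.0/8", RW), ("20.0.0.0/8", RW),
               ("30.0.0.0/16", RW), ("40.0.0.0/8", RW)]
SYNCED_RO = [("10.0.0.0/8", RO), ("20.0.0.0/16", RO),
             ("30.0.0.0/8", RO), ("40.0.0.0/8", RO)]
SYNCED_DENY = [(net, DENY) for net, _ in SYNCED_RO]

if __name__ == "__main__":
    print(check("10.0.0.0/24", "Grid1", TABLE_4_3_GROUP, TABLE_4_3_ROLES))
    print(check("2001:db8::/32", "Grid1", TABLE_4_3_GROUP, TABLE_4_3_ROLES))
    print(check("10.0.0.0/24", "Grid1", [], TABLE_4_4_ROLES))
    for ip in ("10.0.0.1", "20.0.5.1", "20.5.0.1", "30.0.0.1", "30.5.0.1"):
        print(ip, merge_with_synchronized(ip, MASTER_GRID, SYNCED_RO))
```

Running the block reproduces the table rows: an IPv4 network under the Table 4.3 data gets Read/Write from the group and an IPv6 network gets Deny from Role 1; 10.0.0.0/24 under the Table 4.4 roles gets Read-Only from Role 1 because the specific network is checked before Role 2's Grid-wide permission; and for Table 4.5 an address such as 20.0.5.1 falls under the synchronized Read-only /16 rather than the Master Grid Read/Write /8, while 10.0.0.1, covered by a /8 from both sources, keeps the Master Grid's Read/Write.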

If you validate a user of a specific Grid through Multi-Grid Manager, you inherit the permissions of the user that you validate on that Grid. When you access the Grid through Multi-Grid Manager, you can perform specific tasks based on the permissions of the validated user of the Grid. You can also view a complete list of users that you have validated through Multi-Grid Manager, and find out the specific admin groups to which the admin users of the corresponding Grids belong. For information about how to view this information, see /wiki/spaces/mgmadminguide/pages/911180119.
You can also check for overlapping permissions when you add permissions to roles and to admin groups, and when you assign roles to an admin group. When you create a permission that overlaps with existing permissions, Multi-Grid Manager displays a warning message and the See Conflicts link, which you click to view the overlapping permissions. For information, see 19282588. You can also use the Overlaps quick filter, which lists only the permissions that overlap with other permissions. If you want to change the permission the appliance uses, you must change the order in which the roles are listed or change the permissions that are directly assigned to the admin group. For information, see /wiki/spaces/mgmadminguide/pages/911180917.

Viewing Overlapped Permissions


When you click See Conflicts to view overlapping permissions, Multi-Grid Manager displays the following information in the Permission Overlap dialog box:

    • Resource: The name of the object or resource.
    • Type: The object type.
    • Permission: The permission granted. This can be Read/Write, Read-Only, or Deny.
    • Inherited From: Indicates the source from which the permission is inherited.
    • Conflict Status: Indicates whether the permission is being used or ignored. In a permission overlap, the group permission always overrides the role permission if both permissions are set at the same level (global or object). However, if the permissions are set at different levels, the permission at a more specific level overrides that set at a higher level.
    • Role/Group Name: The name of the admin group or admin role.

You can click the arrow key next to the resource to view the permission that is being ignored in the overlap.

Managing Permissions

After you define permissions for an admin group and role, you can do the following:

  • View the permissions, as described in 19282588.
  • Modify the permissions, as described in 19282588.
  • Delete the permissions, as described in 19282588.

Viewing Permissions

Only superusers can view the permissions of all admin groups, including the synchronized permissions. To view the permissions of an admin group or role:

  1. From the Administration tab, select the Administrators tab -> Permissions tab.
  2. For an admin group: Select an admin group in the Groups table.
    or
    For an admin role: Select an admin role in the Roles table.
  3. Multi-Grid Manager displays the following information in the Permissions table:
    • Group/Role: The name of the admin group or role.
    • Permission Type: The type of permissions.
    • Resource: The name of the object, such as All IPv4 Networks.
    • Resource Type: The object type, such as Network View.
    • Permission: The defined permission for the resource.

When you click Show All for Admins, Groups, and Roles, Multi-Grid Manager displays all the Master Grid and synchronized admin accounts, admin groups, and admin roles in their respective tables.

Filtering the List of Permissions

You can filter the permissions you want to view by selecting one of the following from the quick filter menu:

  • Effective Permissions: Select to view only the permissions that the appliance is using for this group. The permissions that were ignored due to overlaps are not listed in this view.
  • Overlaps: Select to view only the overlapped permissions.
  • All Configured Permissions: Select to view all permissions.

Modifying Permissions

When you change the permissions of a role that has been assigned to multiple admin groups, the appliance automatically applies the change to the role in all admin groups to which it is assigned.
To modify the existing permissions of a role or an admin group:

  1. From the Administration tab, select the Administrators tab -> Permissions tab.
  2. For an admin group: Select an admin group in the Groups table.
    or
    For an admin role: Select an admin role in the Roles table.
  3. In the Permissions table, select the resource that you want to modify, and then click the Edit icon.
  4. In the Manage Global Permissions editor or the Create Object Permissions wizard, select the new permission for the resource: Read/Write, Read-Only, or Deny.
  5. Save the configuration.

Deleting Permissions

When you remove permissions from a role, they are removed from the role in all admin groups to which the role is assigned. You can remove a permission from a group as long as it is not inherited from a role. You cannot remove permissions that are inherited from a role.
To delete a permission:

  1. From the Administration tab, select the Administrators tab -> Permissions tab.
  2. For an admin group: Select an admin group in the Groups table.
    or
    For an admin role: Select an admin role in the Roles table.
  3. In the Permissions table, select the resource whose permission you want to delete, and then click the Delete icon.
  4. In the Delete Permission Confirmation dialog box, click Yes.