Administrative Permissions for the Master Grid


A user must have an admin account to log in to the Master Grid. Each admin account belongs to an admin group, which contains roles and permissions that determine the tasks a user can perform. For information, see About Admin Groups. On the Master Grid, you must be a superuser to manage admin permissions. For information, see About Administrative Permissions.
When an admin connects to the Master Grid and logs in with a username and password, the appliance starts a two-step process that includes both authentication and authorization. First, the appliance tries to authenticate the admin using the username and password. Second, it determines the authorized privileges of the admin by identifying the group to which the admin belongs. It grants access to the admin only when it successfully completes this process.
The appliance can authenticate users that are stored on its local database as well as users stored remotely on an Active Directory domain controller or a RADIUS server. The group from which the admin receives privileges and properties is stored locally.
The tasks involved in configuring administrator accounts locally and remotely are listed in Table 4.1.

Table 4.1 Storing Admin Accounts Locally and Remotely

To store admin accounts locally

On the Master Grid:

  • Use the default admin group ("admin-group") or define a new group
  • Set the privileges and properties for the group
  • Add admin accounts to the group

To store admin accounts remotely

On the Master Grid:

  • Configure communication settings with a RADIUS server or an Active Directory domain controller

  If you use admin groups on the RADIUS server or Active Directory domain controller:

  • Use an existing admin group or define a new one
  • Set the privileges and properties for the group

  If you do not use admin groups on the RADIUS server:

  • Assign an admin group as the default

On the RADIUS server or AD domain controller:

  • Configure communication settings with the appliance

  If you use admin groups:

  • Import Infoblox VSAs (vendor-specific attributes) (if RADIUS)
  • Define an admin group with the same name as that on the appliance
  • Define admin accounts and link them to an admin group

  If you do not use admin groups:

  • Define admin accounts

The admin policy defines how the appliance authenticates the admin: with the local database, RADIUS, or Active Directory. You must add RADIUS or Active Directory as one of the authentication methods in the admin policy to enable that authentication method for admins. See Defining the Authentication Policy for more information about configuring the admin policy.
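
The two-step process and the role of the admin policy can be modelled as follows. This Python model is an added illustration, not Infoblox code: the accounts, the group names other than "admin-group", the `login` function, the fall-through between policy methods, and the use of the default group for an unmatched remote group name are all assumptions.

```python
import hmac
from dataclasses import dataclass

# Constructed sample data. Admin groups live only on the appliance and carry
# the permissions, whichever store holds the account itself.
LOCAL_GROUPS = {
    "admin-group": {"superuser"},
    "dns-ops": {"dns:read", "dns:write"},
    "remote-default": {"dns:read"},
}

@dataclass
class Backend:
    """A credential store: local database, RADIUS or Active Directory."""
    users: dict  # username -> (password, group name or None); toy plaintext

    def authenticate(self, user, password):
        entry = self.users.get(user)
        if entry is None:
            return False, None
        ok = hmac.compare_digest(entry[0].encode(), password.encode())
        return ok, (entry[1] if ok else None)

BACKENDS = {
    "local": Backend({"alice": ("pw-a", "admin-group")}),
    "radius": Backend({"bob": ("pw-b", "dns-ops"), "carol": ("pw-c", None)}),
}

def login(user, password, policy, default_group=None):
    """Return the granted permission set, or None when access is denied."""
    # Step 1: authenticate, consulting only methods named in the admin policy.
    for method in policy:
        ok, remote_group = BACKENDS[method].authenticate(user, password)
        if not ok:
            continue  # assumption: try the next method in the policy
        # Step 2: authorize against a group that exists locally; otherwise
        # use the default group (assumption for unmatched names).
        group = remote_group if remote_group in LOCAL_GROUPS else default_group
        return LOCAL_GROUPS.get(group)  # None: no usable group, no access
    return None

if __name__ == "__main__":
    for args in [("alice", "pw-a", ["local"]), ("bob", "pw-b", ["local"]),
                 ("bob", "pw-b", ["local", "radius"]),
                 ("carol", "pw-c", ["local", "radius"])]:
        print(args[0], args[2], "->", login(*args))
```

In this model a valid RADIUS account is refused both when RADIUS is absent from the policy and when the account maps to no local group and no default group is assigned, which are the two misconfigurations worth checking when a remote admin cannot log in.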

Figure 4.1 illustrates the relationship of local and remote admin accounts, admin policy, admin groups, and permissions and properties.
Figure 4.1 Privileges and Properties Applied to Local and Remote Admin Accounts

Complete the following tasks to create an admin account:

  1. Use the default admin group or create an admin group. See About Admin Groups.
  2. Define the administrative permissions of the admin group. See About Administrative Permissions.
  3. Create the admin account and assign it to the admin group.