Administrative Permissions for DHCP Resources
Limited-access admin groups can access certain DHCP resources only if their administrative permissions are defined. By default, the appliance denies access when a limited-access admin group does not have defined permissions. You can grant admin groups read-only or read/write permission, or deny access to the following DHCP resources:
- Network views
- IPv4 networks
- Hosts
- IPv4 DHCP ranges
- IPv4 DHCP fixed addresses
- IPv4 DHCP reservations
- MAC address filters
- IPv4 shared networks
- IPv4 network templates
- IPv4 DHCP range templates
- IPv4 fixed address templates
- IPv4 DHCP enabled host addresses
- IPv4 DHCP lease history
- Roaming hosts
- IPv6 networks
- IPv6 DHCP ranges
- IPv6 DHCP fixed addresses
- IPv6 DHCP enabled host addresses
- IPv6 shared networks
- IPv6 network templates
- IPv6 DHCP range templates
- IPv6 fixed address templates
- IPv6 DHCP lease history
You can grant an admin group broad permissions to DHCP resources, such as read/write permission to all IPv4 or IPv6 networks and shared networks in the database. In addition, you can grant permission to specific resources, such as a specific IPv4 or IPv6 network or DHCP range, or an individual address in an IPv4 or IPv6 network. Permissions at more specific levels override global permissions.
You can also define permissions for specific DHCP objects and Grid members, so that admins can perform only the specified DHCP tasks on the specified member. For more information, see Defining DNS and DHCP Permissions on Grid Members.
The following sections describe the different types of permissions that you can set for DHCP resources:
Administrative Permissions for Network Views
Limited-access admin groups can access network views, including the default network view, only if they have read-only or read/write permission to a specific network view or to all network views. Permissions granted to a network view apply to all its IPv4 and IPv6 networks, shared networks, DHCP ranges and fixed addresses.
You can grant admin groups read-only or read/write permission, or deny access to network views as follows:
- All network views—Global permission that applies to all network views in the database.
- A specific network view—Permission to a specific network view applies to the properties you set in the Network View editor, and to all the IPv4 and IPv6 networks and shared networks in the network view. This overrides the global permission to all network views. When you configure permissions for a network view, you can also set permissions for the following:
  - All IPv4 and IPv6 networks in the selected network view—If you do not define permissions for IPv4 or IPv6 networks, they inherit the permissions of their network view.
  - All IPv4 and IPv6 shared networks in a specific network view—If you do not define permissions for IPv4 or IPv6 shared networks, they inherit the permissions of their network view.
Note that you can grant an admin group read-only or read/write permission to specific IPv4 or IPv6 networks in a network view, without granting them permission to that network view.
For information on how to define permissions for network views, see Applying Permissions and Managing Overlaps.
The following table lists the tasks admins can perform and the required permissions for network views.
Table 4.18 Network View Permissions
Tasks | All DNS Views | Specific DNS View | All Network Views | Specific Network View | All IPv4 or IPv6 Networks | All IPv4 or IPv6 Shared Networks |
---|---|---|---|---|---|---|
Create and delete network views and their associated DNS views | RW | RW | ||||
Create and delete a network view and its associated DNS views | RW | RW | ||||
Create, modify, and delete IPv4 and IPv6 networks and shared networks in all network views | RW | |||||
Create, modify, and delete IPv4 and IPv6 networks and shared networks in a network view | RW | |||||
View the properties of all network views | RO | |||||
View network statistics of all network views | RO | |||||
View and search for all IPv4 and IPv6 networks and shared networks | RO | |||||
View the properties of a network view | RO | |||||
View and search for IPv4 and IPv6 networks and shared networks in a network view | RO | |||||
Expand and join IPv4 and IPv6 networks | RW | |||||
Expand and join IPv4 and IPv6 networks in a specific network view | RW | |||||
Create, modify, and delete IPv4 and IPv6 networks, DHCP ranges and fixed addresses in a specific network view | RW | |||||
View network statistics and properties of all networks in a network view | RO | |||||
Search for IPv4 and IPv6 networks in a network view | RO | |||||
Create, modify, and delete all IPv4 or IPv6 shared networks | RW | |||||
View the properties of all IPv4 or IPv6 shared networks | RO | |||||
View and search for IPv4 and IPv6 shared networks in a network view | RO | |||||
Restart services from the DHCP tab | RO | RW |
Administrative Permissions for IPv4 and IPv6 Networks and Shared Networks
Limited-access admin groups can access IPv4 and IPv6 networks, including shared networks, only if their administrative permissions are defined. Permissions for a network apply to all its DHCP ranges and fixed addresses. To override network-level permissions, you must define permissions for specific DHCP ranges and fixed addresses. For example, you can grant an admin group read-only permission to a network, read/write permission to its DHCP ranges, and read-only permission to its fixed addresses.
You can grant read-only or read/write permission, or deny access to networks, as follows:
- All IPv4 or IPv6 networks—Global permission that applies to all IPv4 or all IPv6 networks in the database.
- All IPv4 or IPv6 shared networks—Global permission that applies to all IPv4 or all IPv6 shared networks in the database.
- A specific IPv4 or IPv6 network—Network permissions apply to its properties and to all DHCP ranges, fixed addresses and hosts in the network, if they do not have permissions defined. This overrides global permissions.
- All IPv4 or IPv6 DHCP ranges in a network—If you do not define permissions for DHCP ranges, they inherit the permissions of the network in which they reside.
- All IPv4 or IPv6 fixed addresses in a network—If you do not define permissions for fixed addresses, they inherit the permissions of the network in which they reside.
To define permissions for a specific IPv4 or IPv6 network and its DHCP ranges and fixed addresses, see Applying Permissions and Managing Overlaps.
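The override and inheritance rules above can be modeled in a few lines of Python. This is an added example for reviewing effective access, not Infoblox code: the `Resource` type, the permission key format and the exact lookup order (single object, then all objects of that kind in the parent, then inherited container permissions, then the global permission, then deny) are assumptions of the example. The sample data is constructed and mirrors the case above of read-only permission to a network, read/write to its DHCP ranges, and read-only to its fixed addresses.

```python
from dataclasses import dataclass
from typing import Optional

DENY, RO, RW = "DENY", "RO", "RW"
RANK = {DENY: 0, RO: 1, RW: 2}

@dataclass(frozen=True)
class Resource:
    kind: str                      # "network_view", "network", "range", "fixed_address"
    name: str
    parent: Optional["Resource"] = None

def lookup_order(res):
    """Permission keys to consult for res, most specific first (assumed order)."""
    keys = [f"{res.kind}:{res.name}"]                 # the single object
    if res.parent:
        keys.append(f"{res.kind}@{res.parent.name}")  # all objects of this kind in the parent
    node = res.parent
    while node:                                       # permissions inherited from containers
        keys.append(f"{node.kind}:{node.name}")
        node = node.parent
    keys.append(f"{res.kind}:*")                      # global permission for the kind
    return keys

def effective(perms, res):
    """Return (permission, key that supplied it); no defined permission means deny."""
    for key in lookup_order(res):
        if key in perms:
            return perms[key], key
    return DENY, "default-deny"

def allowed(perms, res, needed):
    """True if the effective permission satisfies the needed level (RO or RW)."""
    return RANK[effective(perms, res)[0]] >= RANK[needed]

def audit(perms, resources):
    """Map each resource name to its effective permission and where it came from."""
    return {r.name: effective(perms, r) for r in resources}

# Constructed sample objects and permissions for one limited-access admin group.
VIEW = Resource("network_view", "default")
NET = Resource("network", "10.0.0.0/24", VIEW)
OTHER_NET = Resource("network", "10.0.1.0/24", VIEW)
RANGE = Resource("range", "10.0.0.10-10.0.0.50", NET)
FIXED = Resource("fixed_address", "10.0.0.5", NET)
OTHER_RANGE = Resource("range", "10.0.1.10-10.0.1.50", OTHER_NET)

GROUP_PERMS = {
    "network:10.0.0.0/24": RO,          # a specific network
    "range@10.0.0.0/24": RW,            # all DHCP ranges in that network
    "fixed_address@10.0.0.0/24": RO,    # all fixed addresses in that network
}

if __name__ == "__main__":
    report = audit(GROUP_PERMS, [NET, RANGE, FIXED, OTHER_NET, OTHER_RANGE])
    for name, (perm, source) in report.items():
        print(f"{name:22} {perm:4} via {source}")
```

Printing the source key next to each result shows which grant (or the default deny) is responsible for a given level of access, which is the question a least-privilege review usually needs answered.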
The following table lists the tasks admins can perform and the required permissions for IPv4 and IPv6 networks.
Table 4.19 Network Permissions
Tasks | Grid Member(s) | All IPv4 or IPv6 Networks | Specific IPv4 or IPv6 Network | All IPv4 or IPv6 Shared Networks | Specific DNS Zone | All IPv4 or IPv6 DHCP Ranges | All IPv4 or IPv6 Fixed Addresses | IPv4 or IPv6 Network Template |
---|---|---|---|---|---|---|---|---|
Create, modify, and delete IPv4 or IPv6 networks, DHCP ranges, and fixed addresses without assigned Grid members | RW | |||||||
Create, modify, and delete IPv4 or IPv6 networks, DHCP ranges, and fixed addresses with assigned Grid members | RW | RW | ||||||
Assign a Grid member to a specific IPv4 or IPv6 network and its DHCP ranges | RW | RW | ||||||
Expand and join IPv4 or IPv6 networks | RW | |||||||
Create IPv4 or IPv6 networks from templates | RW | RO | ||||||
Create, modify, and delete an IPv4 or IPv6 network | RW | |||||||
View IPv4 or IPv6 network properties and statistics, and search for DHCP ranges and fixed addresses in a specific network | RO | |||||||
Create, modify, and delete IPv4 or IPv6 DHCP ranges and fixed addresses in a specific network | RW | |||||||
Create and split an IPv4 or IPv6 network and automatically create a reverse DNS zone | RW | RW | ||||||
Create, modify, and delete IPv4 or IPv6 shared networks | RW | |||||||
View IPv4 or IPv6 shared networks | RO | |||||||
Create, modify, and delete IPv4 or IPv6 DHCP ranges with an assigned member in a specific network | RW | RW | ||||||
Create, modify, and delete IPv4 or IPv6 DHCP ranges | RW | |||||||
View and search for IPv4 or IPv6 DHCP ranges in a specific network | RO | |||||||
Create, modify, and delete IPv4 or IPv6 fixed addresses | RW | |||||||
View and search for IPv4 or IPv6 fixed addresses in a specific network | RO |
Administrative Permissions for IPv4 or IPv6 Fixed Addresses and IPv4 Reservations
IPv4 and IPv6 fixed addresses and IPv4 reservations inherit the permissions of the networks in which they reside. You can override network-level permissions by defining permissions for fixed addresses.
You can grant read-only or read/write permission, or deny access to fixed addresses, as follows:
- All IPv4 fixed addresses/reservations—Global permission that applies to all IPv4 fixed addresses and reservations in the database.
- All IPv6 fixed addresses—Global permission that applies to all IPv6 fixed addresses in the database.
- All IPv4 fixed addresses/reservations in a network— Permissions at this level override global permissions. If you do not define permissions for fixed addresses and reservations, they inherit the permissions of the network in which they reside.
- All IPv6 fixed addresses in a network— Permissions at this level override global permissions. If you do not define permissions for IPv6 fixed addresses, they inherit the permissions of the network in which they reside.
- A single IPv4 fixed address/reservation—Overrides global and network-level permissions.
- A single IPv6 fixed address—Overrides global and network-level permissions.
For information on setting permissions for fixed addresses, see Applying Permissions and Managing Overlaps.
The following table lists the tasks admins can perform and the required permissions for IPv4 and IPv6 fixed addresses.
Table 4.20 Permissions for Fixed Addresses/Reservations
Tasks | Specific IPv4 or IPv6 Network | All IPv4 or IPv6 Fixed Addresses/IPv4 Reservations | Specific IPv4 or IPv6 Fixed Address/IPv4 Reservation |
---|---|---|---|
Create, modify, and delete IPv4 fixed addresses/reservations or IPv6 fixed addresses | RW | ||
Create, modify, and delete IPv4 fixed addresses/reservations or IPv6 fixed addresses in a specific network | RW | ||
Modify and delete an IPv4 fixed address/reservation or IPv6 fixed address | RW | ||
View and search for all IPv4 fixed addresses/reservations or IPv6 fixed addresses | RO | ||
View and search for IPv4 fixed addresses/reservations or IPv6 fixed addresses in a network | RO | RO | |
View and search for an IPv4 fixed address/reservation or IPv6 fixed address | RO |
Administrative Permissions for IPv4 or IPv6 DHCP Enabled Host Addresses
Read/write permission to IPv4 or IPv6 Host Address allows limited-access users to create, modify, and delete IPv4 and IPv6 DHCP enabled host addresses, but only in the specified network. It does not allow them to create, modify, or delete networks or other objects, such as fixed addresses, in those networks.
You can also grant admin users read-only permission or deny access to the following:
- IPv4 Host Address—Object permission that applies to all IPv4 DHCP enabled host addresses in a specified network.
- IPv6 Host Address—Object permission that applies to all IPv6 DHCP enabled host addresses in a specified network.
For information about setting permissions for DHCP enabled host addresses, see Applying Permissions and Managing Overlaps.
The following table lists tasks that admins can perform and the required permissions for IPv4 and IPv6 DHCP enabled host addresses.
Table 4.21 Permissions for DHCP Enabled Host Addresses
Tasks | Specific IPv4 or IPv6 Network | All IPv4 or IPv6 DHCP Enabled Host Addresses |
---|---|---|
Create, modify, and delete IPv4 or IPv6 DHCP enabled host addresses in a specified network | RW | |
Modify and delete a specific IPv4 or IPv6 DHCP enabled host address | RW | |
View and search for all IPv4 or IPv6 DHCP enabled host addresses | RO | |
View and search for IPv4 or IPv6 DHCP enabled host addresses in a specified network | RO |
Administrative Permissions for IPv4 and IPv6 DHCP Ranges
DHCP ranges inherit the permissions of the networks in which they reside. You can override network-level permissions by defining permissions for DHCP ranges. You can grant read-only or read/write permission, or deny access to DHCP address ranges, as follows:
- All IPv4 or IPv6 DHCP ranges—Global permission that applies to all IPv4 or IPv6 DHCP ranges in the database.
- All IPv4 or IPv6 DHCP ranges in a network—Permissions at this level override global permissions. If you do not define permissions for DHCP ranges, they inherit the permissions of the network in which they reside.
- A single IPv4 or IPv6 DHCP range—Overrides global and network-level permissions.
For information on setting permissions for DHCP ranges, see Applying Permissions and Managing Overlaps. The following table lists the tasks admins can perform and the required permissions for DHCP ranges.
Table 4.22 DHCP Ranges
Tasks | Grid Member(s) | Specific IPv4 or IPv6 Network | All DHCP IPv4 or IPv6 Ranges | Specific IPv4 or IPv6 DHCP Range | MAC Address Filter |
---|---|---|---|---|---|
Create, modify, and delete IPv4 or IPv6 DHCP ranges with an assigned member or a failover association | RW | RW | |||
Create, modify, and delete IPv4 or IPv6 DHCP ranges in a network with assigned members | RW | RW | |||
Modify and delete an IPv4 or IPv6 DHCP range with an assigned member | RW | RW | |||
View and search for all IPv4 or IPv6 DHCP ranges with an assigned member | RO | RO | |||
View and search for IPv4 or IPv6 DHCP ranges in a network with assigned members | RO | RO | |||
View and search for an IPv4 or IPv6 DHCP range with an assigned member | RO | RO | |||
View and search for an IPv4 or IPv6 DHCP range without an assigned member | RO | ||||
Apply relay agent and option filters to an IPv4 DHCP range | RW | ||||
Apply a MAC address filter to an IPv4 DHCP range | RW | RO |
Administrative Permissions for IPv4 or IPv6 DHCP Templates
There are three types of DHCP templates for IPv4 and IPv6 objects—network, DHCP range, and fixed address/reservation templates. To access any of these templates, a limited-access admin group must have read-only permission to the template. Limited-access admin groups cannot have read/write permission to the templates. Only superusers can create, modify and delete network, DHCP range, and fixed address templates. An admin group with read-only permission to the DHCP templates can view them and use them to create networks, DHCP ranges and fixed addresses, as long as they have read/write permissions to those DHCP resources as well.
You can set global read-only permission that applies to all DHCP templates, and you can set permissions to specific templates as well.
For information on setting permissions, see Applying Permissions and Managing Overlaps. The following table lists the tasks admins can perform and the required permissions for DHCP templates.
Table 4.23 Permissions for DHCP Templates
Tasks | IPv4 or IPv6 DHCP Templates | All IPv4 or IPv6 Networks | All IPv4 or IPv6 DHCP Ranges | All IPv4 or IPv6 Fixed Addresses/ IPv4 Reservations |
---|---|---|---|---|
Create IPv4 or IPv6 networks from templates | RO | RW | ||
Create IPv4 or IPv6 DHCP ranges from templates | RO | RW | ||
Create IPv4 fixed addresses/reservations or IPv6 fixed addresses from templates | RO | RW | ||
View templates | RO |
Note the following additional guidelines:
- DHCP range templates and fixed address templates do not inherit their permissions from network templates. You must set permissions for each type of template.
- An admin group can create a network using a network template that includes a DHCP range template and a fixed address template, even if it has no permission to access the DHCP range and fixed address templates.
Administrative Permissions for Roaming Hosts
Limited-access admin groups can access roaming hosts only if their administrative permissions are defined. The appliance denies access to roaming hosts for which an admin group does not have defined permissions.
You can grant read-only or read/write permission, or deny access to roaming hosts as follows:
- All roaming hosts in the database—Global permission that applies to all the roaming hosts in the database.
- A specific roaming host—Permission that applies to a specific roaming host.
For information on setting permissions, see Applying Permissions and Managing Overlaps. The following table lists the tasks admins can perform and the required permissions for roaming hosts.
Table 4.24 Permissions for Roaming Hosts
Tasks | Grid DHCP Properties | Specific IPv4 or IPv6 Roaming Host | All Roaming Host |
---|---|---|---|
Enable roaming hosts | RW | ||
View roaming host | RO | RO | RO |
Create, modify, and delete roaming hosts | RO | RW | |
Modify and delete roaming host | RO | RW |
Administrative Permissions for MAC Address Filters
Limited-access admin groups can access MAC address filters only if their administrative permissions are defined. The appliance denies access to MAC address filters for which an admin group does not have defined permissions.
You can grant read-only or read/write permission, or deny access to MAC address filters as follows:
- All MAC address filters in the database
- A specific MAC address filter
For information on setting permissions, see Applying Permissions and Managing Overlaps. The following table lists the tasks admins can perform and the required permissions for MAC address filters.
Table 4.25 Permissions for MAC Filters
Tasks | All MAC Address Filters | Specific MAC Address Filter | Specific IPv4 DHCP Ranges |
---|---|---|---|
Create, modify, and delete MAC address filters | RW | ||
Create, modify, and delete MAC address entries for a MAC address filter | RW | ||
Modify and delete a MAC address filter | RW | ||
Apply a MAC address filter to an IPv4 DHCP range | RO | RW | |
Delete a MAC address filter from an IPv4 DHCP range | RO | RW | |
View MAC address filters and their MAC address entries | RO | ||
View a MAC address filter and its MAC address entries | RO |
Administrative Permissions for the IPv4 and IPv6 DHCP Lease Histories
A limited-access admin group can view and export the IPv4 and IPv6 DHCP lease histories if it has read-only permission to the IPv4 and IPv6 DHCP lease history. Permissions to the IPv4 and IPv6 DHCP lease histories are different from the network permissions. Therefore, an admin group can access the IPv4 and IPv6 DHCP lease histories, regardless of its network permissions. Note that only superusers can import a DHCP lease history file.
To define permissions for the IPv4 and IPv6 DHCP lease histories:
- For an admin group: From the Administration tab, select the Administrators tab -> Permissions tab -> admin_group in the Groups table, and then click the Add icon -> Global Permissions from the Create New Permission area or select Add -> Global Permissions from the Toolbar.
  or
  For an admin role: From the Administration tab, select the Administrators tab -> Permissions tab -> admin_role in the Roles table, and then click the Add icon -> Global Permissions from the Create New Permission area or select Add -> Global Permissions from the Toolbar.
- Complete the following in the Manage Global Permissions dialog box:
  - Permission Type: Select DHCP Permissions from the drop-down list.
  - In the table, select Read/Write, Read-only, or Deny for All IPv4 DHCP Lease History and All IPv6 DHCP Lease History.
- Save the configuration and click Restart if it appears at the top of the screen.