By default, the Grid Master denies access to Grid members when a limited-access admin group does not have defined permissions. You can grant an admin group read-only or read/write permission, or deny access to all Grid members or you can grant permission to specific Grid members, as described in Applying Permissions and Managing Overlaps.

Note: Only superusers can modify DNS and DHCP Grid properties.

The following sections describe the types of permissions that you can set with Grid permissions:

Administrative Permissions for Grid Members
22282415 lists the tasks admins can perform and the required permissions for Grid members.

Table 4.8 Grid Member Permissions

Tasks	Grid Member(s)	Member DNS Properties	Member DHCP Properties	Restart Member DNS	Restart Member DHCP	DNS Views	DNS Zones	Networks	DHCP Ranges
Assign member to DNS zones				RW			RW
Assign member to networks					RW			RW
Assign member to DHCP ranges									RW
Configure member properties	RW
Add a member to a Match Members list of a DNS view	RW
Delete a view with members in a Match Members list						RO
View DNS and DHCP member properties		RO	RO
View and download syslog	RO
View DNS and DHCP configuration file		RO	RO
View network statistics	RO
Restart DNS service on the member				RW
Restart DHCP service on the member					RW

Administrative Permissions for Network Discovery
Limited-access admin groups can initiate a discovery and manage discovered data based on their administrative permissions.
You can set global permissions for network discovery as described in Defining Global Permissions. The following table lists the tasks admins can perform and the required permissions for network discovery.
Table 4.9 Permissions for Network Discovery

Tasks	Network Discovery	DNS Zones	Networks Selected for Discovery	Port Control
Initiate and control a discovery on selected networks	RW		RW
View discovered data			RO
Add unmanaged data to existing hosts, and resolve conflicting IP addresses			RW
Convert unmanaged data to a host, fixed address, reservation, A record, or PTR record		RW	RW
Configure device interfaces, provision networks on interfaces, de-provision networks	RW			RW

Administrative Permissions for Scheduling Tasks
You can schedule tasks, such as adding hosts or modifying fixed addresses, for a future date and time. To schedule tasks, you must first enable the scheduling feature at the Grid level, and then define administrative permissions for admin groups and admin roles. For information, see Scheduling Tasks. Only superusers can enable and disable this feature and grant scheduling permissions to admin groups. Limited-access admin groups can schedule tasks only when they have scheduling permissions.
Superusers can do the following:

Enable and disable task scheduling at the Grid level
Grant and deny scheduling permissions to admin groups and admin roles
Schedule tasks for all supported object types
Reschedule and delete any scheduled task

You can set global permissions to schedule tasks as described in Defining Global Permissions . The following table lists the tasks admins can perform and the required permissions. Users with read/write permission to scheduling can view, reschedule, and delete their own scheduled tasks.
Table 4.10 Scheduling Task Permissions

Tasks	Scheduling Task	All Networks	All DNS Views	All Shared Record Groups
Schedule the addition, modification, and deletion of all supported object types	RW	RW	RW	RW
View, reschedule, and delete scheduled tasks	RW	RW	RW	RW
Convert unmanaged data to a host, fixed address, reservation, A record, or PTR record	RW	RW	RW

To schedule tasks for specific resources, admins must have Read/Write permission to scheduling tasks, plus the required permissions to the supported resources. For information about permissions for specific resources, see the following:

Grid members—See Administrative Permission for the Grid.
DNS resources—See 22282415.
DHCP resources—See Administrative Permissions for DHCP Resources.

Note that the appliance deletes all pending scheduled tasks when superusers disable task scheduling at the Grid level. The appliance deletes an admin's scheduled tasks when superusers do the following:

Set the scheduling permission of admin groups and roles to "Deny"
Delete or disable an admin group or an admin role
Delete or disable local admins
Delete the scheduling permission from any admin group or admin role that contains users with pending scheduled tasks
Change the admin group of a limited-access admin

Administrative Permissions for Microsoft Servers

By default, only superusers can add Microsoft servers as managed servers to the Grid. Limited-access admins can add and manage Microsoft servers from the Grid based on their administrative permissions.
The following table lists the tasks admins can perform and the required permissions. Note that only superusers can add a Microsoft server to a name server group.

Table 4.11 Microsoft Server Permissions

Tasks	Microsoft Server(s)	Grid Member(s)	Network Views	DNS Views	DNS Zones	Resource Records	Networks	DHCP Ranges	Superscopes
Assign Microsoft server to member	RW	RW
Assign a network view to the Microsoft server	RW	RW	RW
Assign a DNS view to the Microsoft server	RW	RW		RW
Assign Microsoft server as primary or secondary to DNS zones	RW			RW	RW
Remove a Microsoft server as the primary or secondary server of a zone					RW
Remove a zone from a Microsoft server					RW
Edit zones and resource records of Microsoft servers					RW	RW
Assign a Microsoft server to a network	RW						RW
Assign a Microsoft server to a DHCP range	RW							RW
Remove a network served by a Microsoft server	RW						RW
Remove a DHCP range (scope) from a Microsoft server							RW	RW
Add, modify and remove Microsoft superscopes	RW							RW	RW
Clear leases from Microsoft server	RW							RW
Edit Microsoft server properties	RW
View Microsoft server properties	RO
View and download Microsoft logs	RO
Start/Stop DNS or DHCP on the Microsoft server	RW
Remove a Microsoft server from the Grid	RW

Administrative Permissions for IPAM Resources
Limited-access admin groups can access certain IPAM resources only if their administrative permissions are defined. By default, the appliance denies access when a limited-access admin group does not have defined permissions. You can grant admin groups read-only or read/write permission, or deny access to the following IPAM resources:

Network views
IPv4 networks
IPv6 networks
Hosts

The appliance applies permissions for IPAM resources hierarchically. Permissions to a network view apply to all networks and resources in that view. You can also grant an admin group broad permissions to IPAM resources, such as read/write permission to all IPv4 networks and IPv6 networks in the database. In addition, you can grant permission to a specific host in a network. Permissions at more specific levels override global permissions.
The following sections describe the types of permissions that you can set for IPAM resources:

Administrative Permissions for IPv4 and IPv6 Networks

Limited-access admin groups can access IPv4 and IPv6 networks only if their administrative permissions are defined. Permissions for a network apply to all its DNS and DHCP resources, if configured. To override network-level permissions, you must define permissions for specific objects within the networks. You can also define permissions for specific DHCP objects and Grid member to restrict admins to perform only the specified DHCP tasks on the specified member. For more information, see Defining DNS and DHCP Permissions on Grid Members.
You can grant read-only or read/write permission, or deny access to networks, as follows:

All IPv4 or IPv6 networks—Global permission that applies to all networks in the database.
A specific network—Network permissions apply to all objects in the network. This overrides global permissions.
A specific network on a specific member—Network permissions apply to all objects in the network and member permissions apply to the specific member. For information about member permissions, see Modifying Permissions on a Grid Member.

Administrative Permissions for Hosts

A host record can contain both DNS and DHCP attributes if you configure them. When applying administrative permissions to host records, the permissions apply to all relevant DNS and DHCP resources within the host records. You can define global permissions to all hosts. To override global permissions, you must define permissions for specific hosts.
You can grant read-only or read/write permission, or deny access to host records, as follows:

All hosts—Global permission that applies to all host records in the Grid.
A specific host—Object permission that applies only to a selected host.

Administrative Permissions for DHCP Fingerprint Permissions

NIOS provides a global permission for all All DHCP Fingerprints; however, it does not support object level permissions for fingerprints. To use fingerprint filters, you must have superuser privileges.

Administrative Permissions for Network Insight Tasks

22282415 summarizes the permissions you need to perform various tasks related to device discovery.
Table 4.12 Permissions for Network Discovery

Tasks	Network Discovery	DNS Zones	Networks Selected for Discovery	Port Control	All Network Views/ All IPv4 Networks/ All IPv6 Networks	Permissions for Object
Initiate and control a discovery on selected networks	RW		RW
View discovered data			RO
Resolve conflicting IP addresses			RW
Convert unmanaged objects to a host, fixed address, reservation, A record, or PTR record		RW	RW
Configure device interfaces, provision networks on interfaces	RW			RW
Configure a Blackout schedule for networks or DHCP ranges	RW				RO
Creating/editing port reservations for a Grid member, host, fixed address, reservation, A record, or PTR record				RW		RO

NIOS Admin Guide

Administrative Permission for the Grid

Administrative Permissions for Microsoft Servers

Administrative Permissions for IPv4 and IPv6 Networks

Administrative Permissions for Hosts

Administrative Permissions for DHCP Fingerprint Permissions

Administrative Permissions for Network Insight Tasks