You can assign permissions to admin roles which you then assign to admin groups, or you can assign permissions directly to an admin group. The following are permissions you can grant admin groups and roles:

• Read/Write (RW): Allows admins to add, modify, delete, view, and search for a resource.
• Read-Only (RO): Allows admins to view and search for a resource. Admins cannot add, modify, or delete the resource.
• Deny: Prevents admins from adding, modifying, deleting, and viewing a resource. This is the default permission level for all resources.

By default, the superuser group (admin-group) has full access to all resources on the appliance. Superusers can create limited-access admin groups and grant them permissions to resources at the global and object levels.
Limited-access admin groups must have either read-only or read/write permissions assigned in order to view information or perform tasks on any supported objects.
When you assign permissions at the global level, the permissions apply to all objects that belong to the specified resource. For example, when you define a read/write permission to all DHCP networks, the permission applies to all DHCP ranges and fixed addresses in the networks. For information about global permissions, see bookmark411 bookmark411.
You can also define permissions at a more granular level, such as for a specific Grid member, DNS zone, Response Policy Zone, network, and even an individual database object, such as a resource record or fixed address. When you define a permission at the object level, admins with this permission can only manage the specified object and its associated objects. For information about object permissions, see bookmark415.
You can use global and object permissions to restrict admins to specific DNS and DHCP resources on specific Grid members by assigning the appropriate permissions. You can use this feature to separate DNS and DHCP administration on selected Grid members. For more information, see bookmark419 bookmark419.
You can configure global permissions, object permissions, and member DNS and DHCP permissions for default and custom admin groups and roles. You cannot however define permissions for the factory default roles, such as DHCP Admin.
The appliance supports the following permissions:

• Grid permissions: Includes Grid DNS properties, Grid DHCP properties, all Grid members, Microsoft servers that are managed by the Grid, network discovery, task scheduling, CSV imports, and all dashboard tasks.
• IPAM permissions: Includes network views, IPv4 and IPv6 networks, and host records.
• DHCP permissions: Includes Grid DHCP properties, network views, IPv4 networks, host records, DHCP ranges, DHCP fixed addresses/reservations, DHCP enabled host addresses, Mac filters, shared networks, DHCP templates, lease history, and roaming hosts.
• DNS permissions: Includes Grid DNS properties, DNS views, DNS zones, Response Policy Zones, host records, bulk hosts, all DNS resource records, all shared records, and adding a blank A/AAAA record.
• File distribution permissions: Includes Grid-level file distribution properties.
• Reporting permissions: Includes Grid-level reporting properties.
• Administration permissions: Includes all certificate authentication services, CA certificates and object change tracking.
• GLB (Global Load Balancer) permissions: Includes all NIOS managed GLB objects.
• DHCP fingerprint permissions: Includes all DHCP fingerprint related objects.
• Named ACL permissions: Includes all named ACLs (access control lists).
• Cloud permissions: Includes all tenant objects.

NIOS applies permissions hierarchically in a parent-child structure. When you define permissions for a resource, all objects within that resource inherit the same permissions. For example, when you grant an admin group read/write permission for a network, the admin group automatically has read/write permission for objects in that network. To override permissions set at a higher level, you define permissions at a more specific level. For example, you can override the read/write network-level permission by setting read-only or deny permission for a fixed address or a DHCP-enabled host address. To define permissions for a more specific level, see the following:

• Permissions for common tasks, as described in Administrative Permissions for Common Tasks.
• Permissions for the Grid and Grid members, as described in Administrative Permission for the Grid.
• Permissions for IPAM resources, such as IPv6 networks, as described in Administrative Permissions for IPAM Resources.
• Permissions for DNS resources, such as DNS views and A records, as described in Administrative Permissions for DNS Resources.
• Permissions for DNS resource with associated IP addresses in networks and ranges, as described in Administrative Permissions for DNS Resources with Associated IP addresses in Networks and Ranges.
• Permissions for DHCP resources, such as network views and fixed addresses, as described in Administrative Permissions for DHCP Resources.
• Permissions for file distribution services, as described in Administrative Permissions for File Distribution Services.
• Permissions for certificate authentication services and CA certificates, as described in Administrative Permissions for Certificate Authentication Services and CA Certificates.
• Permissions for object change tracking, as described in Administrative Permissions for Object Change Tracking
• Permissions for GLB and GLB objects, as described in Administrative Permissions for Load Balancers.
• Permissions for Cloud objects, as described in Administrative Permissions for Cloud Objects.

When you set permissions that overlap with existing permissions, Grid Manager displays a warning about the overlaps. You can view detailed information and find out which permissions the appliance uses and which ones it ignores. For information, see bookmark423.

Defining Global Permissions

You can define permissions at a global level for an admin group or admin role. To define global permissions:

1. For an admin group: From the Administration tab, select the Administrators tab -> Permissions tab -> admin_group in the Groups table, and then click the Add icon -> Global Permissions from the Create New Permission area or select Add -> Global Permissions from the Toolbar.
   or
   For an admin role: From the Administration tab, select the Administrators tab -> Permissions tab -> admin_role in the Roles table, and then click Add icon -> Global Permissions from the Create New Permission area or select Add -> Global Permissions from the Toolbar.
2. Grid Manager displays the Manage Global Permissions editor. For an admin group, the appliance displays the selected admin group in the Group Permission field. For an admin role, the appliance displays the selected admin role in the Role Permission field. You can also select a different group or role from the drop-down list.
3. Select the resources that you want to configure from the Permission Type drop-down list. Depending on your selection, Grid Manager displays the corresponding resources for the selected permission type in the table.
4. Select Read/Write, Read-Only, or Deny for the resources you want to configure. By default, the appliance denies access to resources if you do not specifically configure them.
5. Optionally, select additional resources from the Permission Type drop-down list. Grid Manager appends the new resources to the ones that you have already configured. Define the permissions for the resources you select.
6. Save the configuration and click Restart if it appears at the top of the screen.

Table 4.2 lists global permissions you can assign to admin groups or admin roles:

Table 4.2 Global Permissions

Defining Object Permissions

You can add permissions to specific objects for selected admin groups or roles. When you add permissions to objects, you can select multiple objects with the same or different object types. When you select multiple objects with the same object type, you can apply permissions to the selected objects as well as the sub object types that are contained in the selected objects. As described in Figure 4.2, when you select five DNS forward-mapping authoritative zones, the appliance displays the object type "AuthZone" for all the zones. Since all five DNS zones are of the same object type, you can also apply permissions to all the resource records in these zones. The appliance displays the resources in the resource section of the Create Object Permissions editor. You can choose one or more of the resources to which you want to apply permissions.
In Cloud Network Automation, admin groups and admin users who have cloud API access have full permissions to delegated. However, you must specifically assign permissions for objects that have not been delegated in order for any admin groups or admin users to gain permission to these objects. Therefore, an admin group that has access to the cloud API would have full permissions to all delegated objects but limited permissions to non-delegated objects.
For information about how to allow cloud API access to an admin group, see Creating Limited-Access Admin Groups. For information about guidelines for authority delegation, see About Authority Delegation.
Figure 4.2 Selecting Multiple Objects with the Same Object Type

When you select multiple objects with more than one object type, you can add permissions to the selected objects as well as to the sub object types that are common among the selected objects. For example, when you select three DNS forward-mapping authoritative zones and two DNS IPv4 reverse-mapping authoritative zones as illustrated in Figure 4.3, you can apply permissions to all the five DNS zones as well as to the CNAME, DNAME, and host records in these zones because CNAME, DNAME, and host records are the common sub object types in these zones.

Figure 4.3 Multiple Objects with Common Sub Object Types
When you select three DNS forward-mapping authoritative zones and two IPv4 reverse-mapping authoritative zones, you can apply object permissions to all the DNS zones as well as the CNAME, DNAME and Host records in these DNS zones.

To define object permissions for an admin group or role:

1. For an admin group: From the Administration tab, select the Administrators tab -> Permissions tab -> admin_group in the Groups table, and then click the Add icon -> Object Permissions from the Create New Permission area or select Add -> Object Permissions from the Toolbar.
   or
   For an admin role: From the Administration tab, select the Administrators tab -> Permissions tab -> admin_role in the Roles table, and then click Add icon -> Object Permissions from the Create New Permission area or select Add -> Object Permissions from the Toolbar.
2. Grid Manager displays the Create Object Permissions wizard. For an admin group, the appliance displays the selected group in the Group Permission field. For an admin role, the appliance displays the selected admin role in the Role Permission field. You can also select a different group or role from the drop-down list.
3. Click Select Object(s). Grid Manager displays the Object Selector dialog box.
4. In the Object Selector dialog box, complete the following:
   • Enter a value or partial value of an object in the first field. This field is not case-sensitive. For example, if the object to which you want to define permissions contains "Infoblox", enter Infoblox here.
   • Select the object type for which you are searching in the Type drop-down list. By default, the appliance searches all object types.
   • In the operator drop-down list, select an operator for the filter criteria. Depending on what you select in the first filter field, this list displays the relevant operators for the selection.
   • In the value field, enter or select the attribute value for the first filter field. Depending on what you select for the first two filter fields, you can either enter a value or select a value from a drop-down list.
5. Click Search. The appliance lists all matching objects in the table. You can select multiple object types by clicking the Add icon to add more filter criteria. You can also click Reset to clear all entries.
6. Select the check boxes of the objects to which you are defining permissions, and then click the Select icon.
7. In the Create Object Permissions wizard, do the following:
   • Object: Displays the name of the selected object. When you select multiple objects, the appliance displays Multiple here. Mouse over to the information icon to view the list of objects to which you are defining permissions.
   • Object Type: Displays the object type of the selected object. When you select more than one object type, the appliance displays Multiple here.
   • Resource: Displays the selected objects. When you select more than one object type, the appliance displays Multiple Selected Objects here. Mouse over to the information icon to view the list of objects to which you are defining permissions. Grant the resources an appropriate permission: Read/Write, Read Only, or Deny.
8. Save the configuration and click Restart if it appears at the top of the screen.

Grid Manager displays a warning message when the permissions you define here overlap with other permissions in the system. Click See Conflicts to view the overlapping permissions in the Permissions Conflict dialog box. For information, see Applying Permissions and Managing Overlaps
You can also set permissions for specific objects from the objects themselves. For example, to define permissions for a particular Grid member, navigate to that Grid member and define its permissions.
To define the permissions of a specific object:

1. Navigate to the object. For example, to define permissions for a particular network, from the Data Management tab, select the IPAM tab -> network check box, and then click the Edit icon.
2. In the editor, select the Permissions tab, and then do one of the following:
   • Click the Add icon to add permission to the object. In the Admin Group/Role Selector dialog box, select an admin group or role to which you want to assign the permission, and then click the Select icon.
   • Modify the permission and resource type of a selected admin group or role.
   • Select an admin group or role and click the Delete icon to delete it.
3. Save the configuration and click Restart if it appears at the top of the screen.

Defining DNS and DHCP Permissions on Grid Members

You can restrict certain admin groups or roles to perform specific DNS and DHCP tasks on specific Grid members by assigning the correct global and object permissions. You can use this feature to separate the DNS and DHCP administration on different Grid members. For example, you can create an admin group or role that can only create, modify, and delete DHCP ranges in a specific network on a specific member in the Grid. This admin group or role is restricted to the specified tasks on the selected Grid member. It cannot perform other DNS or DHCP tasks on this member, and it cannot perform the specified tasks on other Grid members.
For example, you can define permissions that allow admins to create, modify, and delete DHCP ranges in network 10.0.0.0/8 on Grid member "sales.infoblox.com" by granting read/write object permissions to all DHCP ranges, network 10.0.0./8, and member DHCP on sales.infoblox.com. Admins with these permissions can only add, modify, and delete DHCP ranges in network 10.0.0.0/8 on Grid member sales.infoblox.com. They cannot perform other DHCP or DNS tasks on the member, and they cannot perform these tasks on other Grid members.
For information about required permissions for specific DNS and DHCP tasks, see Administrative Permissions for Common Tasks.
You can define the following DNS and DHCP permissions for an admin group or role:

• Grid DNS or Grid DHCP: Admins with read/write permissions can manage any DNS or DHCP resources on any Grid members. They can also modify Grid DNS or Grid DHCP properties and any member DNS and member DHCP properties. Admins with read-only permissions can only view DNS or DHCP resources. They cannot modify any DNS or DHCP resources or restart related services.
• Member DNS or Member DHCP: Admins with read/write permissions can perform the defined DNS or DHCP tasks only on the specified Grid member, not any other members. They can also modify DNS or DHCP properties on the specified member. Admins with read-only permission cannot assign the Grid member to any DNS or DHCP resources.
• Restart DNS or Restart DHCP on member: Admins with read/write permissions can restart the DNS or DHCP service on the specified Grid member, not any other members. However, they cannot modify DNS or DHCP properties on the member. They can assign the specified Grid member to any DNS or DHCP resources, but they cannot assign any other Grid members to DNS or DHCP resources.

To specify member DNS and DHCP permissions, define DNS or DHCP permissions at the global or object level for an admin group or admin role, as described in Defining Global Permissions and Defining Object Permissions. Ensure that you include the Grid member object to which you want to restrict DNS or DHCP administration. You can assign valid permissions to administrators to manage kerberos keys. For more information, see Admin Permissions for Configuring GSS-TSIG keys.
You can also control whether the admins can modify DNS or DHCP properties on a member, as described in Modifying Permissions on a Grid Member.

Modifying Permissions on a Grid Member

Admins can perform different tasks on a Grid member based on the permissions they have. Table 4.3 outlines the permissions and the tasks admins can perform on a Grid member:
Table 4.3 Member Permissions and Tasks

After you add permissions to an admin group or role for a specific Grid member, you can modify the member permissions and resources. Note that when you modify the member permissions and resources, the appliance updates the permissions of the admin group or role accordingly.
To modify Grid member permissions:

1. From the Data Management tab, select the DHCP or DNS tab -> Members tab -> Grid_member, and then click the Edit icon.
2. In the Member DHCP Properties or Member DNS Properties editor, select the Permissions tab.
3. Click a permission in the Permissions table, select a different permission from the Permissions drop-down list or select a different resource from the Resources drop-down list. Note that when you select Restart DNS or Restart DHCP, the admins with this permission can only restart the DNS or DHCP service on the selected member. They cannot modify DNS or DHCP properties of this member.
4. Save the configuration. Note that the appliance automatically updates the permissions of the corresponding admin group or role in the Administration tab.

Applying Permissions and Managing Overlaps

When an admin tries to access an object, the appliance checks the permissions of the group to which the admin belongs. Because permissions at more specific levels override those set at a higher level, the appliance checks object permissions hierarchically—from the most to the least specific. In addition, if the admin group has permissions assigned directly to it and permissions inherited from its assigned roles, the appliance checks the permissions in the following order:

1. Permissions assigned directly to the admin group.
2. Permissions inherited from admin roles in the order they are listed in the Roles tab of the Admin Group editor.

For example, an admin from the DNS1 admin group tries to access the a1.test.com A record in the test.com zone in the Infoblox default view. The appliance first checks if the DNS1 admin group has a permission defined for the a1.test.com A record. If there is none, then the appliance checks the roles assigned to DNS1. If there is no permission defined for the a1.test.com A record, the appliance continues checking for permissions in the order listed in Table 4.4. The appliance uses the first permission it finds.
Table 4.4 Permission Checking

An admin group that is assigned multiple roles and permissions can have overlaps among the different permissions. As stated earlier, the appliance uses the first permission it finds and ignores the others. For example, as shown in Table 4.5, if an admin group has read/write permission to all A records in the test.com zone and a role assigned to it is denied permission to test.com, the appliance provides read/write access to A records in the test.com zone, but denies access to the test.com zone and all its other resource records.
Table 4.5 Directly-Assigned Permissions and Roles

If the group has multiple roles, the appliance applies the permissions in the order the roles are listed. If there are overlaps in the permissions among the roles, the appliance uses the permission from the role that is listed first. For example, as shown in Table 4.6, the first role assigned to the admin group has read-only permission to all A records in the test.com zone and the second role has read/write permission to the same records. The appliance applies the permission from the first admin role.
Table 4.6 Multiple Roles

You can check for overlapped permissions when you add permissions to roles and to admin groups, and when you assign roles to an admin group. When you create a permission that overlaps with existing permissions, Grid Manager displays a warning message and the SeeConflicts link on which you click to view the overlapped permissions. For information, see Viewing Overlapping Permissions. You can also use the quick filter Overlaps to filter overlapped permissions, the appliance lists permissions that overlap with other permissions. If you want to change the permission the appliance uses, you must change the order in which the roles are listed or change the permissions that are directly assigned to the admin group. For information, see Creating Limited-Access Admin Groups.
Viewing Overlapping Permissions
When you click See Conflicts to view overlapping permissions, Grid Manager displays the following information in the Permission Overlap dialog box:

1. Resource: The name of the object or resource.
2. Type: The object type.
3. Permission: The permission granted. This can be Read/Write, Read-Only, or Deny.
4. Inherited From: Indicates the source from which the permission is inherited.
5. Conflict Status: Indicates whether the permission is being used or ignored. In a permission overlap, the group permission always overrides the role permission if both permissions are set at the same level (global or object). However, if the permissions are set at different levels, the permission at a more specific level overrides that set at a higher level.
6. Role/Group Name: The name of the admin group or admin role.

You can click the arrow key next to the resource to view the permission that is being ignored in the overlap.

Managing Permissions

After you define permissions for an admin group and role, you can do the following:

• View the permissions, as described in Viewing Permissions.
• Modify the permissions, as described in Modifying Permissions
• Delete the permission, as described in Deleting Permissions.

Viewing Permissions

Only superusers can view the permissions of all admin groups.
To view the permissions of an admin group or role:

1. From the Administration tab, select the Administrators tab -> Permissions tab.
2. For an admin group: Select an admin group in the Groups table.
   or
   For an admin role: Select an admin role in the Roles table.
3. Grid Manager displays the following information in the Permissions table:

• Group/Role: The name of the admin group or role.
• Permission Type: The type of permissions. This can be Administration Permissions, Analytics Permissions, Cloud Permissions, Named ACL Permissions, DHCP Permissions, DNS Permissions, File Distribution Permissions, Grid Permissions, IPAM Permissions, Reporting Permissions, or Security Permissions.
• Resource: The name of the object. For example, this field displays All Hosts if you have defined permissions for all the hosts in the Grid.
• Resource Type: The object type. For example, this can be Host, PTR record, or Shared Network.
• Permission: The defined permission for the resource.

When you click Show All for Admins, Groups, and Roles, Grid Manager displays all the admin accounts, admin groups, and admin roles in their respective tables.

Filtering the List of Permissions

You can filter the permissions you want to view by selecting one of the following from the quick filter menu:

• Effective Permissions: Select to view only the permissions that the appliance is using for this group. The permissions that were ignored due to overlaps are not listed in this view.
• Overlaps: Select to view only the overlapped permissions.
• All Configured Permissions: Select to view all permissions.

Modifying Permissions

You can modify the permissions of user-defined admin roles and admin groups. You cannot modify the permissions of system-defined admin roles. When you change the permissions of a role that has been assigned to multiple admin groups, the appliance automatically applies the change to the role in all admin groups to which it is assigned.
To modify the existing permissions of a role or an admin group:

1. From the Administration tab, select the Administrators tab -> Permissions tab.
2. For an admin group: Select an admin group in the Groups table. or
3. For an admin role: Select an admin role in the Roles table.
4. In the Permissions table, select the resource that you want to modify, and then click the Edit icon.
5. In the Mange Global Permissions or Create Object permissions editor, select the new permission: Read/Write, Read-Only or Deny for the resource.
6. Save the configuration and click Restart if it appears at the top of the screen.

Deleting Permissions

You can remove permissions from user-defined admin roles and admin groups. You cannot remove permissions from system-defined admin roles. When you remove permissions from a role, they are removed from the role in all admin groups to which the role is assigned. You can remove a permission from a group as long as it is not inherited from a role. You cannot remove permissions that are inherited from a role.
To delete a permission:

1. From the Administration tab, select the Administrators tab -> Permissions tab.
2. For an admin group: Select an admin group in the Groups table.
   or
   For an admin role: Select an admin role in the Roles table.
3. In the Permissions table, select the resource that you want to modify, and then click the Delete icon.
4. In the Delete Permission Confirmation dialog box, click Yes.