You can assign permissions to admin roles which you then assign to admin groups, or you can assign permissions directly to an admin group. The following are permissions you can grant admin groups and roles:

  • Read/Write (RW): Allows admins to add, modify, delete, view, and search for a resource.
  • Read-Only (RO): Allows admins to view and search for a resource. Admins cannot add, modify, or delete the resource.
  • Deny: Prevents admins from adding, modifying, deleting, and viewing a resource. This is the default permission level for all resources.

By default, the superuser group (admin-group) has full access to all resources on the appliance. Superusers can create limited-access admin groups and grant them permissions to resources at the global and object levels.
Limited-access admin groups must have either read-only or read/write permissions assigned in order to view information or perform tasks on any supported objects.
When you assign permissions at the global level, the permissions apply to all objects that belong to the specified resource. For example, when you define a read/write permission to all DHCP networks, the permission applies to all DHCP ranges and fixed addresses in the networks. For information about global permissions, see Defining Global Permissions below.
You can also define permissions at a more granular level, such as for a specific Grid member, DNS zone, Response Policy Zone, network, and even an individual database object, such as a resource record or fixed address. When you define a permission at the object level, admins with this permission can only manage the specified object and its associated objects. For information about object permissions, see Defining Object Permissions below.
You can use global and object permissions to restrict admins to specific DNS and DHCP resources on specific Grid members by assigning the appropriate permissions. You can use this feature to separate DNS and DHCP administration on selected Grid members. For more information, see Defining DNS and DHCP Permissions on Grid Members below.
You can configure global permissions, object permissions, and member DNS and DHCP permissions for default and custom admin groups and roles. You cannot, however, define permissions for the factory default roles, such as DHCP Admin.
The appliance supports the following permissions:

  • Grid permissions: Includes Grid DNS properties, Grid DHCP properties, all Grid members, Microsoft servers that are managed by the Grid, network discovery, task scheduling, CSV imports, and all dashboard tasks.
  • IPAM permissions: Includes network views, IPv4 and IPv6 networks, and host records.
  • DHCP permissions: Includes Grid DHCP properties, network views, IPv4 networks, host records, DHCP ranges, DHCP fixed addresses/reservations, DHCP enabled host addresses, MAC filters, shared networks, DHCP templates, lease history, and roaming hosts.
  • DNS permissions: Includes Grid DNS properties, DNS views, DNS zones, Response Policy Zones, host records, bulk hosts, all DNS resource records, all shared records, and adding a blank A/AAAA record.
  • File distribution permissions: Includes Grid-level file distribution properties.
  • Reporting permissions: Includes Grid-level reporting properties.
  • Administration permissions: Includes all certificate authentication services, CA certificates and object change tracking.
  • GLB (Global Load Balancer) permissions: Includes all NIOS managed GLB objects.
  • DHCP fingerprint permissions: Includes all DHCP fingerprint related objects.
  • Named ACL permissions: Includes all named ACLs (access control lists).
  • Cloud permissions: Includes all tenant objects.
  • Super Host permissions: Includes all super host objects.

NIOS applies permissions hierarchically in a parent-child structure. When you define permissions for a resource, all objects within that resource inherit the same permissions. For example, when you grant an admin group read/write permission for a network, the admin group automatically has read/write permission for objects in that network. To override permissions set at a higher level, you define permissions at a more specific level. For example, you can override the read/write network-level permission by setting read-only or deny permission for a fixed address or a DHCP-enabled host address. To define permissions for a more specific level, see the following:

When you set permissions that overlap with existing permissions, Grid Manager displays a warning about the overlaps. You can view detailed information and find out which permissions the appliance uses and which ones it ignores. For information, see Applying Permissions and Managing Overlaps below.

Defining Global Permissions

You can define permissions at a global level for an admin group or admin role. To define global permissions:

  1. For an admin group: From the Administration tab, select the Administrators tab -> Permissions tab -> admin_group in the Groups table, and then click the Add icon -> Global Permissions from the Create New Permission area or select Add -> Global Permissions from the Toolbar.
    or
    For an admin role: From the Administration tab, select the Administrators tab -> Permissions tab -> admin_role in the Roles table, and then click Add icon -> Global Permissions from the Create New Permission area or select Add -> Global Permissions from the Toolbar.
  2. Grid Manager displays the Manage Global Permissions editor. For an admin group, the appliance displays the selected admin group in the Group Permission field. For an admin role, the appliance displays the selected admin role in the Role Permission field. You can also select a different group or role from the drop-down list.
  3. Select the resources that you want to configure from the Permission Type drop-down list. Depending on your selection, Grid Manager displays the corresponding resources for the selected permission type in the table.
  4. Select Read/Write, Read-Only, or Deny for the resources you want to configure. By default, the appliance denies access to resources if you do not specifically configure them.
  5. Optionally, select additional resources from the Permission Type drop-down list. Grid Manager appends the new resources to the ones that you have already configured. Define the permissions for the resources you select.
  6. Save the configuration and click Restart if it appears at the top of the screen.

The below Global Permissions table lists global permissions you can assign to admin groups or admin roles:

Global Permissions

Permissions (Read/Write, Read-Only, or Deny)

  • Administration Permissions
    • All Certificate Authentication Services: For more information, see Administrative Permissions for Certificate Authentication Services and CA Certificates.
    • All CA Certificates
    • Object Change Tracking: For more information, see Administrative Permissions for Object Change Tracking.
  • Cloud Permissions
    • All Tenants: For more information, see Administrative Permissions for Cloud Objects.
  • Named ACL Permissions
    • Named ACL: For more information, see Administrative Permissions for Named ACLs.
  • DHCP Permissions
    • Grid DHCP Properties: For more information, see Administrative Permissions for Common Tasks.
    • All Network Views: For more information, see Administrative Permissions for DHCP Resources.
    • All IPv4/IPv6 Networks: For more information, see Administrative Permissions for IPv4 and IPv6 Networks and Shared Networks.
    • All Hosts: For more information, see Administrative Permissions for IPAM Resources.
    • All DHCP Fingerprints
    • All DHCP MAC Filters: For more information, see Administrative Permissions for DHCP Resources.
    • All IPv4/IPv6 DHCP Fixed Addresses/Reservations: For more information, see Administrative Permissions for IPv4 or IPv6 Fixed Addresses and IPv4 Reservations.
    • All IPv4/IPv6 Host Addresses: For more information, see Administrative Permissions for DHCP Resources.
    • All IPv4/IPv6 Ranges: For more information, see Administrative Permissions for IPv4 and IPv6 DHCP Ranges.
    • All IPv4/IPv6 Shared Networks: For more information, see Administrative Permissions for IPv4 and IPv6 Networks and Shared Networks.
    • All IPv4/IPv6 DHCP Templates: For more information, see Administrative Permissions for IPv4 or IPv6 DHCP Templates.
    • All Microsoft Superscopes: For more information, see Administrative Permissions for IPv4 or IPv6 DHCP Templates.
    • All Roaming Hosts: For more information, see Administrative Permissions for Roaming Hosts.
    • DHCP IPv4/IPv6 Lease History: For more information, see Administrative Permissions for the IPv4 and IPv6 DHCP Lease Histories.
  • DNS Permissions
    • Grid DNS Properties: For more information, see Administrative Permissions for Common Tasks.
    • All DNS Views: For more information, see Administrative Permissions for Common Tasks.
    • All DNS Zones: For more information, see Administrative Permissions for Common Tasks.
    • All Hosts: For more information, see Administrative Permissions for Hosts.
    • All IPv4/IPv6 Host Addresses: For more information, see Administrative Permissions for DNS Resources with Associated IP addresses in Networks and Ranges.
    • All Resource Records (A, AAAA, CAA, CNAME, DNAME, NAPTR, MX, PTR, SRV, TXT, TLSA and Bulkhost): For more information, see Administrative Permissions for Common Tasks.
    • All Shared Record Groups: For more information, see Administrative Permissions for Shared Record Groups.
    • All Shared Records (A, AAAA, MX, SRV and TXT): For more information, see Administrative Permissions for Common Tasks.
    • All Rulesets (BLACK List Rulesets and NXDOMAIN Rulesets): For more information, see Administrative Permissions for DHCP Resources.
    • All DNS64 Synthesis Groups: For more information, see Administrative Permissions for DNS64 Synthesis Groups.
    • All Response Policy Zones: For more information, see Administrative Permissions for Zones and License Requirements and Admin Permissions.
    • All Response Policy Rules: For more information, see Administrative Permissions for Zones and License Requirements and Admin Permissions.
    • All DTC Objects (LBDN Records, LBDNs, Pools, Servers, Monitors, Certificates, GeoIP and Topologies): For more information, see Administrative Permissions for Zones and License Requirements and Admin Permissions.
    • Adding a blank A/AAAA record: For more information, see Administrative Permissions for Common Tasks.
  • File Distribution Permissions
    • Grid File Distribution Permissions: For more information, see Administrative Permissions for File Distribution Services.
  • Grid Permissions
    • All Members: For more information, see Administrative Permissions for Common Tasks.
    • Network Discovery: For more information, see Administrative Permissions for Discovery.
    • Schedule Tasks: For more information, see Administrative Permissions for Scheduling Tasks.
    • CSV Import: For more information, see Administrative Permissions for Named ACLs.
    • All Microsoft Servers: For more information, see Administrative Permissions for Microsoft Servers.
    • All Dashboard Tasks: For more information, see Administrative Permissions for Dashboard Tasks.
    • All Kerberos keys: For more information, see Configuring GSS-TSIG keys.
    • All Active Directory Domains: For more information, see Managing Active Directory Sites.
  • IPAM Permissions
    • All Network Views: For more information, see Administrative Permissions for Common Tasks.
    • All IPv4 Networks: For more information, see Administrative Permissions for IPv4 and IPv6 Networks and Shared Networks.
    • All IPv6 Networks: For more information, see Administrative Permissions for IPv4 and IPv6 Networks and Shared Networks.
    • All Hosts: For more information, see Administrative Permissions for Hosts.
    • All IPv4 Host Addresses: For more information, see Administrative Permissions for DNS Resources with Associated IP addresses in Networks and Ranges.
    • All IPv6 Host Addresses: For more information, see Administrative Permissions for DNS Resources with Associated IP addresses in Networks and Ranges.
    • Port Control: For more information, see Administrative Permissions for Discovery.
  • SAML Permissions
    • SAML Authentication Services: For more information, see Administrative Permissions for SAML.
  • Super Host Permissions
    • Super Host Permissions: For more information, see About Administrative Permissions for Super Hosts.
  • Security Permissions
    • Grid Security Permissions: For more information, see Administrative Permissions.
  • Reporting Permissions
    • Grid Reporting Permissions: For more information, see Administrative Permissions for Common Tasks.
    • Reporting Dashboard: For more information, see Administrative Permissions for Reporting.
    • Reporting Search: For more information, see Administrative Permissions for Reporting.
  • VLAN Permissions
    • VLAN views, VLAN ranges, and VLAN objects: For more information, see Administrative Permissions for VLAN Management.

Defining Object Permissions

You can add permissions to specific objects for selected admin groups or roles. When you add permissions to objects, you can select multiple objects with the same or different object types. When you select multiple objects with the same object type, you can apply permissions to the selected objects as well as the sub object types that are contained in the selected objects. As described in the below figure Selecting Multiple Objects with the Same Object Type, when you select five DNS forward-mapping authoritative zones, the appliance displays the object type "AuthZone" for all the zones. Since all five DNS zones are of the same object type, you can also apply permissions to all the resource records in these zones. The appliance displays the resources in the resource section of the Create Object Permissions editor. You can choose one or more of the resources to which you want to apply permissions.
In Cloud Network Automation, admin groups and admin users who have cloud API access have full permissions to delegated objects. However, you must specifically assign permissions for objects that have not been delegated in order for any admin groups or admin users to gain permission to these objects. Therefore, an admin group that has access to the cloud API would have full permissions to all delegated objects but limited permissions to non-delegated objects.
For information about how to allow cloud API access to an admin group, see Creating Limited-Access Admin Groups. For information about guidelines for authority delegation, see About Authority Delegation.
Selecting Multiple Objects with the Same Object Type


When you select multiple objects with more than one object type, you can add permissions to the selected objects as well as to the sub object types that are common among the selected objects. For example, when you select three DNS forward-mapping authoritative zones and two DNS IPv4 reverse-mapping authoritative zones as illustrated in the below figure Multiple Objects with Common Sub Object Types, you can apply permissions to all the five DNS zones as well as to the CNAME, DNAME, and host records in these zones because CNAME, DNAME, and host records are the common sub object types in these zones.

Multiple Objects with Common Sub Object Types
When you select three DNS forward-mapping authoritative zones and two IPv4 reverse-mapping authoritative zones, you can apply object permissions to all the DNS zones as well as the CNAME, DNAME and Host records in these DNS zones.


To define object permissions for an admin group or role:

  1. For an admin group: From the Administration tab, select the Administrators tab -> Permissions tab -> admin_group in the Groups table, and then click the Add icon -> Object Permissions from the Create New Permission area or select Add -> Object Permissions from the Toolbar.
    or
    For an admin role: From the Administration tab, select the Administrators tab -> Permissions tab -> admin_role in the Roles table, and then click Add icon -> Object Permissions from the Create New Permission area or select Add -> Object Permissions from the Toolbar.
  2. Grid Manager displays the Create Object Permissions wizard. For an admin group, the appliance displays the selected group in the Group Permission field. For an admin role, the appliance displays the selected admin role in the Role Permission field. You can also select a different group or role from the drop-down list.
  3. Click Select Object(s). Grid Manager displays the Object Selector dialog box.
  4. In the Object Selector dialog box, complete the following:
    • Enter a value or partial value of an object in the first field. This field is not case-sensitive. For example, if the object to which you want to define permissions contains "Infoblox", enter Infoblox here.
    • Select the object type for which you are searching in the Type drop-down list. By default, the appliance searches all object types.
    • In the operator drop-down list, select an operator for the filter criteria. Depending on what you select in the first filter field, this list displays the relevant operators for the selection.
    • In the value field, enter or select the attribute value for the first filter field. Depending on what you select for the first two filter fields, you can either enter a value or select a value from a drop-down list.
  5. Click Search. The appliance lists all matching objects in the table. You can select multiple object types by clicking the Add icon to add more filter criteria. You can also click Reset to clear all entries.
  6. Select the checkboxes of the objects to which you are defining permissions, and then click the Select icon.
  7. In the Create Object Permissions wizard, do the following:
    • Object: Displays the name of the selected object. When you select multiple objects, the appliance displays Multiple here. Mouse over to the information icon to view the list of objects to which you are defining permissions.
    • Object Type: Displays the object type of the selected object. When you select more than one object type, the appliance displays Multiple here.
    • Resource: Displays the selected objects. When you select more than one object type, the appliance displays Multiple Selected Objects here. Mouse over to the information icon to view the list of objects to which you are defining permissions. Grant the resources an appropriate permission: Read/Write, Read-Only, or Deny.
  8. Save the configuration and click Restart if it appears at the top of the screen.

Grid Manager displays a warning message when the permissions you define here overlap with other permissions in the system. Click See Conflicts to view the overlapping permissions in the Permissions Conflict dialog box. For information, see Applying Permissions and Managing Overlaps below.
You can also set permissions for specific objects from the objects themselves. For example, to define permissions for a particular Grid member, navigate to that Grid member and define its permissions.
To define the permissions of a specific object:

  1. Navigate to the object. For example, to define permissions for a particular network, from the Data Management tab, select the IPAM tab -> network checkbox, and then click the Edit icon.
  2. In the editor, select the Permissions tab, and then do one of the following:
    • Click the Add icon to add permission to the object. In the Admin Group / Role Selector dialog box, select an admin group or role to which you want to assign the permission, and then click the Select icon.
    • Modify the permission and resource type of a selected admin group or role.
    • Select an admin group or role and click the Delete icon to delete it.
  3. Save the configuration and click Restart if it appears at the top of the screen.

Defining DNS and DHCP Permissions on Grid Members

You can restrict certain admin groups or roles to perform specific DNS and DHCP tasks on specific Grid members by assigning the correct global and object permissions. You can use this feature to separate the DNS and DHCP administration on different Grid members. For example, you can create an admin group or role that can only create, modify, and delete DHCP ranges in a specific network on a specific member in the Grid. This admin group or role is restricted to the specified tasks on the selected Grid member. It cannot perform other DNS or DHCP tasks on this member, and it cannot perform the specified tasks on other Grid members.
For example, you can define permissions that allow admins to create, modify, and delete DHCP ranges in network 10.0.0.0/8 on Grid member "sales.infoblox.com" by granting read/write object permissions to all DHCP ranges, network 10.0.0.0/8, and member DHCP on sales.infoblox.com. Admins with these permissions can only add, modify, and delete DHCP ranges in network 10.0.0.0/8 on Grid member sales.infoblox.com. They cannot perform other DHCP or DNS tasks on the member, and they cannot perform these tasks on other Grid members.
For information about required permissions for specific DNS and DHCP tasks, see Administrative Permissions for Common Tasks.
You can define the following DNS and DHCP permissions for an admin group or role:

  • Grid DNS or Grid DHCP: Admins with read/write permissions can manage any DNS or DHCP resources on any Grid members. They can also modify Grid DNS or Grid DHCP properties and any member DNS and member DHCP properties. Admins with read-only permissions can only view DNS or DHCP resources. They cannot modify any DNS or DHCP resources or restart related services.
  • Member DNS or Member DHCP: Admins with read/write permissions can perform the defined DNS or DHCP tasks only on the specified Grid member, not any other members. They can also modify DNS or DHCP properties on the specified member. Admins with read-only permission cannot assign the Grid member to any DNS or DHCP resources.
  • Restart DNS or Restart DHCP on member: Admins with read/write permissions can restart the DNS or DHCP service on the specified Grid member, not any other members. However, they cannot modify DNS or DHCP properties on the member. They can assign the specified Grid member to any DNS or DHCP resources, but they cannot assign any other Grid members to DNS or DHCP resources.

To specify member DNS and DHCP permissions, define DNS or DHCP permissions at the global or object level for an admin group or admin role, as described in Defining Global Permissions and Defining Object Permissions above. Ensure that you include the Grid member object to which you want to restrict DNS or DHCP administration. You can assign valid permissions to administrators to manage Kerberos keys. For more information, see Configuring GSS-TSIG keys.
You can also control whether the admins can modify DNS or DHCP properties on a member, as described in Modifying Permissions on a Grid Member below. 

Modifying Permissions on a Grid Member

Admins can perform different tasks on a Grid member based on the permissions they have. The following table Member Permissions and Tasks outlines the permissions and the tasks admins can perform on a Grid member:
Member Permissions and Tasks


Tasks are listed for each permission level, by the resource the permission is set on: Grid Member, Member DNS or DHCP Properties, or Restart DNS or DHCP on Grid Member.

Read/Write
  • Grid Member:
    • Modify member properties
    • Restart, reboot, and shutdown member
    • Modify member DNS and DHCP properties
    • Restart member DNS and DHCP services
    • Assign and un-assign member to DNS and DHCP objects
  • Member DNS or DHCP Properties:
    • Modify member DNS or DHCP properties
    • Restart member DNS or DHCP service
    • Assign and un-assign member to DNS or DHCP objects
  • Restart DNS or DHCP on Grid Member:
    • Restart member DNS or DHCP service
    • Assign and un-assign member to DNS or DHCP objects

Read-only
  • Grid Member:
    • View member DNS and DHCP properties
  • Member DNS or DHCP Properties:
    • View member DNS or DHCP properties
  • Restart DNS or DHCP on Grid Member:
    • N/A (You cannot define a read-only permission)

Deny
  • Grid Member:
    • Cannot modify member, DNS, and DHCP properties
    • Cannot restart related services
    • Cannot assign member to DNS and DHCP objects
  • Member DNS or DHCP Properties:
    • Cannot modify member, DNS, and DHCP properties
    • Cannot restart related services
    • Cannot assign member to DNS and DHCP objects
  • Restart DNS or DHCP on Grid Member:
    • Cannot modify member, DNS, and DHCP properties
    • Cannot restart related services
    • Cannot assign member to DNS and DHCP objects

After you add permissions to an admin group or role for a specific Grid member, you can modify the member permissions and resources. Note that when you modify the member permissions and resources, the appliance updates the permissions of the admin group or role accordingly.
To modify Grid member permissions:

  1. From the Data Management tab, select the DHCP or DNS tab -> Members tab -> Grid_member, and then click the Edit icon.
  2. In the Member DHCP Properties or Member DNS Properties editor, select the Permissions tab.
  3. Click a permission in the Permissions table, select a different permission from the Permissions drop-down list or select a different resource from the Resources drop-down list. Note that when you select Restart DNS or Restart DHCP, the admins with this permission can only restart the DNS or DHCP service on the selected member. They cannot modify DNS or DHCP properties of this member.
  4. Save the configuration. Note that the appliance automatically updates the permissions of the corresponding admin group or role in the Administration tab.

Applying Permissions and Managing Overlaps

When an admin tries to access an object, the appliance checks the permissions of the group to which the admin belongs. Because permissions at more specific levels override those set at a higher level, the appliance checks object permissions hierarchically—from the most to the least specific. In addition, if the admin group has permissions assigned directly to it and permissions inherited from its assigned roles, the appliance checks the permissions in the following order:

  1. Permissions assigned directly to the admin group.
  2. Permissions inherited from admin roles in the order they are listed in the Roles tab of the Admin Group editor.

For example, an admin from the DNS1 admin group tries to access the a1.test.com A record in the test.com zone in the Infoblox default view. The appliance first checks if the DNS1 admin group has a permission defined for the a1.test.com A record. If there is none, then the appliance checks the roles assigned to DNS1. If there is no permission defined for the a1.test.com A record, the appliance continues checking for permissions in the order listed in the Permission Checking table. The appliance uses the first permission it finds.
Permission Checking

The appliance checks object permissions from the most to the least specific, as listed:

  1. a1.test.com A record
  2. A records in test.com
  3. test.com
  4. All zones in the default view
  5. Default view
  6. All A records
  7. All zones
  8. All DNS views

For each object, the appliance checks permissions in the order listed:

  a. DNS1 admin group
  b. Role 1, Role 2, Role 3…

An admin group that is assigned multiple roles and permissions can have overlaps among the different permissions. As stated earlier, the appliance uses the first permission it finds and ignores the others. For example, as shown in the below Directly-Assigned Permissions and Roles table, if an admin group has read/write permission to all A records in the test.com zone and a role assigned to it is denied permission to test.com, the appliance provides read/write access to A records in the test.com zone, but denies access to the test.com zone and all its other resource records.
Directly-Assigned Permissions and Roles


  • Permission assigned to the admin group: Read/Write to all A records in the test.com zone
  • Permission inherited from an admin role: Deny to the test.com zone
  • Effective permissions:
    • Deny to the test.com zone
    • Read/Write to all A records in test.com zone
    • Deny to all other resource records in test.com zone

If the group has multiple roles, the appliance applies the permissions in the order the roles are listed. If there are overlaps in the permissions among the roles, the appliance uses the permission from the role that is listed first. For example, as shown in the Multiple Roles table, the first role assigned to the admin group has read-only permission to all A records in the test.com zone and the second role has read/write permission to the same records. The appliance applies the permission from the first admin role.
Multiple Roles


  • Role 1 permission: Read-only to all A records in the test.com zone
  • Role 2 permission:
    • Read/Write to all A records in test.com zone
    • Read/Write to all MX records in test.com zone
  • Effective permissions:
    • Deny to the test.com zone
    • Read-only to all A records in the test.com zone
    • Read/Write to all MX records in test.com zone

You can check for overlapped permissions when you add permissions to roles and to admin groups, and when you assign roles to an admin group. When you create a permission that overlaps with existing permissions, Grid Manager displays a warning message and the See Conflicts link, which you can click to view the overlapped permissions. For information, see Viewing Overlapping Permissions below. You can also use the quick filter Overlaps to list only the permissions that overlap with other permissions. If you want to change the permission the appliance uses, you must change the order in which the roles are listed or change the permissions that are directly assigned to the admin group. For information about Creating Limited-Access Admin Groups, see About Admin Groups.
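
The lookup order described in this section, modelled as a short Python function. This is an added example, not Infoblox code or a NIOS API; the scope tuples and the names `record_chain`, `zone_chain`, `resolve` and the two `*_case` helpers are illustrative assumptions. It reproduces the effective permissions in the Directly-Assigned Permissions and Roles and Multiple Roles tables and reports which overlapping grants are ignored.

```python
from typing import NamedTuple, Optional

RW, RO, DENY = "Read/Write", "Read-Only", "Deny"


class Decision(NamedTuple):
    permission: str          # effective permission
    source: str              # group or role that supplied it ("default" if none)
    scope: Optional[tuple]   # scope at which the winning grant was found
    ignored: list            # overlapping grants that lost: (scope, source, permission)


def record_chain(name, rtype, zone, view="default"):
    """Scopes for one resource record, most to least specific,
    in the order of the Permission Checking table."""
    return [
        ("record", view, zone, name, rtype),     # 1. a1.test.com A record
        ("records_in_zone", view, zone, rtype),  # 2. A records in test.com
        ("zone", view, zone),                    # 3. test.com
        ("zones_in_view", view),                 # 4. all zones in the view
        ("view", view),                          # 5. the view
        ("all_records", rtype),                  # 6. all A records
        ("all_zones",),                          # 7. all zones
        ("all_views",),                          # 8. all DNS views
    ]


def zone_chain(zone, view="default"):
    """Scopes for the zone object itself. Assumption of this model:
    the same ordering as above with the record-type levels left out."""
    return [("zone", view, zone), ("zones_in_view", view), ("view", view),
            ("all_zones",), ("all_views",)]


def resolve(chain, group, roles):
    """group is (name, {scope: permission}); roles is a list of the same,
    in the order they appear in the Roles tab of the Admin Group editor.
    Outer loop: most to least specific scope. Inner loop: the group's own
    grants first, then each role in order. The first grant found wins."""
    principals = [group, *roles]
    matches = [(scope, name, grants[scope])
               for scope in chain
               for name, grants in principals
               if scope in grants]
    if not matches:
        # Deny is the default permission level for all resources.
        return Decision(DENY, "default", None, [])
    scope, name, permission = matches[0]
    return Decision(permission, name, scope, matches[1:])


# Constructed sample data mirroring the two tables in this section.
A_IN_ZONE = ("records_in_zone", "default", "test.com", "A")
MX_IN_ZONE = ("records_in_zone", "default", "test.com", "MX")
ZONE = ("zone", "default", "test.com")


def directly_assigned_case():
    group = ("DNS1", {A_IN_ZONE: RW})
    roles = [("Role 1", {ZONE: DENY})]
    return group, roles


def multiple_roles_case():
    group = ("DNS1", {})
    roles = [("Role 1", {A_IN_ZONE: RO}),
             ("Role 2", {A_IN_ZONE: RW, MX_IN_ZONE: RW})]
    return group, roles


if __name__ == "__main__":
    for label, (group, roles) in [("directly assigned", directly_assigned_case()),
                                  ("multiple roles", multiple_roles_case())]:
        print(label)
        targets = {
            "a1.test.com A": record_chain("a1.test.com", "A", "test.com"),
            "mail.test.com MX": record_chain("mail.test.com", "MX", "test.com"),
            "test.com zone": zone_chain("test.com"),
        }
        for target, chain in targets.items():
            d = resolve(chain, group, roles)
            print(f"  {target}: {d.permission} (from {d.source}); "
                  f"ignored: {[(s, p) for _, s, p in d.ignored]}")
```

The `ignored` list plays the part of the Overlaps filter: a non-empty list for a resource means some configured grant is shadowed, and reordering the roles changes which one wins.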

Viewing Overlapping Permissions

When you click See Conflicts to view overlapping permissions, Grid Manager displays the following information in the Permission Overlap dialog box:

  1. Resource: The name of the object or resource.
  2. Type: The object type.
  3. Permission: The permission granted. This can be Read/Write, Read-Only, or Deny.
  4. Inherited From: Indicates the source from which the permission is inherited.
  5. Conflict Status: Indicates whether the permission is being used or ignored. In a permission overlap, the group permission always overrides the role permission if both permissions are set at the same level (global or object). However, if the permissions are set at different levels, the permission at a more specific level overrides that set at a higher level.
  6. Role/Group Name: The name of the admin group or admin role.

You can click the arrow key next to the resource to view the permission that is being ignored in the overlap.

Managing Permissions

After you define permissions for an admin group and role, you can do the following:

  • View the permissions, as described in Viewing Permissions below.
  • Modify the permissions, as described in Modifying Permissions below.
  • Delete the permission, as described in Deleting Permissions below.

Viewing Permissions

Only superusers can view the permissions of all admin groups.
To view the permissions of an admin group or role:

  1. From the Administration tab, select the Administrators tab -> Permissions tab.
  2. For an admin group: Select an admin group in the Groups table.
    or
    For an admin role: Select an admin role in the Roles table.
  3. Grid Manager displays the following information in the Permissions table:
    • Group/Role: The name of the admin group or role.
    • Permission Type: The type of permissions. This can be Administration Permissions, Analytics Permissions, Cloud Permissions, Named ACL Permissions, DHCP Permissions, DNS Permissions, File Distribution Permissions, Grid Permissions, IPAM Permissions, Reporting Permissions, or Security Permissions.
    • Resource: The name of the object. For example, this field displays All Hosts if you have defined permissions for all the hosts in the Grid.
    • Resource Type: The object type. For example, this can be Host, PTR record, or Shared Network.
    • Permission: The defined permission for the resource.

When you click Show All for Admins, Groups, and Roles, Grid Manager displays all the admin accounts, admin groups, and admin roles in their respective tables.

Filtering the List of Permissions

You can filter the permissions you want to view by selecting one of the following from the quick filter menu:

  • Effective Permissions: Select to view only the permissions that the appliance is using for this group. The permissions that were ignored due to overlaps are not listed in this view.
  • Overlaps: Select to view only the overlapped permissions.
  • All Configured Permissions: Select to view all permissions.

Modifying Permissions

You can modify the permissions of user-defined admin roles and admin groups. You cannot modify the permissions of system-defined admin roles. When you change the permissions of a role that has been assigned to multiple admin groups, the appliance automatically applies the change to the role in all admin groups to which it is assigned.
To modify the existing permissions of a role or an admin group:

  1. From the Administration tab, select the Administrators tab -> Permissions tab.
  2. For an admin group: Select an admin group in the Groups table.
    or
    For an admin role: Select an admin role in the Roles table.
  3. In the Permissions table, select the resource that you want to modify, and then click the Edit icon.
  4. In the Manage Global Permissions or Create Object Permissions editor, select the new permission: Read/Write, Read-Only or Deny for the resource.
  5. Save the configuration and click Restart if it appears at the top of the screen.

Deleting Permissions

You can remove permissions from user-defined admin roles and admin groups. You cannot remove permissions from system-defined admin roles. When you remove permissions from a role, they are removed from the role in all admin groups to which the role is assigned. You can remove a permission from a group as long as it is not inherited from a role. You cannot remove permissions that are inherited from a role.
To delete a permission:

  1. From the Administration tab, select the Administrators tab -> Permissions tab.
  2. For an admin group: Select an admin group in the Groups table.
    or
    For an admin role: Select an admin role in the Roles table.
  3. In the Permissions table, select the resource that you want to modify, and then click the Delete icon.
  4. In the Delete Permission Confirmation dialog box, click Yes.