
About Admin Groups

All administrators must belong to an admin group. The permissions and properties that you set for a group apply to all administrators assigned to that group. You can assign a dashboard template to an admin group. A dashboard template specifies the tasks an admin group can access through the Tasks Dashboard tab when they log in to Grid Manager. For information about dashboard templates, see Configuring Dashboard Templates. You can also restrict certain user groups to manage specific tasks in the Tasks Dashboard tab only. These users cannot manage other core network services through Grid Manager. For information about how to apply this restriction, see Limited-Access Admin Groups below.

To define admins who can perform specific core network service tasks, you can set up admin groups and assign them permissions for those tasks. To control when and whether certain tasks should be performed, you can add an admin group to an approval workflow and define the admins as submitters or approvers. A submitter is an admin whose tasks require approvals before execution, and an approver is an admin who can approve the submitted tasks. When you add submitter and approver groups to an approval workflow, you have control over who can perform which mission critical tasks and whether and when the tasks should be executed. For more information about how to create and configure approval workflows, see Configuring Approval Workflows.

There are three types of admin groups:

  • Superuser – Superuser admin groups provide their members with unlimited access and control of all the operations that a NIOS appliance performs. There is a default superuser admin group, called admin-group, with one superuser administrator, admin. You can add users to this default admin group and create additional admin groups with superuser privileges. Superusers can access the appliance through its console, GUI, and API. In addition, only superusers can create admin groups.

  • Limited-Access – Limited-access admin groups provide their members with read-only or read/write access to specific resources. These admin groups can access the appliance through the GUI, API, or CLI. They cannot access the appliance through the console.

  • Default – When upgrading from previous NIOS releases, the appliance converts the ALL USERS group to the Default Group when the ALL USERS Group contains admin accounts. The appliance does not create the Default Group if there is no permission in the ALL USERS group. The permissions associated with the ALL USERS group are moved to a newly created role called Default Role. Supported in previous NIOS releases, the ALL USERS group was a default group in which you defined global permissions for all limited-access users. This group implicitly included all limited-access users configured on the appliance.

All limited-access admin groups require either read-only or read/write permission to access certain resources, such as Grid members, and DNS and DHCP resources, to perform certain tasks. Therefore, when you create an admin group, you must specify which resources the group is authorized to access and their level of access.

Only superusers can create admin groups and define their administrative permissions. There are two ways to define the permissions of an admin group. You can create an admin group and assign permissions directly to the group, or you can create roles that contain permissions and assign the roles to an admin group.

You must create admin groups and assign them access to the cloud API and applicable permissions so they have authority over delegated objects. When you assign permissions for objects that have not been delegated, these admin groups or admin users assume applicable permissions to these un-delegated objects. For example, you can create an admin group that can access a specific set of networks while another can access another set of networks. Note that you cannot create a new admin group using the same name. For information about Cloud Network Automation, see Deploying Cloud Network Automation.

Complete the following tasks to assign permissions directly to an admin group:

  1. Create an admin group, as described in Creating Limited-Access Admin Groups below.

  2. Assign permissions to the admin group, as described in About Administrative Permissions.

Complete these tasks to assign admin roles to an admin group:

  1. Create an admin role, as described in About Admin Roles.

  2. Define permissions for the newly created admin role, as described in Creating Admin Roles in About Admin Roles.

  3. Create an admin group and assign the role to the group, as described in Creating Limited-Access Admin Groups below.

After you have created admin groups and defined their administrative permissions, you can assign administrators to the group.

Creating Superuser Admin Groups

Superusers have unlimited access to the NIOS appliance. They can perform all operations that the appliance supports. There are some operations, such as creating admin groups and roles, that only superusers can perform.

Note that there must always be one superuser admin account, called "admin", stored in the local database to ensure that at least one administrator can log in to the appliance in case the NIOS appliance loses connectivity to the remote admin databases such as RADIUS servers, AD domain controllers, TACACS+ servers, LDAP servers, or OCSP responders.

NIOS comes with a default superuser admin group (admin-group). It also automatically creates a new admin group, fireeye-group, when you add the first FireEye RPZ (Response Policy Zone). Infoblox recommends that you do not add another admin group with the same name as the default or FireEye admin group. Note that the FireEye admin group is read-only and you cannot assign permissions to it. For more information about FireEye RPZs, see About FireEye Integrated RPZs.

When you install valid licenses and configure your Grid for Cloud Network Automation, NIOS enables the cloud-api-only admin group. You can assign admin users to this group so they are authorized to send cloud API requests to the Cloud Platform Appliances. Note that you cannot delete this admin group or create a new admin group using the same name. For information about Cloud Network Automation, see Deploying Cloud Network Automation.

You can create additional superuser admin groups, as follows:

  1. From the Administration tab, select the Administrators tab -> Groups tab, and then click the Add icon.

  2. In the Add Admin Group wizard, complete the following:

    • Name: Enter a name for the admin group.

    • Comment: Enter useful information about the group, such as location or department. For fireeye-group, NIOS displays Group used to receive FireEye alerts in this field.

    • Disable: Select this to retain an inactivated profile for this admin group in the configuration. For example, you may want to define a profile for recently hired administrators who have not yet started work. Then when they do start, you simply need to clear this checkbox to activate the profile.

  3. Click Next and complete the following:

    • Superusers: Select this to grant the admin accounts that you assign to this group full authority to view and configure all types of data and perform all tasks.

    • Allowed Interfaces: Superuser admin groups are automatically granted access to the Infoblox GUI (Grid Manager), API, and CLI. You can specify which API the superuser admin group can access. Note that you must have the Cloud Network Automation or Cloud Platform license installed to configure access to the cloud API.

      GUI: This is selected by default. The superuser admin group automatically has full access to Grid Manager.

      CLI: This is selected by default. The superuser admin group automatically has full access to the NIOS CLI.

      API: This is selected by default. Note that the following options are displayed only if a cloud license is installed in the Grid.

      • API (WAPI/PAPI only): The superuser admin group has full access to the RESTful API and the Infoblox API by default.

      • Cloud API: Select this to allow the superuser admin group to use the cloud API. This option is available only if a cloud license is installed in the Grid. Select one of the following:

        • Cloud API only (No PAPI): Select this to allow the admin group to use WAPI (RESTful API) to send cloud API requests. Note that the Cloud API uses WAPI exclusively. The group has no access to the Infoblox API.

        • Cloud API and PAPI (No WAPI): Select this to allow the admin group to send API requests and have access to the Infoblox API. However, the group cannot use WAPI to send cloud API calls.

Note

When you assign cloud API access to an admin group, the group assumes full authority over all delegated objects. You must however specifically assign object permissions to the admin group for the group to gain authority over non-delegated objects. For information about how to assign object permissions, see About Administrative Permissions.

  4. Click Next and complete the following to define the dashboard template:

  • Dashboard Template: From the drop-down list, select the dashboard template you want to assign to this superuser group. When you apply a dashboard template to an admin group, the template applies to all users in the group. The default is None, which means that users in this group can access all licensed tasks in the Tasks Dashboard tab if they have the correct permissions to the task-related objects. Note that if you want to delete a template, you must first unassign the template from an admin group, or select None, before you can delete it. For more information about dashboard templates, see About Dashboards.

  5. Click Next to add admin email addresses if you want the appliance to send approval workflow notifications to a list of email addresses for the admin group. Complete the following in the Email Address table:

Click the Add icon and Grid Manager adds a row to the table. Enter the email address of the admin who should receive workflow notifications. You can click the Add icon again to add more email addresses. You can also select an email address and click the Delete icon to delete it. To modify an email address, click the Email Address column and modify the existing address.

Note

When you configure an approval workflow and select Group Email Address(es) as the approver notification addresses, the appliance sends workflow notifications to all email addresses you have added to this table. For information, see Configuring Approval Workflows.

  6. Optionally, click Next to add extensible attributes to the admin group. For information, see About Extensible Attributes.

  7. Save the configuration and click Restart if it appears at the top of the screen. You can do one of the following after you create a superuser admin group:

Creating Limited-Access Admin Groups

When you create a limited-access admin group, you can assign roles to it. The group then inherits the permissions of its assigned roles. In addition, you can assign permissions directly to the group. Only superusers can create admin groups.

To create a limited-access admin group:

  1. From the Administration tab, select the Administrators tab -> Groups tab, and then click the Add icon.

  2. In the Add Admin Group wizard, complete the following:

    • Name: Enter a name for the admin group.

    • Comment: Enter useful information about the group, such as location or department.

    • Disable: Select this to retain an inactivated profile for this admin group in the configuration. For example, you may want to define a profile for recently hired administrators who have not yet started work. Then when they do start, you simply need to clear this checkbox to activate the profile.

  3. Click Next and complete the following:

    • Superusers: Clear this checkbox to create a limited-access admin group.

    • Roles: Optionally, click the Add icon to add an admin role to the admin group. In the Role Selector dialog box, select the roles you want to assign to the admin group, and then click the Select icon. Use Shift+click and Ctrl+click to select multiple admin roles. You can assign up to 21 roles to an admin group. The appliance displays the selected roles in the list box. When an admin group is assigned multiple roles, the appliance applies the permissions to the group in the order the roles are listed. Therefore, if permissions overlap among the roles, the appliance uses the permission from the role that is listed first and ignores the others. You can reorder the list by selecting a role and clicking the arrow keys to move it up or down the list. To delete a role, select it and click the Delete icon.

    • Allowed Interfaces: Specify whether the admin group can use the Infoblox GUI (Grid Manager) and the API (application programming interface) to configure the appliance. Note that you must have the Cloud Network Automation or Cloud Platform license installed to configure access to the cloud API.

      GUI: Select this to allow the admin group to use the Infoblox GUI, Grid Manager.

      CLI: Select this to allow the admin group access to the Infoblox CLI. Select the command group from the drop-down list to choose all the commands that you want the group to execute, or select individual commands from that command group. For example, to let the admin group run all commands in the Grid command group, select Grid from the drop-down list and select all the commands; to grant only some of them, select the individual Grid commands that you want the admin group to execute.

      API: Select this to allow the admin group access to the Infoblox API. The following options are available only if a Cloud Network Automation or Cloud Platform license is active in the Grid. You must first select this option to enable the following options.

      • API (WAPI/PAPI only): Select this to allow the admin group to use only the RESTful API and Infoblox API.

      • Cloud API: Select this to allow the admin group to use the cloud API. This option is available only if a Cloud Network Automation or Cloud Platform license is installed in the Grid. Select one of the following:

        • Cloud API only (No PAPI): Select this to allow the admin group to use WAPI (RESTful API) to send cloud API requests. Note that the Cloud API uses WAPI exclusively. The group has no access to the Infoblox API.

        • Cloud API and PAPI (No WAPI): Select this to allow the admin group to send API requests and have access to the Infoblox API. However, the group cannot use WAPI (RESTful API) to send cloud API calls.

Notes

  • When you assign cloud API access to an admin group, the group assumes full authority over all delegated objects. You must however specifically assign object permissions to the admin group for the group to gain authority over non-delegated objects. For information about how to assign object permissions, see About Administrative Permissions.

  • The GUI permission that you assign to the admin group is independent of the CLI permission that you assign. That is, you have to assign each of these permissions separately to non-superusers. You can track the actions and commands of non-superusers in the audit.log file.

  • If you enable CLI commands for reporting users, they will not be able to log in to the CLI unless they log in to the Reporting tab in Grid Manager.

  • SAML-only users will not be able to run CLI commands, because such users are created dynamically and hence do not have a password. However, users belonging to the saml_local group can run the set series of CLI commands.

  • Cloud users will not be able to run CLI commands because they are delegated users.

  4. Click Next and complete the following to define the dashboard template:

  • Dashboard Template: From the drop-down list, select the dashboard template you want to assign to this admin group. When you assign a dashboard template to an admin group, the template applies to all users in the group. The default is None, which means that users in this group can perform all licensed tasks in the Tasks Dashboard tab if they have the correct permissions to the task-related objects. Note that if you want to delete a template, you must first unassign the template from an admin group, or select None, before you can delete it. For more information about dashboard templates, see About Dashboards.

  • Display Task flow Dashboards Only: Select this checkbox if you want to restrict this admin group to access only the Tasks Dashboard in Grid Manager. Note that when you select this checkbox, users in this admin group have access to the tasks you specified in the selected dashboard template, if applicable. They cannot perform any other tasks or manage any core network services in Grid Manager the next time they log in to the system.

  5. Click Next to add admin email addresses if you want the appliance to send approval workflow notifications to a list of email addresses for the admin group. Complete the following in the Email Address table:

Click the Add icon and Grid Manager adds a row to the table. Enter the email address of the admin who should receive workflow notifications. You can click the Add icon again to add more email addresses. You can also select an email address and click the Delete icon to delete it. To modify an email address, click the Email Address column and modify the existing address.

  6. Optionally, click Next to add or delete extensible attributes for this admin group. For information, see About Extensible Attributes.

  7. Save the configuration and click Restart if it appears at the top of the screen.
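The order-dependent rule described under Roles above (the first-listed role wins where role permissions overlap, at most 21 roles per group) and the role-based way of granting permissions described in About Admin Groups can be checked before a group goes live with the following added Python model. It is not Infoblox code or the NIOS WAPI; the Role and AdminGroup classes, the resource names and the RO/RW/DENY levels are constructed assumptions for the illustration, and the audit helper flags the case where an earlier, broader role silently overrides a later, stricter one.

```python
# Effective-permission model for a NIOS admin group. Added illustration, not
# Infoblox code or the NIOS WAPI. It encodes two rules stated on this page:
# at most 21 roles per group, and on overlap the first-listed role's permission
# wins. Resource names and permission levels are constructed assumptions.
from dataclasses import dataclass, field

MAX_ROLES_PER_GROUP = 21                    # limit stated in the documentation
LEVEL_RANK = {"DENY": 0, "RO": 1, "RW": 2}  # higher rank = more permissive

@dataclass
class Role:
    name: str
    permissions: dict  # resource -> "RO" | "RW" | "DENY"

@dataclass
class AdminGroup:
    name: str
    roles: list = field(default_factory=list)  # listed order matters

def effective_permissions(group):
    """Resolve resource -> (level, role); the first-listed role wins on overlap."""
    if len(group.roles) > MAX_ROLES_PER_GROUP:
        raise ValueError(f"{group.name}: more than {MAX_ROLES_PER_GROUP} roles")
    resolved = {}
    for role in group.roles:
        for resource, level in role.permissions.items():
            if level not in LEVEL_RANK:
                raise ValueError(f"{role.name}: unknown level {level!r}")
            resolved.setdefault(resource, (level, role.name))  # keep the first
    return resolved

def widened_by_order(group):
    """Audit check: resources where a later, stricter role is ignored because an
    earlier role already granted more. Returns a list of
    (resource, winning_role, winning_level, ignored_role, ignored_level)."""
    resolved = effective_permissions(group)
    findings = []
    for role in group.roles:
        for resource, level in role.permissions.items():
            win_level, win_role = resolved[resource]
            if win_role != role.name and LEVEL_RANK[win_level] > LEVEL_RANK[level]:
                findings.append((resource, win_role, win_level, role.name, level))
    return findings

# Constructed sample: a broad role listed ahead of a narrower one.
DNS_OPERATOR = Role("dns-operator", {"dns-zone:corp.example": "RW", "dns-view:default": "RW"})
AUDITOR = Role("auditor", {"dns-zone:corp.example": "RO", "grid-members": "RO"})
SAMPLE_GROUP = AdminGroup("helpdesk", roles=[DNS_OPERATOR, AUDITOR])

if __name__ == "__main__":
    for resource, (level, role) in sorted(effective_permissions(SAMPLE_GROUP).items()):
        print(f"{resource:24} {level:4} (from {role})")
    for finding in widened_by_order(SAMPLE_GROUP):
        print("order widens access:", finding)
```

Swapping the two roles in SAMPLE_GROUP makes the auditor's read-only permission on the zone win and the finding disappears, which is the reordering the Roles step describes.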