Limited-access admin groups can access certain DHCP resources only if their administrative permissions are defined. By default, the appliance denies access when a limited-access admin group does not have defined permissions. You can grant admin groups read-only or read/write permission, or deny access to the following DHCP resources:

  • Network views
  • IPv4 networks
  • Hosts
  • IPv4 DHCP ranges
  • IPv4 DHCP fixed addresses
  • IPv4 DHCP reservations
  • MAC address filters
  • IPv4 shared networks
  • IPv4 network templates
  • IPv4 DHCP range templates
  • IPv4 fixed address templates
  • IPv4 DHCP enabled host addresses
  • IPv4 DHCP lease history
  • Roaming hosts
  • IPv6 networks
  • IPv6 DHCP ranges
  • IPv6 DHCP fixed addresses
  • IPv6 DHCP enabled host addresses
  • IPv6 shared networks
  • IPv6 network templates
  • IPv6 DHCP range templates
  • IPv6 fixed address templates
  • IPv6 DHCP lease history

You can grant an admin group broad permissions to DHCP resources, such as read/write permission to all IPv4 or IPv6 networks and shared networks in the database. In addition, you can grant permission to specific resources, such as a specific IPv4 or IPv6 network or DHCP range, or an individual address in an IPv4 or IPv6 network. Permissions at more specific levels override global permissions.
You can also define permissions for specific DHCP objects and Grid members to restrict admins to performing only the specified DHCP tasks on the specified member. For more information, see Defining DNS and DHCP Permissions on Grid Members.
The following sections describe the different types of permissions that you can set for DHCP resources:


Administrative Permissions for Network Views
Limited-access admin groups can access network views, including the default network view, only if they have read-only or read/write permission to a specific network view or to all network views. Permissions granted to a network view apply to all its IPv4 and IPv6 networks, shared networks, DHCP ranges and fixed addresses.
You can grant admin groups read-only or read/write permission, or deny access to network views as follows:

  • All network views—Global permission that applies to all network views in the database.
  • A specific network view—Permission to a specific network view applies to the properties you set in the Network View editor, and to all the IPv4 and IPv6 networks and shared networks in the network view. This overrides the global permission to all network views. When you configure permissions for a network view, you can also set permissions for the following:
    • All IPv4 and IPv6 networks in the selected network view—If you do not define permissions for IPv4 or IPv6 networks, they inherit the permissions of their network view.
    • All IPv4 and IPv6 shared networks in a specific network view—If you do not define permissions for IPv4 or IPv6 shared networks, they inherit the permissions of their network view.

Note that you can grant an admin group read-only or read/write permission to specific IPv4 or IPv6 networks in a network view, without granting them permission to that network view. For information, see Administrative Permissions for IPv4 and IPv6 Networks and Shared Networks.
For information on how to define permissions for network views, see Applying Permissions and Managing Overlaps.
The following table lists the tasks admins can perform and the required permissions for network views.

Table 4.18 Network View Permissions

| Tasks | All DNS Views | Specific DNS View | All Network Views | Specific Network View | All IPv4 or IPv6 Networks | All IPv4 or IPv6 Shared Networks |
|---|---|---|---|---|---|---|
| Create and delete network views and their associated DNS views | RW | | RW | | | |
| Create and delete a network view and its associated DNS views | | RW | | RW | | |
| Create, modify, and delete IPv4 and IPv6 networks and shared networks in all network views | | | RW | | | |
| Create, modify, and delete IPv4 and IPv6 networks and shared networks in a network view | | | | RW | | |
| View the properties of all network views | | | RO | | | |
| View network statistics of all network views | | | RO | | | |
| View and search for all IPv4 and IPv6 networks and shared networks | | | RO | | | |
| View the properties of a network view | | | | RO | | |
| View and search for IPv4 and IPv6 networks and shared networks in a network view | | | | RO | | |
| Expand and join IPv4 and IPv6 networks | | | RW | | | |
| Expand and join IPv4 and IPv6 networks in a specific network view | | | | RW | | |
| Create, modify, and delete IPv4 and IPv6 networks, DHCP ranges and fixed addresses in a specific network view | | | | RW | | |
| View network statistics and properties of all networks in a network view | | | | RO | | |
| Search for IPv4 and IPv6 networks in a network view | | | | RO | | |
| Create, modify, and delete all IPv4 or IPv6 shared networks | | | | | | RW |
| View the properties of all IPv4 or IPv6 shared networks | | | | | | RO |
| View and search for IPv4 and IPv6 shared networks in a network view | | | | RO | | |
| Restart services from the DHCP tab | RO | | | RW | | |

Administrative Permissions for IPv4 and IPv6 Networks and Shared Networks
Limited-access admin groups can access IPv4 and IPv6 networks, including shared networks, only if their administrative permissions are defined. Permissions for a network apply to all its DHCP ranges and fixed addresses. To override network-level permissions, you must define permissions for specific DHCP ranges and fixed addresses. For example, you can grant an admin group read-only permission to a network, read/write permission to its DHCP ranges, and read-only permission to its fixed addresses.
You can grant read-only or read/write permission, or deny access to networks, as follows:

  • All IPv4 or IPv6 networks—Global permission that applies to all IPv4 or all IPv6 networks in the database.
  • All IPv4 or IPv6 shared networks—Global permission that applies to all IPv4 or all IPv6 shared networks in the database.
  • A specific IPv4 or IPv6 network—Network permissions apply to its properties and to all DHCP ranges, fixed addresses and hosts in the network, if they do not have permissions defined. This overrides global permissions.
  • All IPv4 or IPv6 DHCP ranges in a network—If you do not define permissions for DHCP ranges, they inherit the permissions of the network in which they reside.
  • All IPv4 or IPv6 fixed addresses in a network—If you do not define permissions for fixed addresses, they inherit the permissions of the network in which they reside.

To define permissions for a specific IPv4 or IPv6 network and its DHCP ranges and fixed addresses, see Applying Permissions and Managing Overlaps.
The following table lists the tasks admins can perform and the required permissions for IPv4 and IPv6 networks.

Table 4.19 Network Permissions

| Tasks | Grid Member(s) | All IPv4 or IPv6 Networks | Specific IPv4 or IPv6 Network | All IPv4 or IPv6 Shared Networks | Specific DNS Zone | All IPv4 or IPv6 DHCP Ranges | All IPv4 or IPv6 Fixed Addresses | IPv4 or IPv6 Network Template |
|---|---|---|---|---|---|---|---|---|
| Create, modify, and delete IPv4 or IPv6 networks, DHCP ranges, and fixed addresses without assigned Grid members | | RW | | | | | | |
| Create, modify, and delete IPv4 or IPv6 networks, DHCP ranges, and fixed addresses with assigned Grid members | RW | RW | | | | | | |
| Assign a Grid member to a specific IPv4 or IPv6 network and its DHCP ranges | RW | | RW | | | | | |
| Expand and join IPv4 or IPv6 networks | | RW | | | | | | |
| Create IPv4 or IPv6 networks from templates | | RW | | | | | | RO |
| Create, modify, and delete an IPv4 or IPv6 network | | RW | | | | | | |
| View IPv4 or IPv6 network properties and statistics, and search for DHCP ranges and fixed addresses in a specific network | | | RO | | | | | |
| Create, modify, and delete IPv4 or IPv6 DHCP ranges and fixed addresses in a specific network | | | RW | | | | | |
| Create and split an IPv4 or IPv6 network and automatically create a reverse DNS zone | | | RW | | RW | | | |
| Create, modify, and delete IPv4 or IPv6 shared networks | | | | RW | | | | |
| View IPv4 or IPv6 shared networks | | | | RO | | | | |
| Create, modify, and delete IPv4 or IPv6 DHCP ranges with an assigned member in a specific network | RW | | RW | | | | | |
| Create, modify, and delete IPv4 or IPv6 DHCP ranges | | | | | | RW | | |
| View and search for IPv4 or IPv6 DHCP ranges in a specific network | | | RO | | | | | |
| Create, modify, and delete IPv4 or IPv6 fixed addresses | | | | | | | RW | |
| View and search for IPv4 or IPv6 fixed addresses in a specific network | | | RO | | | | | |

Administrative Permissions for IPv4 or IPv6 Fixed Addresses and IPv4 Reservations

IPv4 and IPv6 fixed addresses and IPv4 reservations inherit the permissions of the networks in which they reside. You can override network-level permissions by defining permissions for fixed addresses.
You can grant read-only or read-write permission, or deny access to fixed addresses, as follows:

  • All IPv4 fixed addresses/reservations—Global permission that applies to all IPv4 fixed addresses and reservations in the database.
  • All IPv6 fixed addresses—Global permission that applies to all IPv6 fixed addresses in the database.
  • All IPv4 fixed addresses/reservations in a network— Permissions at this level override global permissions. If you do not define permissions for fixed addresses and reservations, they inherit the permissions of the network in which they reside.
  • All IPv6 fixed addresses in a network— Permissions at this level override global permissions. If you do not define permissions for IPv6 fixed addresses, they inherit the permissions of the network in which they reside.
  • A single IPv4 fixed address/reservation—Overrides global and network-level permissions.
  • A single IPv6 fixed address—Overrides global and network-level permissions.

For information on setting permissions for fixed addresses, see Applying Permissions and Managing Overlaps.
The following table lists the tasks admins can perform and the required permissions for IPv4 and IPv6 fixed addresses.

Table 4.20 Permissions for Fixed Addresses/Reservations

| Tasks | Specific IPv4 or IPv6 Network | All IPv4 or IPv6 Fixed Addresses/IPv4 Reservations | Specific IPv4 or IPv6 Fixed Address/IPv4 Reservation |
|---|---|---|---|
| Create, modify, and delete IPv4 fixed addresses/reservations or IPv6 fixed addresses | | RW | |
| Create, modify, and delete IPv4 fixed addresses/reservations or IPv6 fixed addresses in a specific network | RW | | |
| Modify and delete an IPv4 fixed address/reservation or IPv6 fixed address | | | RW |
| View and search for all IPv4 fixed addresses/reservations or IPv6 fixed addresses | | RO | |
| View and search for IPv4 fixed addresses/reservations or IPv6 fixed addresses in a network | RO | RO | |
| View and search for an IPv4 fixed address/reservation or IPv6 fixed address | | | RO |

Administrative Permissions for IPv4 or IPv6 DHCP Enabled Host Addresses
A read-write permission to IPv4 or IPv6 Host Address gives limited-access users the ability to create, modify, and delete IPv4 and IPv6 DHCP enabled host addresses in a specified network. Admin users with a read-write permission can create, modify, and delete IPv4 or IPv6 DHCP enabled host addresses only in the specified network. They do not have the ability to create, modify or delete any networks or objects, such as fixed addresses, in those networks.
You can also grant admin users read-only permission or deny access to the following:

  • IPv4 Host Address—Object permission that applies to all IPv4 DHCP enabled host addresses in a specified network.
  • IPv6 Host Address—Object permission that applies to all IPv6 DHCP enabled host addresses in a specified network.

For information about setting permissions for DHCP enabled host addresses, see Applying Permissions and Managing Overlaps.
The following table lists tasks that admins can perform and the required permissions for IPv4 and IPv6 DHCP enabled host addresses.

Table 4.21 Permissions for DHCP Enabled Host Addresses

| Tasks | Specific IPv4 or IPv6 Network | All IPv4 or IPv6 DHCP Enabled Host Addresses |
|---|---|---|
| Create, modify, and delete IPv4 or IPv6 DHCP enabled host addresses in a specified network | | RW |
| Modify and delete a specific IPv4 or IPv6 DHCP enabled host address | | RW |
| View and search for all IPv4 or IPv6 DHCP enabled host addresses | | RO |
| View and search for IPv4 or IPv6 DHCP enabled host addresses in a specified network | | RO |

Administrative Permissions for IPv4 and IPv6 DHCP Ranges
DHCP ranges inherit the permissions of the networks in which they reside. You can override network-level permissions by defining permissions for DHCP ranges. You can grant read-only or read/write permission, or deny access to DHCP address ranges, as follows:

  • All IPv4 or IPv6 DHCP ranges—Global permission that applies to all IPv4 or IPv6 DHCP ranges in the database.
  • All IPv4 or IPv6 DHCP ranges in a network—Permissions at this level override global permissions. If you do not define permissions for DHCP ranges, they inherit the permissions of the network in which they reside.
  • A single IPv4 or IPv6 DHCP range—Overrides global and network-level permissions.

For information on setting permissions for DHCP ranges, see Applying Permissions and Managing Overlaps. The following table lists the tasks admins can perform and the required permissions for DHCP ranges.

Table 4.22 DHCP Ranges

| Tasks | Grid Member(s) | Specific IPv4 or IPv6 Network | All DHCP IPv4 or IPv6 Ranges | Specific IPv4 or IPv6 DHCP Range | MAC Address Filter |
|---|---|---|---|---|---|
| Create, modify, and delete IPv4 or IPv6 DHCP ranges with an assigned member or a failover association | RW | | RW | | |
| Create, modify, and delete IPv4 or IPv6 DHCP ranges in a network with assigned members | RW | RW | | | |
| Modify and delete an IPv4 or IPv6 DHCP range with an assigned member | RW | | | RW | |
| View and search for all IPv4 or IPv6 DHCP ranges with an assigned member | RO | | | RO | |
| View and search for IPv4 or IPv6 DHCP ranges in a network with assigned members | RO | RO | | | |
| View and search for an IPv4 or IPv6 DHCP range with an assigned member | RO | | | RO | |
| View and search for an IPv4 or IPv6 DHCP range without an assigned member | | | | RO | |
| Apply relay agent and option filters to an IPv4 DHCP range | | | | RW | |
| Apply a MAC address filter to an IPv4 DHCP range | | | | RW | RO |

Administrative Permissions for IPv4 or IPv6 DHCP Templates

There are three types of DHCP templates for IPv4 and IPv6 objects—network, DHCP range, and fixed address/reservation templates. To access any of these templates, a limited-access admin group must have read-only permission to the template. Limited-access admin groups cannot have read/write permission to the templates. Only superusers can create, modify and delete network, DHCP range, and fixed address templates. An admin group with read-only permission to the DHCP templates can view them and use them to create networks, DHCP ranges and fixed addresses, as long as they have read/write permissions to those DHCP resources as well.
You can set global read-only permission that applies to all DHCP templates, and you can set permissions to specific templates as well.
For information on setting permissions, see Applying Permissions and Managing Overlaps. The following table lists the tasks admins can perform and the required permissions for DHCP templates.

Table 4.23 Permissions for DHCP Templates

| Tasks | IPv4 or IPv6 DHCP Templates | All IPv4 or IPv6 Networks | All IPv4 or IPv6 DHCP Ranges | All IPv4 or IPv6 Fixed Addresses/IPv4 Reservations |
|---|---|---|---|---|
| Create IPv4 or IPv6 networks from templates | RO | RW | | |
| Create IPv4 or IPv6 DHCP ranges from templates | RO | | RW | |
| Create IPv4 fixed addresses/reservations or IPv6 fixed addresses from templates | RO | | | RW |
| View templates | RO | | | |

Note the following additional guidelines:

  • DHCP range templates and fixed address templates do not inherit their permissions from network templates. You must set permissions for each type of template.
  • An admin group can create a network using a network template that includes a DHCP range template and a fixed address template, even if it has no permission to access the DHCP range and fixed address templates.

Administrative Permissions for Roaming Hosts

Limited-access admin groups can access roaming hosts only if their administrative permissions are defined. The appliance denies access to roaming hosts for which an admin group does not have defined permissions.
You can grant read-only or read/write permission, or deny access to roaming hosts as follows:

  • All roaming hosts in the database—Global permission that applies to all the roaming hosts in the database.
  • A specific roaming host—Permission that applies to a specific roaming host.

For information on setting permissions, see Applying Permissions and Managing Overlaps. The following table lists the tasks admins can perform and the required permissions for roaming hosts.

Table 4.24 Permissions for Roaming Hosts

| Tasks | Grid DHCP Properties | Specific IPv4 or IPv6 Roaming Host | All Roaming Host |
|---|---|---|---|
| Enable roaming hosts | RW | | |
| View roaming host | RO | RO | RO |
| Create, modify, and delete roaming hosts | RO | | RW |
| Modify and delete roaming host | RO | RW | |

Administrative Permissions for MAC Address Filters
Limited-access admin groups can access MAC address filters only if their administrative permissions are defined. The appliance denies access to MAC address filters for which an admin group does not have defined permissions.
You can grant read-only or read/write permission, or deny access to MAC address filters as follows:

  • All MAC address filters in the database
  • A specific MAC address filter

For information on setting permissions, see Applying Permissions and Managing Overlaps. The following table lists the tasks admins can perform and the required permissions for MAC address filters.

Table 4.25 Permissions for MAC Filters

| Tasks | All MAC Address Filters | Specific MAC Address Filter | Specific IPv4 DHCP Ranges |
|---|---|---|---|
| Create, modify, and delete MAC address filters | RW | | |
| Create, modify, and delete MAC address entries for a MAC address filter | | RW | |
| Modify and delete a MAC address filter | | RW | |
| Apply a MAC address filter to an IPv4 DHCP range | | RO | RW |
| Delete a MAC address filter from an IPv4 DHCP range | | RO | RW |
| View MAC address filters and their MAC address entries | RO | | |
| View a MAC address filter and its MAC address entries | | RO | |
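
The override and inheritance rules described on this page, together with the two-permission requirement for applying a MAC address filter in Table 4.25, can be checked against a group's grants with a small model. This is an added example, not Infoblox code: the scope names, the lookup order between a network view and the global scope, and the sample grants are assumptions constructed for illustration, and overlaps between multiple groups or roles are not modeled.

```python
# Added illustration: a simplified model of the permission resolution this page
# describes. Not Infoblox code; scope names and sample grants are constructed.
from enum import IntEnum


class Perm(IntEnum):
    DENY = 0
    RO = 1
    RW = 2


def effective(grants, chain):
    """Return the permission from the most specific scope that has a grant.

    grants: dict mapping scope name -> Perm for one admin group.
    chain:  scopes ordered most specific first, global last.
    No grant anywhere in the chain means DENY (the appliance default).
    """
    for scope in chain:
        if scope in grants:
            return grants[scope]
    return Perm.DENY


def chain_for_range(view, network, rng):
    # Assumed ordering: single range, all ranges in the network, the network,
    # its network view, then the global "all DHCP ranges" permission.
    return [f"range:{rng}", f"ranges-in:{network}", f"network:{network}",
            f"view:{view}", "all-ranges"]


def chain_for_mac_filter(name):
    # A specific MAC address filter overrides the global filter permission.
    return [f"macfilter:{name}", "all-macfilters"]


def can_apply_mac_filter(grants, view, network, rng, mac_filter):
    """Table 4.25: needs RO on the MAC address filter and RW on the DHCP range."""
    filter_perm = effective(grants, chain_for_mac_filter(mac_filter))
    range_perm = effective(grants, chain_for_range(view, network, rng))
    return filter_perm >= Perm.RO and range_perm >= Perm.RW


# Constructed sample grants for a hypothetical "helpdesk" admin group.
HELPDESK = {
    "all-ranges": Perm.RW,                  # broad global grant
    "network:10.1.0.0/16": Perm.RO,         # specific network overrides global
    "range:10.1.5.10-10.1.5.200": Perm.RW,  # single range overrides its network
    "macfilter:guest-devices": Perm.RO,     # one filter only, no global grant
}

if __name__ == "__main__":
    for rng in ("10.1.5.10-10.1.5.200", "10.1.9.10-10.1.9.50"):
        chain = chain_for_range("default", "10.1.0.0/16", rng)
        print(rng, effective(HELPDESK, chain).name,
              can_apply_mac_filter(HELPDESK, "default", "10.1.0.0/16",
                                   rng, "guest-devices"))
```

Running the same resolution over an exported permission list is a quick way to spot a broad global grant that a narrower read-only or deny entry was meant to restrict but does not cover.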



Administrative Permissions for the IPv4 and IPv6 DHCP Lease Histories
A limited-access admin group can view and export the IPv4 and IPv6 DHCP lease histories if it has read-only permission to the IPv4 and IPv6 DHCP lease history. Permissions to the IPv4 and IPv6 DHCP lease histories are different from the network permissions. Therefore, an admin group can access the IPv4 and IPv6 DHCP lease histories, regardless of its network permissions. Note that only superusers can import a DHCP lease history file.
To define permissions for the IPv4 and IPv6 DHCP lease histories:

  1. For an admin group: From the Administration tab, select the Administrators tab -> Permissions tab -> admin_group in the Groups table, and then click the Add icon -> Global Permissions from the Create New Permission area or select Add -> Global Permissions from the Toolbar.
    or
    For an admin role: From the Administration tab, select the Administrators tab -> Permissions tab -> admin_role in the Roles table, and then click Add icon -> Global Permissions from the Create New Permission area or select Add -> Global Permissions from the Toolbar.
  2. Complete the following in the Manage Global Permissions dialog box:
    • Permission Type: Select DHCP Permissions from the drop-down list.
    • In the table, select Read/Write, Read-only, or Deny for All IPv4 DHCP Lease History and All IPv6 DHCP Lease History.
  3. Save the configuration and click Restart if it appears at the top of the screen.