Limited-access admin groups can access certain IPAM resources only if their administrative permissions are defined. By default, the appliance denies access when a limited-access admin group does not have defined permissions. You can grant admin groups read-only or read/write permission, or deny access to the following IPAM resources:
- Network views
- IPv4 networks
- IPv6 networks
The appliance applies permissions for IPAM resources hierarchically. Permissions to a network view apply to all networks and resources in that view. You can also grant an admin group broad permissions to IPAM resources, such as read/write permission to all IPv4 networks and IPv6 networks in the database. In addition, you can grant permission to a specific host in a network. Permissions at more specific levels override global permissions.
The following sections describe the types of permissions that you can set for IPAM resources:
- Administrative Permissions for Network Views
- Administrative Permissions for IPv4 and IPv6 Networks
- Administrative Permissions for Hosts
Administrative Permissions for IPv4 and IPv6 Networks
Limited-access admin groups can access IPv4 and IPv6 networks only if their administrative permissions are defined. Permissions for a network apply to all its DNS and DHCP resources, if configured. To override network-level permissions, you must define permissions for specific objects within the networks. You can also define permissions for specific DHCP objects and Grid member to restrict admins to perform only the specified DHCP tasks on the specified member. For more information, see Defining DNS and DHCP Permissions on Grid Members.
You can grant read-only or read/write permission, or deny access to networks, as follows:
- All IPv4 or IPv6 networks—Global permission that applies to all networks in the database.
- A specific network—Network permissions apply to all objects in the network. This overrides global permissions.
- A specific network on a specific member—Network permissions apply to all objects in the network and member permissions apply to the specific member. For information about member permissions, see Modifying Permissions on a Grid Member.
Administrative Permissions for Hosts
A host record can contain both DNS and DHCP attributes if you configure them. When applying administrative permissions to host records, the permissions apply to all relevant DNS and DHCP resources within the host records. You can define global permissions to all hosts. To override global permissions, you must define permissions for specific hosts.
You can grant read-only or read/write permission, or deny access to host records, as follows:
- All hosts—Global permission that applies to all host records in the Grid.
- A specific host—Object permission that applies only to a selected host.
Administrative Permissions for DHCP Fingerprint Permissions
NIOS provides a global permission for all All DHCP Fingerprints; however, it does not support object level permissions for fingerprints. To use fingerprint filters, you must have superuser privileges.
Administrative Permissions for Network Insight Tasks
Table 4.12 summarizes the permissions you need to perform various tasks related to device discovery.
Table 4.12 Permissions for Network Discovery
Networks Selected for Discovery
Permissions for Object
Initiate and control a discovery on selected networks
View discovered data
Resolve conflicting IP addresses
Convert unmanaged objects to a host, fixed address, reservation, A record, or PTR record
Configure device interfaces, provision networks on interfaces
Configure a Blackout schedule for networks or DHCP ranges
|Creating/editing port reservations for a Grid member, host, fixed address, reservation, A record, or PTR record||RW||RO|