Page tree

Contents

Limited-access admin groups can access certain IPAM resources only if their administrative permissions are defined. By default, the appliance denies access when a limited-access admin group does not have defined permissions. You can grant admin groups read-only or read/write permission, or deny access to the following IPAM resources:

  • Network views
  • IPv4 networks
  • IPv6 networks
  • Hosts

The appliance applies permissions for IPAM resources hierarchically. Permissions to a network view apply to all networks and resources in that view. You can also grant an admin group broad permissions to IPAM resources, such as read/write permission to all IPv4 networks and IPv6 networks in the database. In addition, you can grant permission to a specific host in a network. Permissions at more specific levels override global permissions.
The following sections describe the types of permissions that you can set for IPAM resources:

Administrative Permissions for IPv4 and IPv6 Networks

Limited-access admin groups can access IPv4 and IPv6 networks only if their administrative permissions are defined. Permissions for a network apply to all its DNS and DHCP resources, if configured. To override network-level permissions, you must define permissions for specific objects within the networks. You can also define permissions for specific DHCP objects and Grid member to restrict admins to perform only the specified DHCP tasks on the specified member. For more information, see Defining DNS and DHCP Permissions on Grid Members.
You can grant read-only or read/write permission, or deny access to networks, as follows:

  • All IPv4 or IPv6 networks—Global permission that applies to all networks in the database.
  • A specific network—Network permissions apply to all objects in the network. This overrides global permissions.
  • A specific network on a specific member—Network permissions apply to all objects in the network and member permissions apply to the specific member. For information about member permissions, see Modifying Permissions on a Grid Member.

Administrative Permissions for Hosts

A host record can contain both DNS and DHCP attributes if you configure them. When applying administrative permissions to host records, the permissions apply to all relevant DNS and DHCP resources within the host records. You can define global permissions to all hosts. To override global permissions, you must define permissions for specific hosts.
You can grant read-only or read/write permission, or deny access to host records, as follows:

  • All hosts—Global permission that applies to all host records in the Grid.
  • A specific host—Object permission that applies only to a selected host.

Administrative Permissions for DHCP Fingerprint Permissions

NIOS provides a global permission for all All DHCP Fingerprints; however, it does not support object level permissions for fingerprints. To use fingerprint filters, you must have superuser privileges.

Administrative Permissions for Network Insight Tasks

Table 4.12 summarizes the permissions you need to perform various tasks related to device discovery.
Table 4.12 Permissions for Network Discovery





Tasks

Network Discovery

DNS Zones

Networks Selected for Discovery


Port Control


All Network Views/ All IPv4 Networks/ All IPv6 Networks

Permissions for Object

Initiate and control a discovery on selected networks

RW


RW




View discovered data



RO




Resolve conflicting IP addresses



RW




Convert unmanaged objects to a host, fixed address, reservation, A record, or PTR record


RW

RW




Configure device interfaces, provision networks on interfaces

RW



RW



Configure a Blackout schedule for networks or DHCP ranges

RW




RO


Creating/editing port reservations for a Grid member, host, fixed address, reservation, A record, or PTR record


RW
RO