Note
Access management has changed in Micetro 10.1. To view the access management example used in previous versions, switch to the appropriate version number using the version selector.
This article aims to provide practical information on acl-roles
and detailed, step-by-step breakdowns for two scenarios: creating a new, read-only role for DHCP scopes, and using the built-in DNS viewers role to set up a DNS read-write role.
The information on this page, and the how-tos presented, will provide a blueprint to customize Micetro to your requirements.
The seven built-in-roles
have been designed to cover most use cases for access control in Micetro. The access settings for the built-in roles can't be modified.
Tip
Built-in roles are all acl-general-roles
and applied to all objects in Micetro, existing or future.
Example: adding a user or group to the Administrators (built-in) role, the user (or group members) automatically gain administrative access to all objects in Micetro.
As all DDI environments are different, Micetro allows creating flexible user-defined roles.
Tip
Creating new roles requires the Administer users/groups permission.
There are two ways of creating new roles in Micetro:
- (Preferred) Duplicate an existing role and edit the permissions. See
duplicate-role
. - Create a completely new role. See
new-role
.
Tip
Men&Mice recommends using the built-in roles as templates and modifying the permission set for the duplicate roles.
The following steps illustrate how to create a read-write role in Micetro for DNS zones, using a built-in role as a template.
Tip
Using existing roles as templates makes refining access controls easier, as you can both copy over permissions and users / groups.
- Log in to the Web Application.
- Navigate to
Admin --> Configuration --> Access Management
and selectRoles
.
- Press the
Create
button and selectFrom existing role
.
- From the dropdown Select an existing role, click on
DNS Viewers (built-in)
.
Tip
If you have the role selected in the grid, From existing role will automatically fill in the value for convenience.
- Edit the Role name.
Note
When duplicating a role, editing the Description is not available until the new role is created.
- Select what to copy from the existing role: Permissions (default), Groups, and/or Users.
Note
Duplicating roles will automatically set the role type to General.
- Click
Create
to save the new role.
After saving the new role, Micetro will automatically display the Edit role properties dialog for it.
- Switch over to the
Access
tab and enable the following permission:
Group | Permission |
---|---|
DNS servers | Add master zones |
DNS servers | Add non-master zones |
DNS zones | Edit zone access |
DNS zones | List (or view) zone |
DNS zones | View zone history |
DNS zones | Enable/disable zone |
DNS zones | Edit zone options |
DNS zones | Delete zone |
DNS zones | Enable/disable apex records |
DNS zones | Edit apex records |
DNS zones | Enable/disable wildcard records |
DNS zones | Edit wildcard records |
DNS zones | Enable/disable other records |
DNS zones | Edit other records |
DNS zones | Edit zone properties |
Tip
Clicking the checkbox next to the DNS zones group will automatically select all permissions within the group.
Tip
For a handy reference for available permissions, see permissions-reference
.
- (Optional) Switch to the
Groups
tab and select the group(s) you'd like to assign to the role.
- (Optional) Switch to the
Users
tab and select the user(s) you'd like to assign to the role.
Tip
Users and groups can be assigned to and removed from roles at any time.
- Click
Save
to update the role settings.
This
The following steps illustrate how to create a new, read-only role in Micetro for DHCP scopes only, without using the built-in role templates.
- Log in to the Web Application.
- Navigate to
Admin --> Configuration --> Access Management
and selectRoles
.
- Press the
Create
button and selectNew role
- Specify the Role name, e.g.
DHCP Read-Only
and add a Description.
Tip
Using descriptive names and clear text for the description makes access management easier.
- Choose between the General or Specific role types.
Note
The preferred role type in Micetro is the acl-general-roles
. Specific roles exist to preserve backwards compatibility and added flexibility to edge use cases.
- Switch over to the
Access
tab and enable the following permission:
Group | Permission |
---|---|
Ranges and DHCP scopes | Read scope options |
- Notice that a blue
(i)
indicator appears on the top right. Hovering over will show that in order for the selected permissions to take effect, additional permissions will be set:
Group | Permission |
---|---|
Micetro | Access to the web interface |
Micetro | Access IPAM module |
Micetro | Access to IPAM view in web interface |
DHCP servers | List (or view) DHCP server |
Ranges and DHCP scopes | List (or view) range |
Address spaces | List (or view) address space |
Tip
Micetro will automatically enable these permissions upon saving the new role. You can check the permissions granted to the role by switching to View defined
using the radio button.
Tip
For a handy reference for available permissions, see permissions-reference
.
- (Optional) Switch to the
Groups
tab and select the group(s) you'd like to assign to the role.
- (Optional) Switch to the
Users
tab and select the user(s) you'd like to assign to the role.
Tip
Users and groups can be assigned to and removed from roles any time.
- Click
Create
to create the role.