access_control_example.rst

File metadata and controls

254 lines (170 loc) · 8.06 KB

Role-based access example

Note

Access management has changed in Micetro 10.1. To view the access management example used in previous versions, switch to the appropriate version number using the version selector.

Introduction

This article provides practical information on roles (see acl-roles) and detailed, step-by-step breakdowns for two scenarios: creating a new, read-only role for DHCP scopes, and using the built-in DNS Viewers role to set up a DNS read-write role.

The information on this page, and the how-tos presented, provide a blueprint for customizing Micetro to your requirements.

Built-in roles

The seven built-in roles have been designed to cover most use cases for access control in Micetro. The access settings of the built-in roles cannot be modified.

Tip

Built-in roles are all general roles (see acl-general-roles) and apply to all objects in Micetro, existing or future.

Example: when a user or group is added to the Administrators (built-in) role, the user (or the group's members) automatically gains administrative access to all objects in Micetro.

User defined roles

As all DDI environments are different, Micetro allows creating flexible user-defined roles.

Tip

Creating new roles requires the Administer users/groups permission.

There are two ways of creating new roles in Micetro:

  1. (Preferred) Duplicate an existing role and edit the permissions. See duplicate-role.
  2. Create a completely new role. See new-role.

Tip

Men&Mice recommends using the built-in roles as templates and modifying the permission set for the duplicate roles.


Example role configuration: DNS zone read-write

The following steps illustrate how to create a read-write role in Micetro for DNS zones, using a built-in role as a template.

Tip

Using existing roles as templates makes refining access controls easier, as you can copy over both permissions and users/groups.

  1. Log in to the Web Application.

  2. Navigate to Admin --> Configuration --> Access Management and select Roles.

  3. Press the Create button and select From existing role.

  4. From the dropdown Select an existing role, click on DNS Viewers (built-in).

Tip

If you have the role selected in the grid, From existing role will automatically fill in the value for convenience.

  5. Edit the Role name.

Note

When duplicating a role, editing the Description is not available until the new role is created.

  6. Select what to copy from the existing role: Permissions (default), Groups, and/or Users.

Note

Duplicating roles will automatically set the role type to General.

  7. Click Create to save the new role.

After saving the new role, Micetro will automatically display the Edit role properties dialog for it.

  8. Switch over to the Access tab and enable the following permissions:

     ===========  ================================
     Group        Permission
     ===========  ================================
     DNS servers  Add master zones
     DNS servers  Add non-master zones
     DNS zones    Edit zone access
     DNS zones    List (or view) zone
     DNS zones    View zone history
     DNS zones    Enable/disable zone
     DNS zones    Edit zone options
     DNS zones    Delete zone
     DNS zones    Enable/disable apex records
     DNS zones    Edit apex records
     DNS zones    Enable/disable wildcard records
     DNS zones    Edit wildcard records
     DNS zones    Enable/disable other records
     DNS zones    Edit other records
     DNS zones    Edit zone properties
     ===========  ================================

Tip

Clicking the checkbox next to the DNS zones group will automatically select all permissions within the group.

Tip

For a handy reference of the available permissions, see permissions-reference.

  9. (Optional) Switch to the Groups tab and select the group(s) you'd like to assign to the role.

  10. (Optional) Switch to the Users tab and select the user(s) you'd like to assign to the role.

Tip

Users and groups can be assigned to and removed from roles at any time.

  11. Click Save to update the role settings.

Example role configuration: DHCP read-only

The following steps illustrate how to create a new, read-only role in Micetro for DHCP scopes only, without using the built-in role templates.

  1. Log in to the Web Application.

  2. Navigate to Admin --> Configuration --> Access Management and select Roles.

  3. Press the Create button and select New role.

  4. Specify the Role name, e.g. DHCP Read-Only, and add a Description.

Tip

Using descriptive names and clear text for the description makes access management easier.

  5. Choose between the General or Specific role types.

Note

The preferred role type in Micetro is General (see acl-general-roles). Specific roles exist to preserve backwards compatibility and to add flexibility for edge cases.

  6. Switch over to the Access tab and enable the following permission:

     ======================  ===================
     Group                   Permission
     ======================  ===================
     Ranges and DHCP scopes  Read scope options
     ======================  ===================

  7. Notice that a blue (i) indicator appears at the top right. Hovering over it shows that, for the selected permission to take effect, the following additional permissions will be set:

     ======================  ====================================
     Group                   Permission
     ======================  ====================================
     Micetro                 Access to the web interface
     Micetro                 Access IPAM module
     Micetro                 Access to IPAM view in web interface
     DHCP servers            List (or view) DHCP server
     Ranges and DHCP scopes  List (or view) range
     Address spaces          List (or view) address space
     ======================  ====================================

Tip

Micetro will automatically enable these permissions upon saving the new role. You can check the permissions granted to the role by switching to View defined using the radio button.

Tip

For a handy reference of the available permissions, see permissions-reference.

  8. (Optional) Switch to the Groups tab and select the group(s) you'd like to assign to the role.

  9. (Optional) Switch to the Users tab and select the user(s) you'd like to assign to the role.

Tip

Users and groups can be assigned to and removed from roles at any time.

  10. Click Create to create the role.
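An added illustration, not Micetro's own code or API: a small Python model of the prerequisite expansion described in step 7 (selecting Read scope options makes Micetro enable the listed view permissions, which is what View defined shows), together with an audit that the expanded role is still read-only. The prerequisite list for Read scope options is taken from the table above; the dependency of Edit zone options on List (or view) zone and the write-verb heuristic are assumptions for illustration.

```python
# Added illustration, not Micetro's own code or API: expands a selected
# permission into the prerequisites it implies (what Micetro's "View defined"
# view shows) and audits the result for anything that is not read-only.
from typing import Dict, FrozenSet, Set

# Prerequisite map. The entry for "Read scope options" mirrors the permissions
# the (i) indicator lists in the DHCP read-only example; the entry for
# "Edit zone options" is an assumed dependency for illustration only.
IMPLIED: Dict[str, Set[str]] = {
    "Ranges and DHCP scopes: Read scope options": {
        "Micetro: Access to the web interface",
        "Micetro: Access IPAM module",
        "Micetro: Access to IPAM view in web interface",
        "DHCP servers: List (or view) DHCP server",
        "Ranges and DHCP scopes: List (or view) range",
        "Address spaces: List (or view) address space",
    },
    "DNS zones: Edit zone options": {"DNS zones: List (or view) zone"},  # assumed
}

# Verbs that mark a permission as changing state rather than only reading it.
WRITE_VERBS = ("Add ", "Edit ", "Delete ", "Enable/disable ")


def view_defined(selected: Set[str]) -> FrozenSet[str]:
    """Effective permission set: the selection plus all transitive prerequisites."""
    effective: Set[str] = set()
    pending = list(selected)
    while pending:
        perm = pending.pop()
        if perm not in effective:
            effective.add(perm)
            pending.extend(IMPLIED.get(perm, ()))
    return frozenset(effective)


def write_permissions(effective: FrozenSet[str]) -> Set[str]:
    """Every permission in the set whose name starts with a write verb."""
    return {p for p in effective if p.split(": ", 1)[1].startswith(WRITE_VERBS)}


def is_read_only(selected: Set[str]) -> bool:
    """True when the role grants no write verb even after prerequisite expansion."""
    return not write_permissions(view_defined(selected))


if __name__ == "__main__":
    dhcp_ro = {"Ranges and DHCP scopes: Read scope options"}
    print(sorted(view_defined(dhcp_ro)), is_read_only(dhcp_ro))  # 7 perms, True
```

Running the audit against a role before assigning users or groups is a quick way to confirm that implied prerequisites have not widened a role beyond what its name promises.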