06-27-2018 03:41 AM
Is it possible?
My use case:
I have Approvers and Submitters admin groups. When a Submitter creates a scheduled task, someone from the Approvers admin group can approve it.
But I want to narrow down the Approvers' permissions: only a particular Approver should be able to approve a request, based on the extensible attributes of the request.
A submitter submits a request via the WAPI to delete a record:host. Because the submitter is part of the Submitters group and the Submitters group is used in a Workflow, a scheduled task is created, waiting to be approved. The affected record:host object has a few extensible attributes, one of which is named approver (string) and holds the email address of the person who is responsible for approving this particular request.
The question: how can I restrict the Approvers so that only the one listed in the approver EA has permission to approve the request?
06-29-2018 05:51 AM
Infoblox includes RBAC (role-based access controls) and not ABAC (attribute-based access controls). If you wanted to implement something similar to what you indicate in your request, you would need to do so via the API.
To accomplish this, you could restrict the approvers to use ONLY the API and then have an API call look for items that need approval AND have a specific EA match. Then you could present the approver with the list of actions to approve and use an API call to accept/reject accordingly.
06-29-2018 06:54 AM
Thank you. ABAC is what I need, but I can't figure out where and how to configure it.
When configuring Roles and Permissions I have two options - Global and Object permissions.
How do I configure an attribute-based permission? The approver must be able to act only on objects that have a particular EA set.
06-29-2018 07:37 AM
In my previous reply, I indicated that Infoblox does not offer ABAC. At least, not through any built-in logic. That's where the discussion of using the API comes in. You could leverage the API to build in your own logic, to include some form of ABAC, and then handle things from there. RBAC would still be behind the scenes but if you follow the example I provided, that's one way that you could potentially address your ABAC requirement.
Basically, your API calls would need to pull out the data that was pending some workflow approval where EA=<filtered_value> and then process accordingly. Another option, without relying on the API, is to potentially leverage the target EA as a field that always gets added to the audit log and then forward the audit log to some type of orchestration tool (like ServiceNow) and have the orchestration tool provide the additional logic to implement the permissioning the way you want. An action there would then use the API to trigger the approval or rejection accordingly.
There are multiple potential methods of addressing this type of request but you would have to do so outside of the Infoblox GUI. The Infoblox GUI leverages only the ability to control access via RBAC.
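As an added example (not code from this thread or from Infoblox), here is what the API-side approach from the two replies above could look like in Python against the WAPI: list scheduledtask objects with approval_status PENDING, look up the approver EA on each record:host the task would change, and PUT approval_status on only the tasks whose EA names the calling approver. The WAPI version string, the hostnames, e-mail addresses and task references in the FakeWapi class are constructed sample data, and the writable fields on scheduledtask (approval_status, approver_comment) should be confirmed against the WAPI reference for your NIOS version.

```python
import base64
import json
import ssl
import urllib.parse
import urllib.request

WAPI_VERSION = "v2.10"  # assumed; use the version your Grid Master actually serves
APPROVER_EA = "approver"  # EA name from the question


class WapiClient:
    """Minimal stdlib-only WAPI client: HTTP basic auth, JSON in and out."""

    def __init__(self, grid_master, username, password, verify_tls=True):
        self.base = f"https://{grid_master}/wapi/{WAPI_VERSION}/"
        self.auth = "Basic " + base64.b64encode(f"{username}:{password}".encode()).decode()
        self.ctx = ssl.create_default_context()
        if not verify_tls:  # lab Grid Masters with self-signed certs only
            self.ctx.check_hostname = False
            self.ctx.verify_mode = ssl.CERT_NONE

    def _call(self, method, path, params=None, body=None):
        url = self.base + path + ("?" + urllib.parse.urlencode(params) if params else "")
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(url, data=data, method=method, headers={
            "Authorization": self.auth, "Content-Type": "application/json"})
        with urllib.request.urlopen(req, context=self.ctx) as resp:
            return json.loads(resp.read().decode())

    def get(self, obj_type, params=None):
        return self._call("GET", obj_type, params)

    def put(self, ref, body):
        return self._call("PUT", ref, body=body)


def approver_of(client, changed):
    """Lower-cased value of the approver EA on the record:host a task touches, or None."""
    if changed.get("object_type") != "record:host":
        return None
    hosts = client.get("record:host", {"name": changed["name"], "_return_fields": "extattrs"})
    if not hosts:
        return None
    value = hosts[0].get("extattrs", {}).get(APPROVER_EA, {}).get("value")
    return value.lower() if value else None


def tasks_for_approver(client, approver_email):
    """Pending tasks in which every affected host names approver_email in the approver EA."""
    pending = client.get("scheduledtask", {"approval_status": "PENDING",
                         "_return_fields": "task_id,submitter,changed_objects,approval_status"})
    mine = []
    for task in pending:
        owners = {approver_of(client, c) for c in task.get("changed_objects", [])}
        # Any object without the EA, or with another approver, makes the task not ours.
        if owners == {approver_email.lower()}:
            mine.append(task)
    return mine


def decide(client, task, approve, comment=""):
    """Approve or reject one task by PUT on its _ref."""
    status = "APPROVED" if approve else "REJECTED"
    return client.put(task["_ref"], {"approval_status": status, "approver_comment": comment})


class FakeWapi:
    """Constructed stand-in returning WAPI-shaped data so the flow runs offline (sample, not real)."""

    def __init__(self):
        self.approver_by_host = {"db01.example.test": "Alice@example.test",
                                 "web01.example.test": "bob@example.test",
                                 "legacy.example.test": None}  # host with no approver EA
        self.tasks = [self._task(i, h) for i, h in enumerate(self.approver_by_host, start=1)]

    @staticmethod
    def _task(task_id, host):
        return {"_ref": f"scheduledtask/fake{task_id}:{task_id}", "task_id": task_id,
                "submitter": "sub1", "approval_status": "PENDING",
                "changed_objects": [{"action": "Delete", "name": host,
                                     "object_type": "record:host", "type": "record:host"}]}

    def get(self, obj_type, params=None):
        params = params or {}
        if obj_type == "scheduledtask":
            return [t for t in self.tasks if t["approval_status"] == params.get("approval_status")]
        if obj_type == "record:host":
            ea = self.approver_by_host.get(params.get("name"), "missing")
            if ea == "missing":
                return []
            extattrs = {APPROVER_EA: {"value": ea}} if ea else {}
            return [{"_ref": f"record:host/fake:{params['name']}/default", "extattrs": extattrs}]
        raise ValueError(obj_type)

    def put(self, ref, body):
        task = next(t for t in self.tasks if t["_ref"] == ref)
        task.update(body)
        return ref


def demo(approver_email="alice@example.test"):
    """Run the filter on the constructed data; returns (approved task_ids, status of every task)."""
    fake = FakeWapi()
    approved = []
    for task in tasks_for_approver(fake, approver_email):
        decide(fake, task, approve=True, comment="matches approver EA")
        approved.append(task["task_id"])
    return approved, {t["task_id"]: t["approval_status"] for t in fake.tasks}


if __name__ == "__main__":
    print(demo())  # -> ([1], {1: 'APPROVED', 2: 'PENDING', 3: 'PENDING'})
```

Note that this filter is enforced by the script, not by the Grid: an approver who still holds GUI access to the Approvers group can approve any task regardless of the EA. It only becomes a control when, as the reply suggests, the approvers are limited to the API and the script (or the orchestration tool that calls it) is the only path to PUT approval_status, with its own audit trail of who approved what.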
06-29-2018 07:38 AM
I would suggest reaching out to your sales team for assistance. They may be able to recommend some different strategies or put you in touch with the PS team for assistance in building out what you need.