01-27-2017 11:34 AM
Is there a way to limit permissions for users to only create reservations/host entries/static addresses throughout a given subnet, and not have to give them permissions to alter the network itself? After some testing I'm finding that the only way to give a user permission to alter or "mark" an IP as used (host entry, reservation, fixed address) is to give them write permissions to that network, which also allows them to delete that network as well. I don't want to give permissions to specific users to alter networks, but I want to allow them to be able to mark addresses as used whenever they prefer.
Is there a way to do this without allowing that user to alter the network itself?
01-30-2017 07:52 AM - edited 01-30-2017 07:54 AM
The change must be done to each network individually. I have a Perl script that runs through our networks and assigns LDAP groups specific rights, to specific networks, by matching EAs.
The network gets read only,
The DHCP range, we allow read write access so that the admins can make option changes. They can also delete the range, which they have done from time to time, but they tend to learn quickly.
Then within the network we give them read write to hosts, A, PTR, reservations, etc as needed.
There are some options within the grid on inheritance of the host, A, and PTR write rights and what that means in the DNS zones that are in that network. A quick scan of the admin guide didn't turn it up but I remember some decisions and options around giving rights at the network level to edit DNS and if you also needed to give rights within the specific DNS zones or not. That was a one-time, grid-wide check box as I remember.
This works well; a site or region can only see their networks if you get the rights correct.
This makes the GUI painfully slow for them, but it does work. A user with this kind of access will take about 2-3 minutes from login to get to the IPAM tab and load their subset of the networks. Once they are in and working it is better but expect every screen load to be 2-4 times slower than for a super user.
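The per-network delegation described in the reply above, sketched as an added example that is not part of the original post and is not the poster's Perl script. The plan tuples, resource labels, EA name `Site`, and group names are assumptions for illustration, not Infoblox API objects; the sample networks are constructed.

```python
# Added example: plan format and names are illustrative, not Infoblox API objects.
READ, WRITE = "READ", "WRITE"
# Object kinds inside a network that delegated admins may edit (per the reply above).
CHILD_WRITE = ("host", "a", "ptr", "reservation")

def plan_grants(networks, ea_name, group_for_ea):
    """Build (group, network, resource, permission) grants, one network at a time."""
    plan = []
    for net in networks:
        group = group_for_ea.get(net["extattrs"].get(ea_name))
        if group is None:
            continue  # no matching EA value: no delegated rights on this network
        cidr = net["network"]
        plan.append((group, cidr, "network", READ))      # the network itself stays read-only
        plan.append((group, cidr, "dhcp_range", WRITE))  # option edits (also permits range deletion)
        plan.extend((group, cidr, kind, WRITE) for kind in CHILD_WRITE)
    return plan

def audit(plan):
    """Return grants that would let a delegated group alter or delete a network."""
    return [g for g in plan if g[2] == "network" and g[3] != READ]

def visible_networks(plan, group):
    """Networks a group holds any grant on, i.e. what it should see in IPAM."""
    return sorted({cidr for g, cidr, _, _ in plan if g == group})

# Constructed sample data: two tagged networks and one without the EA.
NETWORKS = [
    {"network": "10.10.0.0/24", "extattrs": {"Site": "Denver"}},
    {"network": "10.20.0.0/24", "extattrs": {"Site": "Austin"}},
    {"network": "10.30.0.0/24", "extattrs": {}},
]
GROUPS = {"Denver": "ldap-denver-ipam", "Austin": "ldap-austin-ipam"}

if __name__ == "__main__":
    plan = plan_grants(NETWORKS, "Site", GROUPS)
    for grant in plan:
        print(grant)
    print("network-level write grants:", audit(plan))
```

Running `audit` on the plan before applying it catches any grant that would reintroduce the network-level write access the question set out to avoid.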
02-02-2017 02:29 PM
Super reply. Thank you so much. What version of code are you running that it is so slow and have you always seen this? It must be due to the permissions checking?
02-06-2017 07:32 AM
This configuration has been slower than we would like since we started our grid ~7 years ago.
With 2000-A's and early in the 6.X line of NIOS we started to ask questions.
Then the TE-4010's were the fix.
Then the 7.X code.
Then 7.3 code.
There have been small improvements over time. Sometimes getting back up to what we consider nearly useful \ tolerable when compared to what a super user experiences. But as the grid has grown and we have turned on more features, the speed of the GUI for the restricted access users has been a consistent issue. It’s not directly a CPU issue with the GM. It’s slow when there is only one user logged in and the CPU is around 10%. It is not noticeably different when there are 15 people logged in and the CPU is spiking to 50%. It seems to be something in the way the rights are handled and the networks are shown in the GUI that seems to be inherent in the design.
02-14-2018 03:36 PM
The grid-wide flag is:
Enable DNS Object Permissions in Networks and Ranges
It is set in the Grid Properties under General / Advanced.