12-01-2016 08:52 AM
Looking for a way to limit an API user to be able to create DNS records and then only be able to modify the records they created. I can see that after a record is created manually you can then restrict a user account to only have RW access to that record, but want the user to be able to create records as well, while at the same time limit their ability to potentially modify or delete any other records not otherwise associated with their application. Has anyone been able to get this granular via WAPI?
Solved! Go to Solution.
12-01-2016 02:33 PM
We are contemplating either creating user accounts per application or business unit so the number can be upwards of 20 plus.
12-02-2016 05:44 AM
Here’s something you can try…IF the users are issuing the queries directly you will have limits since they would effectively need higher level permissions to the parent (zone or network) to do the creation to begin with.
IF the users are using some kind of portal (customized interface) to submit the request, you could have the portal use elevated permissions to not only create the object but then also use the API to set the appropriate permissions to the group that the user belongs to. Another option is to leverage extensible attributes for this and have your portal filter based on EA values.
There may be a few other ideas from some others but this might be something to help you get the creative juices flowing.
12-05-2016 08:15 AM
Thank you. I'll follow-up on these recommendations. Specifically on how we might be able to leverage the extensible attributes.