Workflow 2.2 -- rights needed to be a requester

Is there some more detailed documentation available than the Install and User Guide for the Workflow Snapin? I think I'm missing something in the configuration or in the overall intention of the program.

I created a test user (test-user) that I want to just be a requester of host records. This would maybe be an admin that needs to set up a new server in a DMZ but doesn't have or need any rights in the Infoblox grid. I would want them to submit a request for a new IP and DNS name that would be reviewed and published by an Infoblox administrator at a later time.

I created test-user on the grid and gave him the role of Workflow-Requester. No other rights at all.

With those rights test-user can log in to WorkFlow and get to the screen to request a host record. However, none of the subnet search features work. It is like he cannot see any of the networks to search at the high level or to grab the next IP. I assumed that this searching would have been done by the user I provided in the but I guess not.

So I gave test-user some read-only rights to a few networks and now that part works; he could find networks and find the next available IP. However, when I hit submit, I got the error, "Write permission for the resource record type 'HOST' in the zone '***.***.com' is required for this operation."

Sure enough, if I give test-user access to write to the DNS zone and the network, he can submit a request and wait for the approval process in WorkFlow to complete. Of course test-user can just log onto the grid and do the same work without any approval process at this point, which pretty much makes the approval process in Workflow pretty pointless.

In reading through the description of Workflow, it sounds like the intention would be for "test-user" to only need minimal rights to be a "Requester". Do I have something misconfigured that is not allowing the rights to flow through correctly? Or am I missing the intention of the Workflow Snapin?

Re: Workflow 2.2 -- rights

GHorne Community Manager
You are correct, the permissions don't work as you expect. Your users would need rights to the zone and the network. This is the kind of feedback we are looking for and part of the reason the 2.2 is a 'Preview release'.

Some people want to disable the default account in WebConfig, because they consider it to be a security risk, and rely on users having all the required permissions, while others, such as yourself, need users with as few rights as possible, and an account that can proxy on their behalf.

Both options are valid and we're not sure which one should be the default (yet).

One possibility would be to include a 'proxy_requests' configurable option, but I'm not sure where to put it in the code (yet), and how to keep it secure.

Re: Workflow 2.2 -- rights

I have a better understanding now. My suggestion would be to have an account in the webconfig that is just read only. The webconfig account would have just enough to let each requester search the needed information, check for duplicates, etc. The publisher's account would be the only one with write access. The actual addition to the grid would be under the publisher's account with the requester's account info captured in the audit log or an extensible attribute. I would also suggest the ability to skip the reviewer step somehow. In our environment the review and publish step is generally the same person, so the ability to skip the extra 'button push' would be nice.
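
The split of rights suggested in the post above, sketched as an added example (not part of the thread and not Infoblox or Workflow Snapin code). The `Workflow` class, the `Workflow-Publisher` role name, the `Requested-By` attribute and the rule that a requester cannot publish their own request are assumptions made for illustration; the sample hosts and networks are constructed.

```python
from dataclasses import dataclass, field

REQUESTER = "Workflow-Requester"  # role name from the thread
PUBLISHER = "Workflow-Publisher"  # assumed role name

@dataclass
class User:
    name: str
    roles: set
    write_zones: set = field(default_factory=set)  # zones this user may write

class Workflow:
    """Toy model: lookups go through a read-only proxy, writes only as publisher."""
    def __init__(self, networks):
        self.networks = networks  # what the read-only WebConfig account can see
        self.grid = {}            # fqdn -> record; stands in for the grid
        self.pending, self.audit = [], []

    def search(self, user):
        # The requester needs only the role, no grid rights of their own.
        if REQUESTER not in user.roles:
            raise PermissionError("not a requester")
        return sorted(self.networks)

    def submit(self, user, fqdn, ip, zone):
        self.search(user)  # same role check as a search
        if fqdn in self.grid or any(r["fqdn"] == fqdn for r in self.pending):
            raise ValueError("duplicate host")
        req = {"fqdn": fqdn, "ip": ip, "zone": zone, "requester": user.name}
        self.pending.append(req)
        self.audit.append(("submitted", user.name, fqdn))
        return req

    def publish(self, publisher, req):
        if PUBLISHER not in publisher.roles or req["zone"] not in publisher.write_zones:
            raise PermissionError("publisher lacks write access to zone")
        if publisher.name == req["requester"]:  # assumption: no self-approval
            raise PermissionError("requester cannot publish own request")
        self.pending.remove(req)
        # The write happens under the publisher; the requester is kept as an attribute.
        rec = {"ip": req["ip"], "Requested-By": req["requester"], "Published-By": publisher.name}
        self.grid[req["fqdn"]] = rec
        self.audit.append(("published", publisher.name, req["fqdn"]))
        return rec

def demo():  # constructed sample data
    wf = Workflow({"10.1.0.0/24", "10.2.0.0/24"})
    user, admin = User("test-user", {REQUESTER}), User("dns-admin", {PUBLISHER}, {"dmz.example.com"})
    return wf, user, admin, wf.submit(user, "web1.dmz.example.com", "10.1.0.5", "dmz.example.com")
```
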

how to create a new workflow for new ip request

Can someone please assist me in creating a new workflow in the scenario below?

1. Will it be possible to integrate Infoblox with our company AD?
2. If a user requests a new IP address, how do we create a new workflow in Infoblox?
3. Do we need to create a local ID for a user in Infoblox, or will our company AD ID be enough?

Re: how to create a new workflow for new ip request

Have you got an answer to your question?

