08-13-2012 11:32 AM
Is there some more detailed documentation available than the Install and User Guide for the Workflow Snapin? I think I'm missing something in the configuration or in the overall intention of the program.
I created a test user (test-user) that I want to just be a requester of host records. This would maybe be an admin that needs to set up a new server in a DMZ but doesn't have or need any rights in the Infoblox grid. I would want them to submit a request for a new IP and DNS name that would be reviewed and published by an Infoblox administrator at a later time.
I created test-user on the grid and gave him the role of Workflow-Requester. No other rights at all.
With those rights test-user can log in to WorkFlow and get to the screen to request a host record. However, none of the subnet search features work. It is like he cannot see any of the networks to search at the high level or to grab the next IP. I assumed that this searching would have been done by the user I provided in the webconfig.pm but I guess not.
So I gave test-user some read-only rights to a few networks and now that part works; he could find networks and find the next available IP. However, when I hit submit, I got the error, "Write permission for the resource record type 'HOST' in the zone '***.***.com' is required for this operation."
Sure enough, if I give test-user access to write to the DNS zone and the network, he can submit a request and wait for the approval process in WorkFlow to complete. Of course test-user can just log onto the grid and do the same work without any approval process at this point, which pretty much makes the approval process in Workflow pretty pointless.
In reading through the description of Workflow, it sounds like the intention would be for "test-user" to only need minimal rights to be a "Requester". Do I have something misconfigured that is not allowing the rights to flow through correctly? Or am I missing the intention of the Workflow Snapin?
08-13-2012 04:10 PM
You are correct, the permissions don't work as you expect. Your users would need rights to the zone and the network. This is the kind of feedback we are looking for and part of the reason the 2.2 is a 'Preview release'.
Some people want to disable the default account in WebConfig, because they consider it to be a security risk, and rely on users having all the required permissions, while others, such as yourself, need users with as few rights as possible, and an account that can proxy on their behalf.
Both options are valid and we're not sure which one should be the default (yet).
One possibility would be to include a 'proxy_requests' configurable option, but I'm not sure where to put it in the code (yet), and how to keep it secure.
08-14-2012 05:42 AM
11-29-2014 11:14 PM