06-28-2023 01:55 PM
We have a CNAME that many other CNAMEs are pointing to that was deleted recently. Is there a way to lock specific records from deletion, even by admins/superusers, or at least have a prompt to unlock before deletion? Looking to prevent this from happening in the future for a select few records.
10-20-2023 12:49 AM
You can't stop a superuser from deleting that record. You could put a warning text in the comment field, but that is about it, I believe.
You can stop any other admin from deleting that record though. I just created a user in my lab with the default role 'DNS Admin'. In the permission profile I added an object permission on a specific CNAME with permission read-only. This administrator was able to make any change to the zone, except for editing / deleting this CNAME record.
In your case, a solution would be to create a role with every permission on read-write, except for this one specific object permission. Then change your superusers from superuser to this role.
I would advise keeping one superuser account with a long and secure password and putting it in a vault.