Reply

Permissions for Individual Records

New Member
Posts: 3
12716     0

I am very familiar with the way permissions are defined in our running version of NIOS (7.3.18, plan to upgrade soon to 8.2.7) but I am curious if anybody found any clever work arounds to accomplish the following:

 

-Granting permissions to allow users to edit individual host records, *without* granting them full RW to the entire subnet/zone.

 

I have been asked by my organization to look into whether we can use the 'next available' function to allocate IP space to users for our VM infrastructure, while also allowing these users to edit the auto-generated host records. I have done some testing on my own, and as expected, cannot see a way to enable this functionality without also granting the user full RW permissions to the foward DNS zone, the network, and/or the reverse DNS zone (if defined).

 

If anybody has run into this same situation, please provide any insight you may have!

 

Thanks!

Re: Permissions for Individual Records

Adviser
Posts: 63
12716     0

You can set permissions on individual records.  The issue is that if the user uses the Infoblox Grid Manager GUI to update the record, they will need read only access to all parents of the record to browse to it.  The user would need read only access to the DNS View, the DNS Zone, any subzones if applicable, and finally Read/Write access to the record.

 

You might be able to get around that by using global search at the top right.  By searching, you're not navigating through the rest of the objects to get to the DNS record.

 

Oh, and if default permissions exist, you can negate them on the DNS record by setting permissions to DENY for the users/groups that would otherwise be inherited.

Re: Permissions for Individual Records

New Member
Posts: 3
12716     0

Understood... BUT ... if the user tried to edit said host record it would complain that they do not have WRITE permissions to whatever DNS zone or subnet that the host record is defined in ... so there is really no point to the host record being RW, since they cannot write anything without inherited permissions?

Re: Permissions for Individual Records

Adviser
Posts: 109
12717     0

@justintaylor9 wrote:

Understood... BUT ... if the user tried to edit said host record it would complain that they do not have WRITE permissions to whatever DNS zone or subnet that the host record is defined in ... so there is really no point to the host record being RW, since they cannot write anything without inherited permissions?


There are a couple of additional factors that might affect you here:

  • IPAM: The Host record will associate with the IP address. If you have a network defined, you may also need to give write access for that
  • Reverse DNS: The host record will abstract the reverse record. If the reverse mapping zone exists, you may also need to provide permissions there as well.

 

If you are enabling the Host record for DHCP and/or including a MAC address in it, you will definitely need write permissions on the network as well.

 

The alternative is to use an A record instead. That gives you the option to auto-create the corresponding PTR record when creating the A record, and would simplify management of permissions for you.

 

Hope this helps.

 

-Tony

Re: Permissions for Individual Records

Adviser
Posts: 63
12717     0

You are correct.  RW permissions to a HOST does not give the user permission to update the network, so RW permission is required for the network.  If the network does not exist in IPAM, it will likely be allowed.

 

I tested this in my lab and confirmed that HOST records cannot be updated without RW access to the network.

 

host-perm-error.jpg.png

 

In my test, a user with RW permission to only an A, CNAME, and HOST could only update the A and CNAME records.

 

The NIOS 8.2 Admin Guide does confirm:

 

When you enable new permissions, you can define the following permissions for
the admins to add, modify, and delete A, AAAA, PTR records and DNS hosts
that have associated IP addresses in a network container, network, or range:
— Read/write permission for the
specific records in the zone or a higher level DNS parent object.
and
— Read/write permission for the records in the specified network
container, network, or range to which the resources belong.

Showing results for 
Search instead for 
Did you mean: 

Recommended for You