IPAM Configuration and permissions

  • Question

  • Hi experts,

    I am new to IPAM and the new administrator of this deployment. The previous admin quit and now I need to take over. I am trying to configure permissions so that users who will help me don't have full access, and I want to decide who will have access to what. I can only see IPAM Admin, IPAM ASM, Audit, MSM and User Group, and I need to know in which group I should add users to give specific permissions for DHCP and DNS and the whole IPAM, and how to test this out.

    Monday, July 3, 2017 9:32 AM

Answers

  • Hi,

    What do you mean by specific permissions? If you want, for example, to give permissions for only one scope, one DNS zone, etc., you will need to use RBAC instead of local administrative groups.

    ------------------------------------------------------------------------------------------------------------
    If you found this post helpful, please give it a "Helpful" vote. 
    Please remember to mark the replies as answers if they help.

    nedimmehic.org

    • Marked as answer by ChristerV Monday, July 3, 2017 1:11 PM
    Monday, July 3, 2017 9:39 AM
  • Hi,

    It is very important, and I recommend, that you learn about a product, not only IPAM but any product that you want to implement, before you implement it or take it over. I would recommend that you learn RBAC (role-based access control) and the whole of IPAM before you start using it.
    If you log in to your IPAM server and click on Access Control, you will see 3 core components: Roles, Access Scopes and Access Policies.

    The core concept of RBAC is what you can do and where you can do it. 


    ROLES –> are collections of privileges. They specify the tasks that can be performed, in other words what the user will be able to do.

    ACCESS SCOPES –> determine how far and wide a particular role can go in the server. So if the Role is the what, the Access Scope is the where.

    ACCESS POLICIES –> are the combination of roles and access scopes.

    So if you want to give special permissions you would need to configure it under access control and not under local groups. 

    • Edited by Nedim Mehic Monday, July 3, 2017 9:56 AM
    • Marked as answer by ChristerV Monday, July 3, 2017 1:11 PM
    Monday, July 3, 2017 9:55 AM
  • Built-in roles cannot be edited. You will need to create your own roles and go further into specifically determining exactly what actions that person should be able to do if the built-in roles do not fit. Global access scope means that there is a list of tasks that you can perform, and you can perform them over any server, zone or scope that IPAM can manage. That is what GLOBAL means. You will need to create a new access scope to limit the access.

    • Marked as answer by ChristerV Monday, July 3, 2017 1:11 PM
    Monday, July 3, 2017 11:08 AM
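
The what/where split described in the answers above, as a small model for checking a planned set of access policies before building them in the console. This is an added example, not part of the original thread and not IPAM's own code; the group names, role names, operation names and scope paths are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Policy:
    group: str   # WHO: the group the policy is assigned to
    role: str    # WHAT: a role, i.e. a collection of operations
    scope: str   # WHERE: an access scope path under \Global

# Constructed custom roles (built-in roles cannot be edited, so these are new ones).
ROLES = {
    "Site DHCP Operator": {"dhcp.scope.edit", "dhcp.reservation.create"},
    "Site DNS Operator": {"dns.record.create", "dns.record.delete"},
    "Full Admin": {"dhcp.scope.edit", "dhcp.scope.delete",
                   "dhcp.reservation.create", "dns.record.create",
                   "dns.record.delete", "dns.zone.delete"},
}

# Constructed policies: each one combines a role with an access scope.
POLICIES = [
    Policy("IPAM-Owner", "Full Admin", r"\Global"),
    Policy("Oslo-NetOps", "Site DHCP Operator", r"\Global\Oslo"),
    Policy("Oslo-NetOps", "Site DNS Operator", r"\Global\Oslo"),
    Policy("Bergen-NetOps", "Site DHCP Operator", r"\Global\Bergen"),
]

# Constructed objects and the access scope each is assigned to.
OBJECTS = {
    "10.1.0.0/24": r"\Global\Oslo",
    "oslo.example.test": r"\Global\Oslo",
    "10.2.0.0/24": r"\Global\Bergen",
}

def scope_covers(policy_scope: str, object_scope: str) -> bool:
    """A scope covers itself and every scope nested below it."""
    return (object_scope == policy_scope
            or object_scope.startswith(policy_scope + "\\"))

def is_allowed(groups: set, operation: str, obj: str) -> bool:
    """True if any policy gives one of the groups this operation on obj."""
    object_scope = OBJECTS.get(obj, r"\Global")  # unassigned objects sit in Global
    return any(p.group in groups
               and operation in ROLES[p.role]
               and scope_covers(p.scope, object_scope)
               for p in POLICIES)

def global_groups(policies) -> list:
    """Groups holding any role at Global scope, i.e. over everything."""
    return sorted({p.group for p in policies if p.scope == r"\Global"})
```
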
  • Those parts are empty because you didn't create a block or IP address. If you have everything running and are not planning to add an IP block or to manage individual IP addresses with IPAM, then you don't need to think about those parts.


    • Marked as answer by ChristerV Monday, July 3, 2017 1:12 PM
    Monday, July 3, 2017 12:27 PM

All replies

  • Hi Nedim,
    Thank you for the prompt reply. What is RBAC? Yes, I would like to configure specific permissions so that users in one site can administer only their DHCP and DNS servers, and I want to play with this to see what I can do. I need to restrict permissions so that only I can do everything.
    • Edited by ChristerV Monday, July 3, 2017 9:45 AM
    Monday, July 3, 2017 9:45 AM
  • I know that, but the guy who was responsible for this quit and now I need to take over. Thank you for the explanation. I can see that not one of the roles can be edited. If I click, for example, on the IPAM DHCP admin role, I would like to disable a few options. Even if this is an admin role, I want to choose what a DHCP admin can do. How to edit this?

    The second question is about access scope. When I click on Access Scope, I can see Global. Even if I click on a DHCP scope or DNS zone, it has the Global scope. What does that mean?

    Monday, July 3, 2017 10:47 AM
  • Now I get it, thanks. Can you please tell me if I need to do something with IP blocks and IP addresses? When I click on it, nothing is under blocks and IP addresses.
    Monday, July 3, 2017 11:49 AM