Role-based access example

Note

Access management has changed in Micetro 10.1. To view the access management example used in previous versions, switch to the appropriate version number using the version selector.

Introduction

This article aims to provide practical information on Roles and detailed, step-by-step breakdowns for two scenarios: creating a new, read-only role for DHCP scopes, and using the built-in DNS viewers role to set up a DNS read-write role.

The information on this page, and the how-tos presented, will provide a blueprint to customize Micetro to your requirements.

Built-in roles

The seven built-in-roles have been designed to cover most use cases for access control in Micetro. The access settings for the built-in roles can’t be modified.

Tip

Built-in roles are all General roles and applied to all objects in Micetro, existing or future.

Example: adding a user or group to the Administrators (built-in) role, the user (or group members) automatically gain administrative access to all objects in Micetro.

User defined roles

As all DDI environments are different, Micetro allows creating flexible user-defined roles.

Tip

Creating new roles requires the Administer users/groups permission.

There are two ways of creating new roles in Micetro:

  1. (Preferred) Duplicate an existing role and edit the permissions. See Duplicating a role.

  2. Create a completely new role. See Adding a new role.

Tip

Men&Mice recommends using the built-in roles as templates and modifying the permission set for the duplicate roles.


Example role configuration: DNS zone read-write

The following steps illustrate how to create a read-write role in Micetro for DNS zones, using a built-in role as a template.

Tip

Using existing roles as templates makes refining access controls easier, as you can both copy over permissions and users / groups.

  1. Log in to the Web Application.

../../../_images/acl-example-1-step-1.png
  1. Navigate to Admin ‣ Configuration ‣ Access Management and select Roles.

../../../_images/acl-example-1-step-2.png
  1. Press the Create button and select From existing role.

../../../_images/acl-example-1-step-3.png
  1. From the dropdown Select an existing role, click on DNS Viewers (built-in).

Tip

If you have the role selected in the grid, From existing role will automatically fill in the value for convenience.

../../../_images/acl-example-1-step-4.png
  1. Edit the Role name.

../../../_images/acl-example-1-step-5.png

Note

When duplicating a role, editing the Description is not available until the new role is created.

  1. Select what to copy from the existing role: Permissions (default), Groups, and/or Users.

../../../_images/acl-example-1-step-6.png

Note

Duplicating roles will automatically set the role type to General.

  1. Click Create to save the new role.

After saving the new role, Micetro will automatically display the Edit role properties dialog for it.

../../../_images/acl-example-1-step-7.png
  1. Switch over to the Access tab and enable the following permission:

Group

Permission

DNS servers

Add master zones

DNS servers

Add non-master zones

DNS zones

Edit zone access

DNS zones

List (or view) zone

DNS zones

View zone history

DNS zones

Enable/disable zone

DNS zones

Edit zone options

DNS zones

Delete zone

DNS zones

Enable/disable apex records

DNS zones

Edit apex records

DNS zones

Enable/disable wildcard records

DNS zones

Edit wildcard records

DNS zones

Enable/disable other records

DNS zones

Edit other records

DNS zones

Edit zone properties

../../../_images/acl-example-1-step-8.png

Tip

Clicking the checkbox next to the DNS zones group will automatically select all permissions within the group.

Tip

For a handy reference for available permissions, see Permissions reference.

  1. (Optional) Switch to the Groups tab and select the group(s) you’d like to assign to the role.

../../../_images/acl-example-1-step-9.png
  1. (Optional) Switch to the Users tab and select the user(s) you’d like to assign to the role.

../../../_images/acl-example-1-step-10.png

Tip

Users and groups can be assigned to and removed from roles at any time.

  1. Click Save to update the role settings.


Example role configuration: DHCP read-only

This

The following steps illustrate how to create a new, read-only role in Micetro for DHCP scopes only, without using the built-in role templates.

  1. Log in to the Web Application.

../../../_images/acl-example-1-step-1.png
  1. Navigate to Admin ‣ Configuration ‣ Access Management and select Roles.

../../../_images/acl-example-1-step-2.png
  1. Press the Create button and select New role

../../../_images/acl-example-2-step-3.png
  1. Specify the Role name, e.g. DHCP Read-Only and add a Description.

../../../_images/acl-example-2-step-4.png

Tip

Using descriptive names and clear text for the description makes access management easier.

  1. Choose between the General or Specific role types.

../../../_images/acl-example-2-step-5.png

Note

The preferred role type in Micetro is the General roles. Specific roles exist to preserve backwards compatibility and added flexibility to edge use cases.

  1. Switch over to the Access tab and enable the following permission:

Group

Permission

Ranges and DHCP scopes

Read scope options

../../../_images/acl-example-2-step-6.png
  1. Notice that a blue (i) indicator appears on the top right. Hovering over will show that in order for the selected permissions to take effect, additional permissions will be set:

Group

Permission

Micetro

Access to the web interface

Micetro

Access IPAM module

Micetro

Access to IPAM view in web interface

DHCP servers

List (or view) DHCP server

Ranges and DHCP scopes

List (or view) range

Address spaces

List (or view) address space

../../../_images/acl-example-2-step-7.png

Tip

Micetro will automatically enable these permissions upon saving the new role. You can check the permissions granted to the role by switching to View defined using the radio button.

Tip

For a handy reference for available permissions, see Permissions reference.

  1. (Optional) Switch to the Groups tab and select the group(s) you’d like to assign to the role.

../../../_images/acl-example-2-step-8.png
  1. (Optional) Switch to the Users tab and select the user(s) you’d like to assign to the role.

../../../_images/acl-example-2-step-9.png

Tip

Users and groups can be assigned to and removed from roles any time.

  1. Click Create to create the role.