Limit access to specific subnet or devices
Completed
I would like to be able to allow my help desk to ONLY view and edit the IP addresses on a specific subnet. For example, I want my help desk to be able to view and edit ONLY the IP ranges that I have assigned to devices they manage like printers. Let's say they deploy a new printer, they should be able to go to that subnet that they have access to, add the IP address they used, and the device.
I need something very similar for Sys Admins. I have a single subnet that is assigned for servers so they'll need to be able to view and edit the IP addresses there. They will also need to be able to view and edit the servers in that subnet. However, they don't need access to the rest of my subnets or to edit my network devices.
It would be nice if we could limit the access not by "global permissions" like "Can view IP address, Subnet" because that's too global. Instead I would like to be able to say that a certain group "can view and edit" IP addresses on Subnet A for example. Same thing for devices... I'd want to be able to say the SysAdmin group has permissions to view and edit IP addresses and devices that are in their assigned objects.
Maybe create a way to group resources such as devices, subnets, etc. into a single container which we can then use to add permissions to? So for example create a container called "SysAdmin Resources", add my server subnet to it, and the ability to add devices that fall within that IP range?
I'm open to suggestions on how to make this work better for everyone. This is just off the top of my head, but basically what I want is to not give people wholesale permissions to everything and instead restrict based on what they need. This least privilege approach is really important for certain "high security" sectors in IT so this would also help sell your app to them ; )
-
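The container idea proposed in the post above, sketched as an added example that is not part of the original thread and is not Device42's API or its multi-tenancy implementation. The class, container names, group names and subnets are hypothetical, and denying a device that has any address outside its container is an assumption of this sketch.

```python
import ipaddress

class ScopedPolicy:
    """Hypothetical container-scoped permissions; deny by default."""

    def __init__(self):
        self.containers = {}   # container name -> list of ip_network objects
        self.grants = {}       # (group, container name) -> set of actions

    def add_container(self, name, cidrs):
        self.containers[name] = [ipaddress.ip_network(c) for c in cidrs]

    def grant(self, group, container, actions):
        if container not in self.containers:
            raise KeyError(f"unknown container: {container}")
        self.grants.setdefault((group, container), set()).update(actions)

    def ip_allowed(self, groups, action, ip):
        """True only if some group grant covers this address for this action."""
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            return False  # unparseable input is never in scope
        return any(
            group in groups and action in actions
            and any(addr in net for net in self.containers[cname])
            for (group, cname), actions in self.grants.items()
        )

    def device_allowed(self, groups, action, device_ips):
        """A device is in scope only if every one of its addresses is.

        Assumption: a multi-homed device with an interface outside the
        container is denied, so a grant cannot leak onto other subnets.
        """
        return bool(device_ips) and all(
            self.ip_allowed(groups, action, ip) for ip in device_ips
        )

def build_example_policy():
    # Constructed sample data: subnets and group names are illustrative.
    policy = ScopedPolicy()
    policy.add_container("SysAdmin Resources", ["10.0.20.0/24"])
    policy.add_container("Help Desk Resources", ["10.0.30.0/24"])
    policy.grant("sysadmin", "SysAdmin Resources", {"view", "edit"})
    policy.grant("helpdesk", "Help Desk Resources", {"view", "edit"})
    return policy
```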
I couldn't agree more. We have departments outside of IT that manage devices in segregated subnets. Having the ability to assign view/edit permissions to only the subnets and IPs that they are responsible for maintaining would keep our network engineers from using their valuable time assigning IPs in the database.
The Customers field already exists within the system. This field is already associated with subnets, devices, and assets. If we could assign permissions to the Customer field then we could see the type of granularity that Jose proposed.
Thanks!
0 -
Many upvotes. Such feature. WOW!
-Doge
0 -
Hi All,
This is all set with the recently released multi-tenancy feature: http://blog.device42.com/2015/12/announcing-multitenancy-with-v9-0-0/
Thanks & Regards,
Raj
0