Per vlan / subnet permissions
tmh9
20-06-2011 08:16:51
Is there a way for a group to have read-only access to every subnet / vlan, and Read/Write access to specific subnets / vlans? An example of why this would be useful is our network infrastructure group should be able to see all records for troubleshooting problems, but they also need read/write permissions to our management network for installing new switches. Our current homegrown solution can do this, but we don't have any IPv6 support and we're reluctant to re-invent the wheel.
Matt
20-06-2011 22:19:43
There are some initial beginnings of doing that level of granularity. Currently, however, it does not exist enough to control things this way. It's certainly something I'd like to do but have not spent any time implementing. I'd certainly love to discuss some ideas on the subject.
Right now we of course can do task level permissions, subnet add/delete/modify, host add/delete/modify etc. There are several possible ways to control the specific access to the data. One way would be based on subnet masks and ranges. This would then apply to the subnet and all hosts/interfaces therein. Another way could be name based for subnets/hosts/dns etc.
What do people think about this one? What would be the best approach? What are some ways you've seen or done this before?
druwoldt
16-08-2011 23:09:23
Dear Matt,
A few things.
1) Control access to manage subnet/vlan/block/campus
X should be able to be assigned
SchoolX 10.0.0.0 - 10.2.0.0
SchoolX - servers 10.0.2.0/23
etc
2) Control access to manage namespace
So schoolX.edu.au can be managed by X,Y,Z but not by J who manages schoolY.edu.au
Also A should be able to manage edu.au and everything underneath it.
So if you can manage a level then you also get the namespace underneath that.
This would mean X could be given
schoolX.edu.au
10.0.0.0/21
Of course what would be nice is to be able to select VLAN/Subnet with check boxes based on current listings in ONA so no mistakes can be made.
So you should be able to assign a person to Subnet, VLAN or Block, VLAN Campus etc
Same for namespace. Although you may not have a namespace for the subset you want to assign a person, so it may be a bit trickier.
Just some thoughts.
Yours sincerely
David Ruwoldt
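The two scoping ideas raised in this thread (address ranges, and a DNS namespace that inherits downward) can be sketched as one scoped-grant check. This is an added example, not ONA code: the group names, the grant table layout, the `access` and `covers` helpers, the 10.255.0.0/24 and 2001:db8:255::/64 management networks, and the "highest matching level wins" rule are all assumptions made for illustration.

```python
import ipaddress

# Constructed sample grants: (group, kind, scope, level). Hypothetical data.
GRANTS = [
    ("netinfra", "net", "0.0.0.0/0", "ro"),          # read-only everywhere (IPv4)
    ("netinfra", "net", "::/0", "ro"),               # read-only everywhere (IPv6)
    ("netinfra", "net", "10.255.0.0/24", "rw"),      # management network
    ("netinfra", "net", "2001:db8:255::/64", "rw"),  # management network, IPv6
    ("schoolx-admins", "net", "10.0.0.0/21", "rw"),
    ("schoolx-admins", "dns", "schoolx.edu.au", "rw"),
    ("edu-admins", "dns", "edu.au", "rw"),           # inherits every zone below
]
RANK = {None: 0, "ro": 1, "rw": 2}

def in_namespace(fqdn, zone):
    """True if fqdn is the zone or below it. Compares whole labels, so
    'notschoolx.edu.au' does not fall under 'schoolx.edu.au'."""
    name = fqdn.lower().rstrip(".").split(".")
    suffix = zone.lower().rstrip(".").split(".")
    return len(name) >= len(suffix) and name[-len(suffix):] == suffix

def covers(kind, scope, target):
    """Does the grant scope fully contain the target?"""
    if kind == "dns":
        return in_namespace(target, scope)
    s = ipaddress.ip_network(scope)
    t = ipaddress.ip_network(target)  # a bare host address becomes /32 or /128
    # The whole target must sit inside the scope; a supernet of the scope,
    # or a network of the other address family, does not match.
    return s.version == t.version and t.subnet_of(s)

def access(group, kind, target, grants=GRANTS):
    """Return 'rw', 'ro' or None (deny). Highest matching level wins."""
    best = None
    for g, k, scope, level in grants:
        if g == group and k == kind and covers(k, scope, target):
            if RANK[level] > RANK[best]:
                best = level
    return best

if __name__ == "__main__":
    for q in [("netinfra", "net", "192.168.5.0/24"),
              ("netinfra", "net", "10.255.0.0/24"),
              ("schoolx-admins", "net", "10.0.0.0/16"),
              ("schoolx-admins", "dns", "notschoolx.edu.au")]:
        print(q, "->", access(*q))
```
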