
Introduction

The Men & Mice Suite allows granular access control to objects. Since version 6.7 of the M&M Suite, Roles can be configured in addition to Users and Groups.
An advantage of Roles is that groups can be added to roles, which makes the user/group/role concept more flexible.


This article provides some background on roles and a step-by-step guide to setting up a read-only role for DNS, DHCP and IP address ranges.

Built-in roles

By default the M&M Suite has 5 built-in roles:

  1. Administrators (built-in)
  2. DNS Administrators (built-in)
  3. DHCP Administrators (built-in)
  4. IPAM Administrators (built-in)
  5. User Administrators (built-in)

All of these are administrator roles (full access), and all objects such as DNS servers, DNS zones and IP address ranges/scopes have them assigned by default.
The access settings of the built-in roles cannot be modified.

If you add a user or group to, for instance, the Administrators (built-in) role, that user or the group's members automatically get administrative access to the objects in M&M. The exception is "License Management", which can only be accessed by the account named "administrator".

For details on the built-in roles please see the user manual section "AdministrationFunctions-Built-inRoles".

User defined roles

Besides the built-in roles, M&M administrators can create new roles. These user-defined roles can then be used to grant
granular access to objects in M&M. By adding members to the role (e.g. M&M users or AD groups), the members are granted the access defined by the role.

Example read/only role setup and access configuration

As an example, the following steps illustrate how easy it is to set up a r/o role in M&M:

  1. Log in as "administrator" to the M&M Management Console.

  2. Create the r/o role
    Click Tools->User Management and select the Roles tab.
    In the Roles tab press the Add button, specify the role name, e.g. ReadOnlyRole, and confirm with OK.

  3. Add a user account or an AD group to the ReadOnlyRole:
    In the same dialog (Tools->User Management) you can configure Users or Groups, which can then be assigned as role members.

    Example 1: Add an AD group to the role
    If you want to add an AD group, click on the Groups tab.
    Press the Add button and specify the AD group (which must already exist in AD). The group name must be in the form:
    domain\groupname
    Then tick the checkbox ReadOnlyRole in the Roles section and
    also mark the checkbox "Active Directory Integrated", which is located underneath the Roles section box.
    If you don't mark the checkbox for Active Directory integration, the group is created as an M&M group
    (members of an AD-integrated group are added to M&M automatically when they log in to the M&M Suite for the first time).
    Finally confirm with OK.
    As mentioned, it is therefore not necessary to add individual AD user accounts.

    Example 2: Add an M&M user account to the role
    In the User Management dialog click on the Users tab.
    Then press the Add button and specify the user name, e.g. readonlyuser,
    and select "Men & Mice Internal" as the Authentication.
    Then specify a password for the account.
    In the Roles section box tick the checkbox for the ReadOnlyRole and confirm with OK.

  4. Next, define how members of the role can access the M&M Suite. Please note that after step 4 the users still cannot view or access objects in M&M (e.g. zones or ranges).
    Open the Tools->Global Access dialog.
    Press the Add button and add the ReadOnlyRole.
    Then specify the access bits as follows, i.e. set the Allow checkbox for the following entries:
    Access IPAM module
    Access DNS module
    Access DHCP module
    Access to Management Console
    Then confirm with OK.
    This means that members of the role can access the
    three modules and may log on to the M&M Suite only through the Management Console.

    In the next steps, access to the objects (servers, zones and subnets) is configured.

  5. DNS server access config
    Right-click on the DNS server that hosts the zone you want to make r/o accessible to the role members.
    Select Access, press the Add button and add the ReadOnlyRole to the list.
    Allow only the
    List (or view) DNS server
    access bit and confirm with OK.

  6. DNS zone access config
    Click on the DNS zone (or mark multiple zones), select Access and add the ReadOnlyRole.
    Again give only the
    List (or view) zone
    right and confirm with OK.

  7. IP address range access config
    Click on IP Address Ranges and then click on the subnet/scope you want to make visible to the members of the ReadOnlyRole.
    If you want to allow all subnets, click on the 0.0.0.0/0 or ::/0 base net and select Access.
    As before, press the Add button and add the ReadOnlyRole to the object.
    Allow the "List (or view) range" access bit for the role and confirm the dialog with OK.
    If you clicked on 0.0.0.0/0 or ::/0 you may want to configure inheritance by pressing the button "Apply access inheritance in child ranges" in the Access dialog.
    This configures all subnets of 0.0.0.0/0 or ::/0 to inherit the settings of the base network.

  8. If scopes were among the subnets selected in step 7, you also need to configure access to the DHCP servers (otherwise
    the scopes would not show up for the role members).
    Right-click on the DHCP server(s), select Access, add the ReadOnlyRole, grant the
    List (or view) DHCP server
    access bit and confirm with OK.
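To make the interplay of steps 4 to 8 concrete, the following Python script is an added illustrative model, not Men & Mice code and not the product's API: it assumes (as hypothetical evaluation rules) that a role member sees a range only when the role has the global module bit, the "List (or view) range" bit on the range itself or on an ancestor that applied inheritance, and, for a DHCP scope, the "List (or view) DHCP server" bit on the hosting server. All users, groups, ranges and ACLs are constructed sample data.

```python
import ipaddress

# --- constructed sample directory (hypothetical, not from the article) ---
USER_ROLES = {"readonlyuser": {"ReadOnlyRole"}}            # step 3, example 2
GROUP_ROLES = {"CORP\\dns-readers": {"ReadOnlyRole"}}      # step 3, example 1
GROUP_MEMBERS = {"CORP\\dns-readers": {"alice"}}           # alice gets the role via the AD group

# Global Access dialog (step 4): what each role may reach at all
GLOBAL_ACCESS = {
    "ReadOnlyRole": {"Access IPAM module", "Access DNS module",
                     "Access DHCP module", "Access to Management Console"},
}

# Per-object Access dialogs (step 7): only the base net carries an ACL and
# "Apply access inheritance in child ranges" was pressed on it.
RANGE_ACL = {"0.0.0.0/0": {"ReadOnlyRole": {"List (or view) range"}}}
RANGE_INHERIT = {"0.0.0.0/0"}

# Ranges in the IPAM tree; value = DHCP server hosting the scope, or None.
RANGES = {"0.0.0.0/0": None, "10.0.0.0/8": None,
          "10.1.0.0/16": "dhcp1", "192.168.0.0/24": None}

# Step 8 not yet done: the DHCP server has no ACL entry for the role.
DHCP_SERVER_ACL = {"dhcp1": {}}


def roles_of(user):
    """Roles held directly plus roles inherited through group membership."""
    roles = set(USER_ROLES.get(user, set()))
    for group, members in GROUP_MEMBERS.items():
        if user in members:
            roles |= GROUP_ROLES.get(group, set())
    return roles


def parent_of(cidr):
    """Closest enclosing range in RANGES (same IP version), or None."""
    net = ipaddress.ip_network(cidr)
    best = None
    for other in RANGES:
        cand = ipaddress.ip_network(other)
        if cand != net and cand.version == net.version and net.subnet_of(cand):
            if best is None or cand.prefixlen > best.prefixlen:
                best = cand
    return str(best) if best else None


def range_bits(cidr, role):
    """Effective bits on a range: its own ACL, or the nearest ancestor ACL
    provided that ancestor applied inheritance to child ranges."""
    node = cidr
    while node is not None:
        if node in RANGE_ACL:
            if node == cidr or node in RANGE_INHERIT:
                return RANGE_ACL[node].get(role, set())
            return set()          # ancestor has an ACL but did not propagate it
        node = parent_of(node)
    return set()


def visible_ranges(user, dhcp_acl=DHCP_SERVER_ACL):
    """Ranges the user can list; scopes additionally need DHCP server rights."""
    visible = []
    for cidr, dhcp_server in RANGES.items():
        for role in roles_of(user):
            glob = GLOBAL_ACCESS.get(role, set())
            if "Access IPAM module" not in glob:
                continue
            if "List (or view) range" not in range_bits(cidr, role):
                continue
            if dhcp_server is not None:
                server_bits = dhcp_acl.get(dhcp_server, {}).get(role, set())
                if "Access DHCP module" not in glob or \
                        "List (or view) DHCP server" not in server_bits:
                    continue
            visible.append(cidr)
            break
    return sorted(visible)


if __name__ == "__main__":
    print("before step 8:", visible_ranges("alice"))
    after_step8 = {"dhcp1": {"ReadOnlyRole": {"List (or view) DHCP server"}}}
    print("after step 8: ", visible_ranges("alice", after_step8))
```

Running the script shows the scope 10.1.0.0/16 missing from alice's view until the DHCP server ACL from step 8 is supplied, while the plain subnets appear through inheritance from 0.0.0.0/0; a user without any role sees nothing at all.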

After these 7 or 8 steps, the members of the group or the user can log in through the Men & Mice Management Console.
To grant read/write rights, create a new, specific role and set additional access bits on the objects,
e.g. in addition to the List (or view) access bit, grant "Edit other records" on zones and "Use IP addresses in DNS" on an IP address range.
This allows the role members to edit records in the zone that are not at the zone apex (records that do not have the same name as the zone itself, such as the SOA record or NS records), and
it restricts A/AAAA records to the subnets on which "Use IP addresses in DNS" is granted.
