Role based access example
Micetro allows granular access control to objects. Starting with version 6.7 of Micetro/Men&Mice Suite beside Users and Groups also Roles can be configured.
An advantage of Roles is the ability to add groups to roles, which makes the user/group/role concept more flexible. This article will provide some info on roles and a step by step list on how to setup a read only role for DNS/DHCP and IP address ranges.
By default Micetro has 5 roles built-in:
DNS Administrators (built-in)
DHCP Administrators (built-in)
IPAM Administrators (built-in)
User Administrators (built-in)
All roles are Administrator roles (full access) and all objects like DNS server, DNS zone, IP address range/scope have these roles assigned by default.
The access settings for the built-in roles can’t be modified.
If you would add a user or group for instance to the Administrators (built-in) role, the user or group members would get automatically administrative access to the objects in Micetro. Excluded is the “License Management”, which can only be accessed by the account with the name “administrator”.
For details on the built-in roles please see Access control.
User defined roles
Beside the built-in roles Micetro administrators have the option to create new roles. These user defined roles can then be used to specify granular access on the objects in Micetro. By adding group members to the role (e.g. Micetro users or AD groups) - the members get the role defined access granted.
Example read/only role setup and access configuration
As an example the following steps aim to illustrate how easy it is to setup a r/o role in Micetro
Login as “administrator” to the Management Console.
Navigate toand select the Roles tab.
Press the Add button and specify the role name, e.g.
ReadOnlyRoleand confirm with OK.
Add a user account or an AD group to the *ReadOnlyRole*:
In the same dialog () you can configure Users or Groups that can then be assigned as role members.
Example 1: Add an AD Group to the role
If you want to add an AD group just click on the Groups tab.
Press the Add button and specify the AD group (which must already exist in AD). The group name must be in the style:
Then tick the checkbox ReadOnlyRole in the Roles section and mark also the checkbox Active Diretory Integrated which is located underneath the Roles section box.
Confirm with OK. As mentioned it’s not necessary to add single AD user accounts.
Example 2: Add a Micetro user account to the role
In the User Management dialog click on the Users tab.
Press the Add button and specify the user name, e.g.
readonlyuserand select for the Authentication “Men&Mice Internal”.
Specify a password for the account.
In the Roles section box tick the checkbox for the ReadOnlyRole and confirm with OK.
Next, define how members of the role can access Micetro.
After step 4 the users still can not view or access objects in Micetro (e.g. zones or ranges).
Press the Add button and add the
Specify the access bits (i.e. set the Allow checkbox) for the following entries:
Access IPAM module Access DNS module Access DHCP module Access to Management Console
Confirm with OK.
This means that members of the group can access the three modules and they are allowed to log in to Micetro only by the Management Console.
In the next steps the access to the objects, like servers, zones and subnets are configured.
- DNS server access config
Right-click on the DNS server that hosts the zone you want to configure to be r/o accessible by the role members.
Select Access and press the Add button and add the ReadOnlyRole to the list.
Allow only the
List (or view) DNS serveraccess bit and confirm with OK.
- DNS zone access config
Click on the DNS zone (or mark multiple) and select Access and add the ReadOnlyRole.
Give again only
List (or view) zonerights and confirm with OK.
- IP address range access config
Click on IP Address Ranges and then click on the subnet/scope you want to allow to be visible to the members of the ReadOnlyRole. If you want to allow all subnets then you could click on the 0.0.0.0/0 or ::/0 base net and select Access.
As before press the Add button and add the ReadOnlyRole to the object.
List (or view) rangeaccess bit for the role and confirm the dialog with OK. If you clicked on the 0.0.0.0/0 or ::/0 you might want to configure inheritance by pressing the button Apply access inheritance in child ranges` in the Access dialog. This would then configure all subnets of 0.0.0.0/0 or ::/0 to inherit the settings of the base network.
If scopes were in the list of selected subnets you want also to configure the access to the DHCP servers (otherwise the scopes would not show up for the role members).
Please right-click on the DHCP server(s) and select Access and add the ReadOnlyRole and give the
List (or view) DHCP serveraccess bit and confirm with OK.
After these steps the members of the group or the user are allowed to login by the Men&Mice Management console.
To grant read/write rights just create a new specific role and specify additional access bit on the objects, e.g. additionally to the List (or view) access bit also give on zones “Edit other records” and on an IP address range “Use IP addresses in DNS”. This would then allow the role members to edit records in the zone which are not in the zones apex (have not the same name as the zone itself, like the SOA record or NS records) and it would restrict A/AAAA records to the allowed subnets where the Use IP addresses in DNS is specified.