permissions - how to #12268
Replies: 1 comment
-
Someone can correct me if I'm wrong on this, but I believe it would not be 100% possible to accomplish everything listed with a single user/group, as having read only access to all sites would allow the creation of a new device, etc. under any site. You would have to limit their view access to that single site to be able to restrict them correctly when creating new objects. With that said, if they are limited to viewing a single site, they can still view all other objects (without constraints configured), even if the site view is restricted. Additionally, some of those models are not tied to a site so they would not be able to be restricted that way unless you got creative with custom fields pointing to that site. For example, Contact/Contact Groups and Tenant/Tenant Groups are not associated with a site.

For a rough example of how you would accomplish this, you would create a new "can view" permission with only the Site model selected and add the associated groups/users. Under constraints, use: `{ "slug": "restricted-site-name" }`. Then, create a new permission and select all models you want view only permissions on within a single permission (excluding Site) and apply the "can view" permission, along with the associated groups/users.

Lastly, you would need to create multiple permissions for the "can add, modify, etc." based on how those models are related to Site. For example, Racks and Devices are all tied directly to site, so you can select both of those models in the same permission and then use the constraint: `{ "site__slug": "restricted-site-name" }`. For other models you will have to traverse multiple relationships to get to "site," if that makes sense (e.g. IP address to interface to device/VM to site). It certainly is complicated, but that is a drawback of having such granular permissions. There may be a better way that I am missing however.
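The permission set sketched in the reply above, as an added example that is not part of the discussion or of NetBox itself: it builds the restricted Site view, the unconstrained view of the remaining models, and one add/change/delete permission per distinct relationship path to Site, then optionally pushes them through the REST API. The `/api/users/permissions/` endpoint and its field names, the group IDs, the site slug and the ORM paths in `SITE_PATHS` (in particular the IP address path through `interface`) are assumptions to verify against your NetBox version.

```python
import json
import urllib.request

# Path from each model to Site, used as the constraint on its add/change/delete permission.
# Models with no site relationship (Tenant, Contact) are left out, as the reply notes.
# These paths are assumptions about the NetBox data model, not values from the discussion.
SITE_PATHS = {
    "dcim.device": "site__slug",
    "dcim.rack": "site__slug",
    "dcim.virtualchassis": "master__site__slug",         # via the virtual chassis master device
    "dcim.interface": "device__site__slug",
    "ipam.ipaddress": "interface__device__site__slug",   # IP -> interface -> device -> site
}


def build_permissions(site_slug, group_ids, view_models):
    """Return the permission payloads: one restricted Site view, one unconstrained view
    of every other model, and one write permission per distinct path to Site."""
    perms = [
        {"name": f"view-site-{site_slug}", "enabled": True, "object_types": ["dcim.site"],
         "actions": ["view"], "constraints": {"slug": site_slug}, "groups": group_ids},
        {"name": "view-all-other-objects", "enabled": True, "object_types": view_models,
         "actions": ["view"], "constraints": None, "groups": group_ids},
    ]
    by_path = {}  # group models that share the same path to Site into one permission
    for model, path in SITE_PATHS.items():
        by_path.setdefault(path, []).append(model)
    for path, models in by_path.items():
        perms.append({"name": f"write-{site_slug}-{path}", "enabled": True,
                      "object_types": models, "actions": ["add", "change", "delete"],
                      "constraints": {path: site_slug}, "groups": group_ids})
    return perms


def push_permissions(base_url, token, perms):
    """POST each payload to NetBox (assumed endpoint); returns the created permission IDs."""
    created = []
    for perm in perms:
        req = urllib.request.Request(
            f"{base_url.rstrip('/')}/api/users/permissions/",
            data=json.dumps(perm).encode(), method="POST",
            headers={"Authorization": f"Token {token}", "Content-Type": "application/json",
                     "Accept": "application/json"})
        with urllib.request.urlopen(req) as resp:
            created.append(json.load(resp)["id"])
    return created


if __name__ == "__main__":
    # Constructed sample values; the view-only model list is abbreviated for brevity.
    payloads = build_permissions("restricted-site-name", [3],
                                 ["dcim.devicetype", "dcim.manufacturer", "ipam.vlan"])
    print(json.dumps(payloads, indent=2))
    # push_permissions("https://netbox.example.com", "YOUR_TOKEN", payloads)
```

Review the printed payloads before calling `push_permissions`; a wrong path in a constraint silently grants nothing rather than failing loudly.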
-
Hi,
Apologies if this is a basic question, but I am a newbie, and I don't understand from the official docs or from other discussions how to implement the following:

Set up a group & user that will be able to view ALL NetBox objects + will have create, edit and delete permissions for: devices, Virtual Chassis, interfaces, racks, Tenants, contacts, Connections, IP Addresses, only for a specific Site.

I.e. when a user in this group creates a new device or contact or rack, for example, it will be created only under the specific Site. But the user can see ALL NetBox site objects, including devices that belong to other sites, etc.

The user cannot create/edit/delete any object under: Device Type, Manufacturer, VLAN, IP Ranges, not even on the specific Site above.