Access control

The Micetro access model is object-based. This is similar to mainstream operating system access models such as the Windows Security model, where you choose an object and set access restrictions for particular Users, Groups or Roles for the chosen object. We define a set of object types, and a set of Access Flags for each object type. These flags can then be set to Allow or Deny for each User, Group or Role.

The relationship between Groups, Users and Roles is as follows:

  • Groups can contain Users

  • Groups cannot contain Groups

  • Users can be a member of any number of Groups

  • Users and Groups can be assigned to Roles.

Built-in Roles

Note

Please note that in previous versions (< 6.7) roles did not exist and the built-in roles described below were previously built-in groups. All of the users that were members in specific built-in groups are now assigned to the corresponding built-in roles.

Five Roles are built-in to Micetro. These roles are special in that they get full access for their respective domains for all Access Flags.

When new objects are created, the Built-in Role that presides over that object, as well as the user or group that created the object, receives full access to it.

Each administrator role also receives default access to its corresponding module (including an Access Flag set on Micetro object allowing them administrator privileges for their domain). The Administrators role receives default access to all the Access Flags on Micetro object. Default access for each Built-in role is as follows:

  • Administrators. Full access to all objects

  • DNS Administrators. Full access to DNS objects, including zones, DNS servers, etc.

  • DHCP Administrators. Full access to DHCP objects, including scopes, DHCP servers, etc.

  • IPAM Administrators. Full access to IPAM objects, including IPAM ranges, etc.

  • User Administrators. Full access to User and Group objects.

It is recommended that our clients use these Roles. These roles are the only roles that can receive default access to new items. User-defined Roles do not receive any access information for new objects and are considered to have “denied” access. To allow a User or a Group to receive default full access to a new object, include the User or Group as a member in the corresponding Built-in Role. If you need to reduce this particular User’s access, refer to access-overrde section below.

When it’s mentioned that a User or Group has Full access to an object we mean that the User or Group has all known Access Flags for the object set to Allow.

The Administrator User

A single user is Built-in to Micetro. The Administrator User exists completely outside of the access model. This User can do everything, and it is not possible to deny any action to this User.

Examples:

The Micetro object will have the following access bits set to Allow for the DNS Administrators Role:

Access Flags

Allow

Deny

Administer DNS servers

1

0

Access DNS Module

1

0

For every DNS server created, the server will have the following flags set to Allow for the DNS Administrators Role:

Access Flags

Allow

Deny

Edit DNS Server access

1

0

List (or view) DNS Server

1

0

Edit DNS Server options

1

0

Add Master Zones

1

0

Add non-Master Zones

1

0

View DNS Server Log

1

0

Clear DNS Server Log

1

0

Edit DNS server properties

1

0

For every DNS Zone created, the zone will have these flags set to Allow for the DNS Administrators Role:

Access Flags

Allow

Deny

Edit Zone access

1

0

List (or view) Zone

1

0

Enable/disable Zone

1

0

Edit Zone options

1

0

Delete Zone

1

0

Enable/disable apex records

1

0

Edit apex records

1

0

Enable/disable wildcard records

1

0

Edit wildcard records

1

0

Enable/disable other records

1

0

Edit other records

1

0

Edit zone properties

1

0

Overriding Access Settings

The Deny setting for an Access Flag allows you to override access settings inherited from Roles. A User’s Access Footprint is calculated from the aggregate access settings of all Roles in which he is a member. In this calculation, the Deny flag overrides the Allow flag. This means that if a User is in several Roles where a specific Access Flag is set to Allow, and only a single Role where the same Access Flag is set to Deny, the result of the calculation for that Access Flag is Deny.

Let us take an example. Assume you want to add a new user that has DNS Administrator privileges to all servers and zones, but on a particular zone, this user should not be able to view or clear the history, nor should he be able to edit custom properties. To accomplish this, you would first include the new user in the Built-in Role named DNS Administrators.

To restrict the user for a particular zone you would locate the zone and set access for your new user to the following:

Access Flags

Allow

Deny

Edit Zone access

1

0

List (or view) Zone

1

0

Enable/disable Zone

1

0

Edit Zone options

1

0

Delete Zone

1

0

Enable/disable apex records

1

0

Edit apex records

1

0

Enable/disable wildcard records

1

0

Edit wildcard records

1

0

Enable/disable other records

1

0

Edit other records

1

0

Edit zone properties

0

1

If you wanted to give similar access to other users, you could instead create a new Role, add the Users to the Role, and apply the aforementioned access to the zone in question for the new Role.

This system allows for a great deal of flexibility when designing your security. Any Role can be extended or overridden for a set of Users by simply adding the Users to another Role with a different access setup, or by directly overriding certain Access Flags on the Users themselves.

If no access is defined for a User or Role on a particular object, the access model assumes that all the Flags are set to Deny.

New Objects

When a User creates a new object in Micetro, the object is afforded a certain default access based on the initial access settings for the object type. To define initial access settings for different object types, do the following:

  1. From the menu bar, select Tools ‣ Initial Access For.

  2. Select the object type for which you want to set the initial access. The Access Control dialog box displays.

  3. Set the desired access for new objects and click OK.

Edit Access Flag

Each object type has an Access Flag named Edit Access. This flag is special in that it directs a User, Group’s or Role’s access to the object’s access information. In other words, if a User has this flag set on an object, he may edit the Access Flags for the object. This means that the User could remove a different User or Group from the object completely. He could even remove the User that created the object. In light of this, the Edit Access flag should be treated with care.

Access for Built-in groups is impossible to change. However, it would be possible to shut out all Users in Micetro from a certain object by simply editing access for each User directly. You could even shut yourself out. The Administrator User will always have full access to every object, so if such situations arise, the Administrator User should be used to set things straight.

Access Flags Defined

Each object type in Micetro has a set of Access Flags defined.

Global Access

This is an object referring to Micetro as a whole. It contains flags that define access to the different clients and modules available in Micetro, as well as Administration tasks.

Object

Description

Administer users/groups

Access to create, edit, and delete users and groups

Administer IP Address Ranges

Access to admin IPAM ranges

Administer DNS servers

Access to create, edit, and delete DNS servers

Administer DHCP servers

Access to create, edit, and delete DHCP servers

Access IPAM Module

Access to the IPAM Module

Access DNS Module

Access to the DNS Module

Access DHCP Module

Access to the DHCP Module

Access Management Console

Access to the Management Console

Access CLI

Access to the CLI

Access to Web Interface

Access to the Men&Mice Web Interface

Access to basic zone view in Web Interface

Access to the basic zone view in the Men&Mice Web Interface

Access to advanced zone view in Web Interface

Access to the advanced zone view in the Men&Mice Web Interface

Access to IPAM view in Web Interface

Access to the IPAM view in the Men&Mice Web Interface

Access to report view in Web interface

Access to the report view in the Men&Mice Web Interface

Access to task list view in Web interface

Access to the task list view in the Men&Mice Web Interface

Access to view history

Access to history window in the Management Console. Also provides access to the history for all objects.

Access to Host editor

Access to the host editor view in the Men&Mice Web interface

Access to manage AD Sites and Site Links

Access to work with AD Sites and Site Links.

Access to manage clouds

Access to add/remove cloud providers into Men&Mice

Access Workflow module

If customer has workflow license, grants user access to submit DNS record requests, and approvers to view and approve submitted requests

Access to advanced reporting

If customer has reporting license, grants access to advanced reporting features

Access to ‘Import Data’ web task

Access the Import Data task in Web Interface as well as to Import data into the newer Men&Mice Web Application

DNS Zone

Object

Description

Edit Zone access

Access to edit an object’s access

List (or view) Zone

Access to list (view) a zone

View zone history

Access to viewing the history for the zone

Enable/disable Zone

Access to enable/disable the zone

Edit Zone options

Access to edit zone options

Delete Zone

Access to delete zone

Enable/disable apex records

Access to enable/disable zone’s APEX records

Edit apex records

Access to edit zone’s APEX records

Enable/disable wildcard records

Access to enable/disable zone’s wildcard records

Edit wildcard records

Access to edit zone’s wildcard records

Enable/disable other records

Access to enable/disable zone records other than APEX

Edit other records

Access to edit zone records other than APEX records

Edit zone properties

Access to edit properties for the zone

DHCP Scopes and IP Address Ranges

Object

Description

Edit range Access

Access to edit an object’s access

List (or view) a range

Access to list (view) a range/scope

View range history

Access to viewing the history for the range/scope

Delete range

Access to delete a range/scope

Edit range properties

Access to edit range/scope properties

Edit IP Address properties

Access to edit the properties for an IP Address in the range/scope

Use IP Address in DNS

Access to create a DNS entry for the selected IP Address

Create a subrange

Access to create a new subrange of the range/scope

Create multiple hosts per IP Address

Access to create multiple address records with the same IP Address

Ping IP Address

Access to perform a ping request for hosts in the range/scope

Edit AD site association

Allows editing of associations for AD sites

Enable/disable scope

Access to enable/disable scope

Read scope options

Access to read scope options

Read/write Scope options

Access to read and write scope options

Edit Reservations

Access to edit reservations”

Edit address pools

Access to edit address pools

Edit exclusions

Access to edit exclusions

Release Leases

Access to release leases

Add a group

Access to add a DHCP group (ISC DHCP only)

DNS Server

Object

Description

Edit DNS Server access

Access to edit an object’s access

List (or view) DNS Server

Access to list (or view) server

View DNS server history

Access to viewing the history for the DNS server

Edit DNS Server options

Access to server options

Add Master Zones

Access to add a master zone

Add non-Master Zones

Access to add a non-master zone

View DNS Server Log

Access to view the server log

Clear DNS Server Log

Access to clear the server log

Edit DNS server properties

Access to edit properties for the DNS Server

DHCP Server

Object

Description

Edit DHCP Server Access

Access to edit an object’s access

List (or view) DHCP Server

Access to list (or view) server

View DHCP server history

Access to viewing the history for the DHCP server

Read DHCP Server options

Access to view server options

Read/write DHCP Server options

Access to read and write server options

Add a scope

Access to add a DHCP scope

Edit DHCP server properties

Access to edit properties for the DHCP Server

Edit reservations

Access to edit reservations in DHCP scopes

Add a group

Access to add DHCP groups (ISC DHCP only)

Read DHCP class data

Access to view DHCP class data on an (ISC DHCP only)

Read/write DHCP class data

Access to read and write DHCP class data (ISC DHCP only)

DHCP Groups

Object

Description

Edit DHCP group

Access to edit an object’s access

List (or view) DHCP group

Access to list (or view) DHCP group

View DHCP group history

Access to viewing the history for the DHCP group

Edit Reservations

Access to edit reservations

Read DHCP group options

Access to view group options

Read/write DHCP group options

Access to read and write group options

Delete DHCP group

Access to delete a DHCP group

Address Spaces

Object

Description

Edit address space access

Access to edit an object’s access

List (or view) address space

Access to list (or view) address space

View address space history

Access to viewing the history for the address space

Access Control Dialog Box

Through the Access Control module, you select groups/users for which you want to manage permissions.

The Access Control dialog box is used to define access to individual objects in the system. To define access for an object, right-click the object and choose Access from the popup menu.

To define access for individual components of Micetro, select Tools ‣ Global Access. The Access Control for Micetro dialog box displays. The default groups/user names are shown. The permissions for any selected group/user are also shown.

Edit access controls

  1. While viewing the Access Control dialog box, click the Add button. The Select user, group or role dialog box displays.

../../../_images/admin-permissions-select-user.png
  1. Highlight the user, group and/or role for which you want to assign permissions.

  2. Click the Select button.

  3. When you return to the main dialog box, the user/group is highlighted in the list of users and groups.

../../../_images/admin-access-controls-console.png
  1. To specify the permissions for this selected group/user/role, do the following:

  • Move to the Permission for [group/user/role selected] list.

  • Click in the checkbox for each permission you want to Allow or Deny.

Note

It is not necessary to select Deny unless you want to ensure that a user/group/role does not have permission to a specific object. However, if you do not specify the permission for an individual user, but the group(s) or role(s) to which the user belong does Allow access to that object, the user (by default) also has access.

  1. When all selections are made, click OK. The dialog box closes.

  2. Repeat the above for any additional groups/users.

Initial Access For

Through this function, you specify access privileges that should be set for objects when they are created. This function is identical to the Access Model and Permissions function except that a new user type – “Creator” (Meta user) - is used to specify the access privileges that should be set for the object creator.

Note

The access control dialog box for IP Address Ranges and Scopes contains a checkbox, ‘IP Address Ranges/Scopes inherit access by default’. If this checkbox is checked, a new range or scope will inherit all access bits from its parent. For more information on inherited access, refer to IP Address Management—Range Access.

From the menu bar, select Tools ‣ Initial Access For, and then the object type for which you want to set the initial access. The Access Control dialog box displays. Refer to Global Access for details on working with this dialog box.