In larger organizations, it is very common for different people to be responsible for managing different blocks of subnet address space for their respective departments, divisions, or regions. SolarWinds IPAM lets you divide your IP Address Management tasks among different people and groups, such as functional groups, geographic regions, virtual server teams, and critical staff.
Perhaps you want to give your desktop team visibility into the IP scopes for the VLANs on a particular office floor, but without views into secure web infrastructure networks. Beginning with version 3.0, IPAM enables the definition of user access roles on a subnet, group, or supernet basis.
Specify which users have what level of permissions (read/write) to certain address spaces (Group, Supernet, or Subnet). It is important to note that if subnets are moved in a way that changes the hierarchy, inherited roles will be inherited from the new parent.
Any existing customized roles will not be changed or inherited.
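The inheritance rule above can be checked before a subnet is moved by comparing each user's effective role under the old and new parent. The following is an added example, not SolarWinds code or its API: a small model in which the `Node` class, the user names, the subnets, and the role assignments are all constructed, and a user with no assignment anywhere in the tree is assumed to have no role.

```python
# Constructed model of the inheritance rule; not SolarWinds code or its API.
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass
class Node:
    """A Group, Supernet, or Subnet in the address hierarchy."""
    name: str
    parent: Optional["Node"] = None
    # Roles set directly on this node (customized, not inherited): user -> role
    explicit: Dict[str, str] = field(default_factory=dict)


def effective_role(node: Node, user: str) -> Tuple[Optional[str], Optional[str]]:
    """Return (role, inherited_from); inherited_from is None for a direct assignment."""
    cur = node
    while cur is not None:
        if user in cur.explicit:
            return cur.explicit[user], None if cur is node else cur.name
        cur = cur.parent
    return None, None  # assumption of this model: no assignment means no role


def audit_move(node: Node, new_parent: Node, users) -> Dict[str, tuple]:
    """Re-parent node and report every user whose effective role changed."""
    before = {u: effective_role(node, u)[0] for u in users}
    node.parent = new_parent
    after = {u: effective_role(node, u)[0] for u in users}
    return {u: (before[u], after[u]) for u in users if before[u] != after[u]}


def demo():
    # Constructed hierarchy, users, and role assignments
    floors = Node("Floor VLANs", explicit={"desktop": "Operator", "webops": "Read Only"})
    web = Node("Web Infrastructure", explicit={"webops": "Power User"})
    inherited = Node("10.1.20.0/24", parent=floors)
    customized = Node("10.1.21.0/24", parent=floors, explicit={"webops": "Operator"})
    users = ["desktop", "webops"]
    return (audit_move(inherited, web, users), audit_move(customized, web, users))


if __name__ == "__main__":
    for changes in demo():
        print(changes)
```

In this model, the subnet with only inherited roles picks up the new parent's assignments for both users, while the subnet with a customized role keeps that role after the move.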
When deciding which roles will work best in your environment, determine what the user really needs access to on a daily basis. The following IPAM user roles are available:
Has read/write access and can initiate scans to all subnets; can manage credentials, custom fields, and IPAM settings; and has full access to DHCP management and DNS monitoring.
Power Users can reorganize network components in the left pane of the Manage Subnets and IP Addresses view and have full access to DHCP management and DNS monitoring. This role also includes the ability to edit properties and custom fields on portions of the network made available by the site administrator.
The Operator role has read-only access to DHCP Scope, Servers, Reservations, and DNS Servers, Zones, and Records.
These users can also add and delete IP address ranges from portions of the network made available by the site administrator. They can also change the subnet status selection on the Manage Subnets and IP Addresses page, manage IP address properties and custom fields, and edit IP address properties on portions of the network made available by the site administrator.
This role has read-only access to all subnets and to DHCP Servers, Scopes, Leases, and Reservations, and DNS Servers, Zones, and Records.
This role is defined on a per subnet basis. DHCP and DNS access will depend upon the Global account setting for those nodes.
In a nutshell - after selecting Custom, click Edit to define what the user can and cannot see.
Next you select the desired subnet and define which role this user will have.
Make note of the Inherited column on the far right to confirm that the correct inheritance is being applied.
The following is a good example of what a user with a custom role can and cannot see.
If you are interested in detailed steps for setting up IPAM user delegation, see this post.
Below is an overview of all the role operations. The color-coded legend is as follows:
The following table details the various operations that each role can perform.