In my previous blog, I discussed the difficulties of manual IP address management (IPAM). Manual management can result in poor visibility, inefficient operations, compromised security, and the inability to meet audit requirements for compliance. Many of the comments on the blog swayed towards shifting/using an automated solution. Here are 4 basic best practices for role delegation as an essential criteria for efficient IPAM.
Effective distribution of responsibility across, and within teams: Access control is an important consideration when multiple users have access to the IPAM system.
As IP administration operations touch several teams, it is recommended to:
- Distribute tasks based on responsibilities and expertise of teams and individuals.
- Securely delegate IP management tasks to different administrators without affecting current management practices.
- Avoid bottlenecks, inefficiencies and errors while configuring different systems, accessing an available IP, or while making DHCP/DNS changes.
For example, the server team can delegate management of DNS/DHCP and IPAM functions to the network team while keeping control of the rest of the Windows server functionality. Network teams in turn can divide responsibilities based on the location or expertise within the group and delegate even simpler tasks, like new IP address assignments to the IT Helpdesk.
Different admins have unique role-based control: Role-based control helps ensure secure delegation of management tasks. Various role definitions permit different levels of access restrictions and also help track changes. This way you can maintain security without limiting the ability to delegate required IP management activities. Some examples of role-based control are:
- Administrator role or the Super User - full read/write access, initiate scans to all subnets, manage credentials for other roles, create custom fields, and full access to DHCP management and DNS monitoring.
- Power Users - varied permissions/access rights restricted to managing subnets and IP addresses only, management of supernet and group properties, and creation of custom data fields on portions of the network made available by the site administrator.
- Operator - access to the addition/deletion of IP address ranges and the ability to edit subnet status and IP address properties on the allowed portions of the network.
- Read Only Users - have only read access to DHCP servers, scopes, leases, reservations, and DNS servers, zones, records.
- Custom access - where the role is defined on a per subnet basis. DHCP and DNS access depends on the Global Account setting.
- Hide - Restrict all access to DHCP & DNS management.
Ultimately, control lies with the super user who can assign roles as per the needs and requirements of the network or organization.
Administering and inheriting rights: Setup and assignment of roles need to be easy and less time consuming. The effectiveness of an IPAM lies in the ease of management of the system itself. Many automated IPAM solutions are integrated with Windows Active Directory (commonly used in networks) making it easier to create and assign user roles for IPAM. Built-in role definitions help quickly assign and delegate IPAM tasks to different users.
Change approval or auditing: Compliance standards require that all changes made to the IP address pool be recorded and change history for IP addresses be maintained. Any change in the IP management structure of IP address, DHCP & DNS management must be logged separately, and maintained centrally.
A permissioned access system ensures that only approved/authorized personnel are allowed to make changes to IP address assignments. Ideally, an IP management system should allow administrative access to be delegated by subnet.
Maintaining a log for changes helps avoid errors and also simplifies the process of troubleshooting and rollback of unintended administrative changes. Automated IPAM solutions enable auditing by recording every change in the database along with the user name, date, time of modification, and details of the change. The audit details are published as reports and can be exported, emailed or retrieved as required for further analysis. Some examples of these reports are: Unused IP Addresses, Reserved-Static IP Addresses, IP Usage Summary, etc.
In conclusion, it’s quite clear that manual managing IP addresses can be a resource drain. On the other hand, investing in a good IPAM solution provides you with effective IPAM options. More importantly, tangible business benefits, including a compelling return on investment.
Do you agree that role delegation does help ease some load off the network administrator’s back?