6 Replies Latest reply on Nov 18, 2019 12:27 AM by thsukudu

    Solarwinds support couldn't help - Permissions to add a subnets to IPAM?

    thsukudu

      Hello,

      I am trying to add a large number of subnets to IPAM and allow my users to do it.

       

      Currently, the user has full ADMIN privileges to IPAM and the script does not work. BUT if I give them full admin permissions to solarwinds it works.

       

      NPM: 12.1

      IPAM: 4.5.1

      Powershell 5

       

      and will be months before we upgrade.

       

       

      Second question - how do I connect as another domain user using SwisPowerShell? Right now passing `-trusted` works, but it would be nice to make it so my users' admin credentials are the only ones with permissions.

       

      This code doesn't work:

       

      #username is 'domain\user' format

      $cred=get-credential

      connect-swis -hostname $solarwinds -username $cred.getnetworkcredential().username -password $cred.getnetworkcredential.password

        • Re: Solarwinds support couldn't help - Permissions to add a subnets to IPAM?
          dan jagnow

          The first problem is a little bit tricky.  If you want to allow your users to do something that their current Orion permissions wouldn't allow them to do, you have a couple of options.  The simplest thing would be to give the users additional permissions.  Do note that IPAM permissions can be set without granting global administrator rights.  If that works for you, that could be the best approach.

          Alternatively, you could do something like setting up a web page that your users would access to add subnets to IPAM.  The backend of that page could call the Orion API with more-privileged credentials.  But that is a complicated approach that relies on you being able to stand up a website, perform your own authentication and authorization, and securely store the Orion credentials.  If you already have an intranet site that you could add this feature to, this might make sense.

           

          As a final alternative, you could submit a feature request that specifies more precisely exactly how you would like Orion to behave to meet your needs.

           

          For the second question, there are details about how to pass credentials when connecting to SWIS here:

           

          https://github.com/solarwinds/OrionSDK/wiki/Connecting-to-SWIS

           

          In particular, note that you can use the -Credential parameter to pass those credentials in directly instead of trying to extract the username and password from them.  I think you'll have better luck with that approach.

           

          # $host is a read-only automatic variable in PowerShell, so use another name

          $hostname = 'myorion.mydomain.local'

          $creds = Get-Credential  # display a window asking for credentials

          $swis = Connect-Swis -Hostname $hostname -Credential $creds

            • Re: Solarwinds support couldn't help - Permissions to add a subnets to IPAM?
              thsukudu

              >  If you want to allow your users to do something that their current Orion permissions wouldn't allow them to do, you have a couple of options.  The simplest thing would be to give the users additional permissions

               

              In your screen shot they are 'administrators' under IP ADDRESS MANAGER SETTINGS .

               

              They cannot add subnets via my script. If I make them global SolarWinds administrators they can.

               

              How do I go about troubleshooting why they cannot? If they open the web GUI they can add / delete / modify subnets. but from the script they cannot.

                • Re: Solarwinds support couldn't help - Permissions to add a subnets to IPAM?
                  dan jagnow

                  It's possible that this is a bug that has been addressed in some release after IPAM 4.5.1.  I'm testing with IPAM 2019.4.  I created a new account and did not grant any global administrator rights:

                   

                   

                  I left all the defaults for this account except in the IPAM settings, where I made the user an IPAM admin:

                   

                   

                  Then I ran a very simple PowerShell script based on the documentation for the CreateSubnet verb on IPAM.SubnetManagement at https://github.com/solarwinds/OrionSDK/wiki/IPAM-4.7-API :

                   

                  Import-Module SwisPowerShell

                   

                  # Connect to SWIS

                  $hostname = "myorion.mydomain.local"

                  $username = "CaptainIPAM"

                  $password = "notARealPassword"

                  $swis = Connect-Swis -host $hostname -Username $Username -Password $Password

                   

                  Invoke-SwisVerb $swis IPAM.SubnetManagement CreateSubnet @("10.10.1.0", "21")

                   

                  The script executes successfully...

                   

                  PS C:\Users\dan.jagnow> c:\Users\dan.jagnow\LongPathHere\IPAMCreateSubnet.ps1

                   

                  nil  xmlns                                                                          d1p1                                          i

                  ---  -----                                                                          ----                                          -

                  true http://schemas.datacontract.org/2004/07/SolarWinds.InformationService.Contract http://schemas.datacontract.org/2004/07/System http://www.w3.org/2001/XMLSchema-instance

                   

                  PS C:\Users\dan.jagnow>

                   

                  ... and I see the subnet created:

                   

                   

                  If this looks similar to the steps you followed, then it's possible that upgrading to the latest IPAM is your best solution.

                    • Re: Solarwinds support couldn't help - Permissions to add a subnets to IPAM?
                      thsukudu

                      just for the sake of completion, can you run using the CRUD operations ---

                       

                       

                      new-swisobject -swis $swis -entitytype 'IPAM.Subnet' -properties @{Address='10.10.10.0'; CIDR=24; Comments="test"; DisableNeighborScanning=$true}

                       

                       

                      We are looking at upgrading the SolarWinds suite; however, we need to upgrade to Windows 2016 infrastructure first, which is months away.

                        • Re: Solarwinds support couldn't help - Permissions to add a subnets to IPAM?
                          dan jagnow

                          I replaced the final line in my PowerShell script with the line you proposed, ran it with an account with only IPAM access, and got this:

                           

                          new-swisobject : Access to IPAM.Subnet denied.

                          At C:\Users\dan.jagnow\LongPathHere\IPAMCreateSubnetCrud.ps1:12 char:1

                          + new-swisobject -swis $swis -entitytype 'IPAM.Subnet' -properties @{Ad ...

                          + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

                              + CategoryInfo          : InvalidOperation: (:) [New-SwisObject], FaultException`1

                              + FullyQualifiedErrorId : SwisError,SwisPowerShell.NewSwisObject

                           

                          Then I ran the same code after switching to a global admin account, and it succeeded:

                           

                          swis://myorion.mydomain.local/Orion/IPAM.Subnet/SubnetId=101,ParentId=0

                            • Re: Solarwinds support couldn't help - Permissions to add a subnets to IPAM?
                              thsukudu

                              well, that pretty much proves that it's an API issue and it seems like my best option is to upgrade. But that is months away from now and this project will be over already.

                               

                              Also, looks like the update function of the CRUD doesn't actually work either.

                               

                              I think what I'm going to end up doing is making a PowerShell script that calls a server-based script for the actual update with local accounts.

                               

                              However, this leaves me with a password file on the server, which I'm not a fan of.
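
One way to build the server-side script discussed in this thread without a plaintext password file, as an added example that is not from any poster or from SolarWinds: the privileged Orion credential is stored with Export-Clixml, and the wrapper only creates subnets that pass an allow-list check. The file paths, the allowed range, and the function names Test-SubnetRequest and Add-IpamSubnet are hypothetical; it assumes the CreateSubnet verb shown in the thread is available on the installed IPAM version.

```powershell
# Added example. Hostname is the one used in the thread; paths, the allowed
# range and the function names are hypothetical.
Import-Module SwisPowerShell

$OrionHost = 'myorion.mydomain.local'
$CredFile  = 'C:\Scripts\orion-ipam.cred.xml'    # hypothetical path
$AuditLog  = 'C:\Scripts\ipam-subnet-audit.log'  # hypothetical path

# One-time setup, run interactively AS the account that will run this script:
#   Get-Credential | Export-Clixml -Path $CredFile
# On Windows, Export-Clixml protects the password with DPAPI, so the file
# decrypts only for that same user on that same machine.

function Test-SubnetRequest {
    param([string]$Address, [int]$Cidr)
    $ip = $null
    if (-not [System.Net.IPAddress]::TryParse($Address, [ref]$ip)) { return $false }
    # Reject IPv6 and shorthand forms such as "10.10.1" that TryParse accepts.
    if ($ip.AddressFamily -ne 'InterNetwork' -or $ip.ToString() -ne $Address) { return $false }
    # Constructed policy: only 10.10.0.0/16, prefix lengths /16 to /30.
    $b = $ip.GetAddressBytes()
    return ($b[0] -eq 10 -and $b[1] -eq 10 -and $Cidr -ge 16 -and $Cidr -le 30)
}

function Add-IpamSubnet {
    param(
        [Parameter(Mandatory)][string]$Address,
        [Parameter(Mandatory)][int]$Cidr,
        [Parameter(Mandatory)][string]$Requester   # authenticated caller, supplied by the front end
    )
    if (-not (Test-SubnetRequest -Address $Address -Cidr $Cidr)) {
        throw "Rejected subnet request $Address/$Cidr from $Requester"
    }
    $creds = Import-Clixml -Path $CredFile
    $swis  = Connect-Swis -Hostname $OrionHost -Credential $creds
    # Same verb call shape as in the thread: address and CIDR passed as strings.
    Invoke-SwisVerb $swis IPAM.SubnetManagement CreateSubnet @($Address, "$Cidr") | Out-Null
    $line = '{0:o} {1} created {2}/{3}' -f (Get-Date), $Requester, $Address, $Cidr
    Add-Content -Path $AuditLog -Value $line
}
```

Restrict NTFS permissions on the credential file and the script directory to the service account, since anyone who can run code as that account can still decrypt the credential.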