
Need for Role Delegation in IP Administration – Part2

Level 12

In my previous blog, I discussed the difficulties of manual IP address management (IPAM): poor visibility, inefficient operations, compromised security, and the inability to meet audit requirements for compliance. Many of the comments on that post favoured moving to an automated solution. Here are 4 basic best practices for role delegation, an essential criterion for efficient IPAM.

Effective distribution of responsibility across and within teams: Access control is an important consideration when multiple users have access to the IPAM system.

As IP administration operations touch several teams, it is recommended to:

  • Distribute tasks based on responsibilities and expertise of teams and individuals.
  • Securely delegate IP management tasks to different administrators without affecting current management practices.
  • Avoid bottlenecks, inefficiencies and errors when configuring different systems, finding an available IP, or making DHCP/DNS changes.

For example, the server team can delegate management of DNS/DHCP and IPAM functions to the network team while keeping control of the rest of the Windows server functionality. Network teams in turn can divide responsibilities by location or expertise within the group and delegate even simpler tasks, such as new IP address assignments, to the IT Helpdesk.


Different admins have unique role-based control: Role-based control helps ensure secure delegation of management tasks. Various role definitions permit different levels of access restrictions and also help track changes. This way you can maintain security without limiting the ability to delegate required IP management activities. Some examples of role-based control are:

  1. Administrator role or the Super User - full read/write access, initiate scans to all subnets, manage credentials for other roles, create custom fields, and full access to DHCP management and DNS monitoring.
  2. Power Users - varied permissions/access rights restricted to managing subnets and IP addresses only, management of supernet and group properties, and creation of custom data fields on portions of the network made available by the site administrator.
  3. Operator - access to the addition/deletion of IP address ranges and the ability to edit subnet status and IP address properties on the allowed portions of the network.
  4. Read Only Users - have only read access to DHCP servers, scopes, leases and reservations, and to DNS servers, zones and records.
  5. Custom access - where the role is defined on a per subnet basis. DHCP and DNS access depends on the Global Account setting.
  6. Hide - Restrict all access to DHCP & DNS management.

Ultimately, control lies with the super user who can assign roles as per the needs and requirements of the network or organization.


Administering and inheriting rights: Setting up and assigning roles should be easy and quick. The effectiveness of an IPAM lies in the ease of management of the system itself. Many automated IPAM solutions are integrated with Windows Active Directory (commonly used in networks), making it easier to create and assign user roles for IPAM. Built-in role definitions help quickly assign and delegate IPAM tasks to different users.


Change approval or auditing: Compliance standards require that all changes made to the IP address pool be recorded and that change history for IP addresses be maintained. Any change to IP address, DHCP or DNS management must be logged separately and maintained centrally.

A permissioned access system ensures that only approved/authorized personnel are allowed to make changes to IP address assignments. Ideally, an IP management system should allow administrative access to be delegated by subnet.

Maintaining a log for changes helps avoid errors and also simplifies the process of troubleshooting and rollback of unintended administrative changes. Automated IPAM solutions enable auditing by recording every change in the database along with the user name, date, time of modification, and details of the change. The audit details are published as reports and can be exported, emailed or retrieved as required for further analysis. Some examples of these reports are: Unused IP Addresses, Reserved-Static IP Addresses, IP Usage Summary, etc.
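As an added example (not code from the original post or from any IPAM product), here is how the per-subnet, role-based checks and the change log described above fit together: a small Python model with the built-in roles listed earlier, grants scoped to one subnet or to the whole network, default-deny authorization, and an audit record for every change attempt that also drives rollback. The role names, action names and sample users are my own assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network

# Actions each built-in role may perform; mirrors the role list above.
ROLE_ACTIONS = {
    "admin": {"read", "edit_ip", "add_range", "scan", "manage_roles"},
    "power": {"read", "edit_ip", "add_range", "edit_supernet"},
    "operator": {"read", "edit_ip", "add_range"},
    "readonly": {"read"},
    "hide": set(),
}

@dataclass
class Grant:
    role: str
    subnet: "str | None" = None  # None = whole network, else per-subnet scope

@dataclass
class Ipam:
    grants: dict                                # user -> list[Grant]
    ips: dict = field(default_factory=dict)     # ip -> assigned hostname
    audit: list = field(default_factory=list)   # one record per change attempt

    def allowed(self, user: str, action: str, ip: str) -> bool:
        addr = ip_address(ip)
        for g in self.grants.get(user, []):
            if g.subnet and addr not in ip_network(g.subnet):
                continue                        # grant scoped to another subnet
            if action in ROLE_ACTIONS[g.role]:
                return True
        return False                            # default deny

    def set_ip(self, user: str, ip: str, host: "str | None") -> None:
        ok = self.allowed(user, "edit_ip", ip)
        self.audit.append({"user": user, "when": datetime.now(timezone.utc).isoformat(),
                           "ip": ip, "old": self.ips.get(ip), "new": host,
                           "result": "ok" if ok else "denied"})  # denials logged too
        if not ok:
            raise PermissionError(f"{user} may not edit {ip}")
        if host is None:
            self.ips.pop(ip, None)              # release the address
        else:
            self.ips[ip] = host

    def rollback(self, index: int, user: str) -> None:
        e = self.audit[index]                   # undo by re-applying the old value
        if e["result"] != "ok":
            raise ValueError("nothing to roll back")
        self.set_ip(user, e["ip"], e["old"])    # itself checked and audited
```

A helpdesk operator granted only 10.1.0.0/24 can assign addresses there but nowhere else, a read-only auditor's denied edit still lands in the audit list, and a rollback goes through the same check and logging as any other change.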


Conclusion

In conclusion, it’s quite clear that manually managing IP addresses can be a resource drain. On the other hand, investing in a good IPAM solution provides you with effective IPAM options and, more importantly, tangible business benefits, including a compelling return on investment.


Do you agree that role delegation does help ease some load off the network administrator’s back?

9 Comments
mr.e
Level 14

I definitely concur that role delegation is a must for IPAM admin tasks -- unless the network is extremely small.  I just do not have enough cycles (or energy) to keep up with that as well as my other tasks and projects.

As a matter of fact, we are in the process of cleaning up our own delegation processes and protocols for IPAM. 

Jfrazier
Level 18

It follows many of the other aspects of IT. There must be separation of duties so that things are handled appropriately and we don't have the too-many-fingers-in-the-pie syndrome causing others to step on each other.

jkump
Level 15

The delegation of IPAM tasks is essential for moving the IT department forward.  I am looking at something similar in a role-based, group-based documentation and password management solution.  These same characteristics can be applied to IPAM as well.  The listing that you have in your post is beneficial and I am bookmarking this post to pass along to my team.

mr.e
Level 14

Some lessons learned from our own mistakes about IPAM rights and user accounts..

  1. Develop the strategy for proper role assignments ahead.  Don't wait until you have already granted rights, especially if you have given Power User and/or Full Admin rights in IPAM.  Once the users are given those rights, it is very hard to take it back and may spur some -- deserved -- resentment towards you and your team.  This, of course, mostly applies to those users whose IPAM rights may need to be restricted after the fact.
  2. When in doubt, err towards granting lesser rights.  You can always increase the rights, if it is merited -- and you'll look like a hero, which is always good. 
  3. Establish a pattern by which the person's manager decides who in his team needs specific rights.  That way, the user cannot complain to you for giving him/her too few rights.  And, this increases the accountability, both for the person's manager, the user and -- of course -- yourself.
  4. If possible, try to use Domain Groups for granting rights within Orion instead of creating individual accounts for each user.  The benefit here is that you have less administration overhead whenever the person moves to a different team or leaves the firm.  Of course, you can also have some users having their individual AD accounts added to Orion but that should be the exception, not the rule.
  5. Using a SQL script, create a report of all your Orion AD user accounts and AD user groups with their respective rights.  This will help you figure out who's got which rights. This may also come in handy if some users are mistakenly removed or modified.  You can use your SQL report to figure out what needs to be corrected.
  6. If possible, have a backup person who can also add users to Orion.  This will come in very handy, especially when you're away or sick.  Else, you may have put yourself in the unpleasant position of being on call.

Maybe there are more mistakes, but that's as far as I'll take it for now. I hope y'all find these suggestions helpful. 

mr.e
Level 14

neetha.edwin

I just realized that I strayed a bit off the intended topic of your post.  Sorry!!! 

superfly99
Level 17

Totally agree. If everyone had full access, it could lead to many issues. This goes without saying.

neetha.edwin
Level 12

No worries! This is helpful too

neetha.edwin
Level 12

Separation of duties, yes! What kind of delegation of duties for IP address management have you come across in your network? Just curious cos this would differ from organization to organization and also networks.

jkump
Level 15

I was thinking about the admin levels.  What is the minimum number of levels that would be beneficial in an IPAM solution?  I mean to say, is 2 enough (Admin, User); 3 (Admin, Manager, User); 4 (Admin, Manager, User, View)?

I was thinking that maybe 3 would be the sufficient minimum?  Admin is the Application Admin.  Manager is able to do everything but manipulate users.  User would be read-only, view only, that is, able to see what is going on but make no changes.