SolarWinds support couldn't help - Permissions to add subnets to IPAM?

Hello,

I am trying to add a large number of subnets to IPAM and allow my users to do it.

Currently, the user has full ADMIN privileges to IPAM and the script does not work. BUT if I give them full admin permissions to SolarWinds, it works.

NPM: 12.1

IPAM: 4.5.1

PowerShell 5

And it will be months before we upgrade.

Second question - how do I connect as another domain user using SwisPowerShell? Right now passing `-trusted` works, but it would be nice to make it so my users' admin credentials are the only ones with permissions.

This code doesn't work:

# username is in 'domain\user' format
$cred = Get-Credential
# GetNetworkCredential is a method, so it needs parentheses on both calls
Connect-Swis -Hostname $solarwinds -Username $cred.GetNetworkCredential().UserName -Password $cred.GetNetworkCredential().Password


The first problem is a little bit tricky.  If you want to allow your users to do something that their current Orion permissions wouldn't allow them to do, you have a couple of options.  The simplest thing would be to give the users additional permissions.  Do note that IPAM permissions can be set without granting global administrator rights.  If that works for you, that could be the best approach.

pastedImage_2.png

Alternatively, you could do something like setting up a web page that your users would access to add subnets to IPAM.  The backend of that page could call the Orion API with more-privileged credentials.  But that is a complicated approach that relies on you being able to stand up a website, perform your own authentication and authorization, and securely store the Orion credentials.  If you already have an intranet site that you could add this feature to, this might make sense.

As a final alternative, you could submit a feature request that specifies more precisely exactly how you would like Orion to behave to meet your needs.

For the second question, there are details about how to pass credentials when connecting to SWIS here:

https://github.com/solarwinds/OrionSDK/wiki/Connecting-to-SWIS

In particular, note that you can use the -Credential parameter to pass those credentials in directly instead of trying to extract the username and password from them.  I think you'll have better luck with that approach.

# $host is a read-only automatic variable in PowerShell, so use a different name
$hostname = 'myorion.mydomain.local'
$creds = Get-Credential  # display a window asking for credentials
$swis = Connect-Swis -Hostname $hostname -Credential $creds

>  If you want to allow your users to do something that their current Orion permissions wouldn't allow them to do, you have a couple of options.  The simplest thing would be to give the users additional permissions

In your screenshot they are 'administrators' under IP ADDRESS MANAGER SETTINGS.

They cannot add subnets via my script. If I make them global SolarWinds administrators, they can.

How do I go about troubleshooting why they cannot? If they open the web GUI they can add / delete / modify subnets, but from the script they cannot.


It's possible that this is a bug that has been addressed in some release after IPAM 4.5.1.  I'm testing with IPAM 2019.4.  I created a new account and did not grant any global administrator rights:

pastedImage_0.png

I left all the defaults for this account except in the IPAM settings, where I made the user an IPAM admin:

pastedImage_1.png

Then I ran a very simple PowerShell script based on the documentation for the CreateSubnet verb on IPAM.SubnetManagement at https://github.com/solarwinds/OrionSDK/wiki/IPAM-4.7-API :

Import-Module SwisPowerShell

# Connect to SWIS
$hostname = "myorion.mydomain.local"
$username = "CaptainIPAM"
$password = "notARealPassword"
$swis = Connect-Swis -Hostname $hostname -Username $username -Password $password

# Create a /21 subnet through the IPAM.SubnetManagement verb (address, prefix length)
Invoke-SwisVerb $swis IPAM.SubnetManagement CreateSubnet @("10.10.1.0", "21")

The script executes successfully...

PS C:\Users\dan.jagnow> c:\Users\dan.jagnow\LongPathHere\IPAMCreateSubnet.ps1

nil  xmlns                                                                          d1p1                                          i
---  -----                                                                          ----                                          -
true http://schemas.datacontract.org/2004/07/SolarWinds.InformationService.Contract http://schemas.datacontract.org/2004/07/System http://www.w3.org/2001/XMLSchema-instance

PS C:\Users\dan.jagnow>

... and I see the subnet created:

pastedImage_4.png

If this looks similar to the steps you followed, then it's possible that upgrading to the latest IPAM is your best solution.
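The original question was about adding a large number of subnets and about working out why an IPAM-admin account is refused. The following is an added example, not code from the thread or from SolarWinds: it runs the same CreateSubnet verb shown above over a constructed list of subnets, connects with -Credential instead of a plaintext password, and records each result, so a permission fault on the account appears as a per-subnet "Failed: ... denied" row rather than stopping the script. The hostname and the subnet list are placeholders; only the SwisPowerShell module and an IPAM-admin account are assumed.

```powershell
# Added example (not from the thread). Bulk-create subnets with the IPAM.SubnetManagement
# CreateSubnet verb and report success/failure per subnet.
Import-Module SwisPowerShell

$hostname = 'myorion.mydomain.local'   # placeholder, as in the thread
$creds    = Get-Credential             # prompts for DOMAIN\user and password
$swis     = Connect-Swis -Hostname $hostname -Credential $creds

# Constructed sample input; in practice replace with Import-Csv of a file with Address,CIDR columns
$subnets = @(
    [pscustomobject]@{ Address = '10.10.1.0'; CIDR = 24 },
    [pscustomobject]@{ Address = '10.10.2.0'; CIDR = 24 },
    [pscustomobject]@{ Address = '10.10.4.0'; CIDR = 22 }
)

$results = foreach ($s in $subnets) {
    try {
        # The verb takes the network address and the prefix length, both as strings
        Invoke-SwisVerb $swis IPAM.SubnetManagement CreateSubnet @($s.Address, "$($s.CIDR)") | Out-Null

        # Read the subnet back so the row reflects what IPAM actually stored
        $check = Get-SwisData $swis 'SELECT Address, CIDR FROM IPAM.Subnet WHERE Address=@addr' @{ addr = $s.Address }
        $state = if ($check) { 'Created' } else { 'Verb returned but subnet not found' }
        [pscustomobject]@{ Address = $s.Address; CIDR = $s.CIDR; Result = $state }
    }
    catch {
        # A FaultException whose message contains "denied" points at the account's SWIS rights,
        # not at the subnet data; any other message should be read in full.
        [pscustomobject]@{ Address = $s.Address; CIDR = $s.CIDR; Result = "Failed: $($_.Exception.Message)" }
    }
}

$results | Format-Table -AutoSize
```

Running this once as the IPAM-only account and once as a global administrator gives a side-by-side record of which path is refused, which is the evidence to attach to a support case or feature request; the credential prompt means no password is written into the script.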


Just for the sake of completion, can you run it using the CRUD operations:

new-swisobject -swis $swis -entitytype 'IPAM.Subnet' -properties @{Address='10.10.10.0'; CIDR=24; Comments="test"; DisableNeighborScanning=$true}

We are looking at upgrading the SolarWinds suite; however, we need to upgrade to Windows 2016 infrastructure first, which is months away.

I replaced the final line in my PowerShell script with the line you proposed, ran it with an account with only IPAM access, and got this:

new-swisobject : Access to IPAM.Subnet denied.
At C:\Users\dan.jagnow\LongPathHere\IPAMCreateSubnetCrud.ps1:12 char:1
+ new-swisobject -swis $swis -entitytype 'IPAM.Subnet' -properties @{Ad ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:) [New-SwisObject], FaultException`1
    + FullyQualifiedErrorId : SwisError,SwisPowerShell.NewSwisObject

Then I ran the same code after switching to a global admin account, and it succeeded:

swis://myorion.mydomain.local/Orion/IPAM.Subnet/SubnetId=101,ParentId=0


Well, that pretty much proves that it's an API issue, and it seems like my best option is to upgrade. But that is months away, and this project will be over by then.

Also, it looks like the update function of the CRUD doesn't actually work either.

I think what I'm going to end up doing is making a PowerShell script that calls a server-based script for the actual update with local accounts.

However, this leaves me with a password file on the server, which I'm not a fan of.
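The server-side script described above needs the privileged account's credentials at run time, and the concern is a password sitting in a file. The following is an added example, not code from the thread or from SolarWinds, of the usual Windows-native alternative: Export-Clixml stores a PSCredential with the password as a DPAPI-protected SecureString, so the file decrypts only for the same Windows account on the same machine that wrote it, and a copy taken elsewhere is useless. The hostname and file path are placeholders; the SwisPowerShell module and Connect-Swis -Credential (documented on the OrionSDK wiki linked earlier) are assumed.

```powershell
# Added example (not from the thread). Persist the SWIS service account's credential
# with DPAPI protection instead of a plaintext password file.
Import-Module SwisPowerShell

$hostname = 'myorion.mydomain.local'                          # placeholder
$credPath = Join-Path $env:LOCALAPPDATA 'swis-ipam.cred.xml'  # placeholder path

if (-not (Test-Path $credPath)) {
    # One-time setup: run interactively AS the account the scheduled task will use,
    # because DPAPI ties the file to that user profile and this host.
    Get-Credential -Message 'IPAM service account (DOMAIN\user)' | Export-Clixml -Path $credPath
}

# Unattended runs: Import-Clixml rebuilds the PSCredential; it throws if another user
# or another machine tries to read the file.
$creds = Import-Clixml -Path $credPath
$swis  = Connect-Swis -Hostname $hostname -Credential $creds

# Confirm the session works before the script touches anything
Get-SwisData $swis 'SELECT TOP 1 Address, CIDR FROM IPAM.Subnet'
```

Two points follow from the DPAPI binding: the file must be created by the exact account the task runs under, and anyone who can log on as that account can use it, so the account should be a dedicated service identity with the minimum Orion rights that actually work, and the subnet changes it makes are then attributable to it in the Orion audit trail rather than to a shared admin login.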
