I work for a large organisation which has chosen to utilise SolarWinds IPAM for organisation-wide management of address space. We're running IPAM version 4.3.2 - upgrading will be difficult to achieve here, but if it absolutely had to happen maybe it could... eventually.
I'm responsible for the network of one business unit (let's call it BU1) of this company (there are about 4 business units) and my BU (BU1) has been allocated a block of private address space (10.8.0.0/16) to do with as we please.
What I'm trying to figure out is if it is possible to create a supernet in a manner that prevents other IPAM users from creating subnets which belong within that Supernet. I can't currently test this myself as the permissions on the server are so broad (and applied globally, not on the individual groups/supernets/subnets in the tree) that all users can create groups, supernets and subnets anywhere - but if it's possible, I can try to get the server admins to change the global permissions config to facilitate this.
To elaborate - if I create an address group, and a supernet within that group, then lock down the permissions on the group and the supernet so that only members of "BU1 admins" can modify and create entries within that structure, will IPAM prevent someone from "BU2 admins" creating a subnet which belongs inside "my" supernet, elsewhere in the structure? I feel it should, but I have a bad feeling it might not.
Our IPAM structure looks something like this: (heavily simplified, but enough to demonstrate the issue - the below is much cleaner than the reality here)
- IP Networks
- BU1 [group]
- 10.8.0.0/16 [supernet]
- Site A 10.8.1.0/24 [subnet]
- Site B 10.8.2.0/24 [subnet]
- 10.8.0.0/16 [supernet]
- BU2 [group]
- 192.168.0.0/16 [supernet]
- 172.16.1.0/24 [subnet]
- 172.16.2.0/24 [subnet]
- Metro Sites [group]
- 10.12.0.0/16 [supernet]
- Site C: 10.12.1.0/24 [subnet]
- 10.12.0.0/16 [supernet]
- BU1 [group]
- BU3 [group]
- 172.16.3.0/24 [subnet]
- 10.10.0.0/16 [supernet]
- Metro sites [group]
- Site D: 10.14.1.0/24 [subnet]
- BU3 [group]
So back to the scenario - I'm responsible for BU1's address space, 10.8.0.0/16. I believe I can lock down the permissions (by removing the global config permissions and instead applying permissions at the group level) so that only members of "BU1 admins" can create supernets, subnets and groups inside the BU1 section. But if I do this, will it prevent someone from creating an allocation of say 10.8.10.0/24 inside BU2/Metro Sites? This is a subnet of 10.8.0.0/16 and right now, it's possible to create a subnet of that supernet anywhere in the structure (which doesn't make sense to me) - I need to prevent this from happening. Is IPAM smart enough to know that if the permissions on the 10.8.0.0/16 supernet are locked down, subnets of that supernet cannot be created by people who don't have permission on the 10.8.0.0/16 supernet structure?
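
Whatever the answer on enforcement, an audit over an export of the tree can flag entries that overlap a delegated block but sit outside the owning group, such as the 10.8.10.0/24 under BU2/Metro Sites case described above. This is an added example, not part of the original post and not SolarWinds code: the row format, the `OWNED_BLOCKS` policy table and the function names are assumptions, and the sample rows are constructed.

```python
import ipaddress

# Constructed rows standing in for an export of the IPAM tree: (tree path, CIDR, kind).
SAMPLE_TREE = [
    ("IP Networks/BU1", "10.8.0.0/16", "supernet"),
    ("IP Networks/BU1", "10.8.1.0/24", "subnet"),
    ("IP Networks/BU1/Site B", "10.8.2.0/24", "subnet"),
    ("IP Networks/BU10", "10.8.200.0/24", "subnet"),  # similar name, different group
    ("IP Networks/BU2/Metro Sites", "10.12.1.0/24", "subnet"),
    ("IP Networks/BU2/Metro Sites", "10.8.10.0/24", "subnet"),  # the case in the post
    ("IP Networks/BU3", "10.8.0.0/15", "supernet"),  # covers the whole BU1 block
]

# Assumed policy table: delegated block -> tree path whose admins own it.
OWNED_BLOCKS = {"10.8.0.0/16": "IP Networks/BU1"}


def in_owner_path(path, owner_path):
    """True if path is the owner's group or a descendant of it."""
    return path == owner_path or path.startswith(owner_path + "/")


def find_foreign_allocations(tree, owned_blocks):
    """Return entries that overlap a delegated block but sit outside its owner's path."""
    findings = []
    for path, cidr, kind in tree:
        net = ipaddress.ip_network(cidr, strict=False)
        for block_cidr, owner_path in owned_blocks.items():
            block = ipaddress.ip_network(block_cidr)
            # Skip mixed IPv4/IPv6 comparisons and non-overlapping ranges.
            if net.version != block.version or not net.overlaps(block):
                continue
            if in_owner_path(path, owner_path):
                continue
            # "inside": carved out of the block; "covers": a wider range that swallows it.
            relation = "inside" if net.subnet_of(block) else "covers"
            findings.append((path, cidr, kind, relation, block_cidr))
    return findings


if __name__ == "__main__":
    for finding in find_foreign_allocations(SAMPLE_TREE, OWNED_BLOCKS):
        print("%s: %s [%s] %s %s" % finding)
```

The check treats a wider supernet created elsewhere as a finding too, since it overlaps the delegated block just as a stray subnet does.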