Windows Server 2012 R2 includes RBAC for IPAM. RBAC allows you to customize how
administrative permissions are defined in IPAM. For example, some people are
assigned the role of administrator and are able to manage all aspects of IPAM,
while other administrators may only be allowed to manage certain network
objects. By default, all objects inherit the scope of their parent object. To
change the Access Scope of an object, right-click the object and click on Set
Access Scope.
RBAC security is divided into the following three aspects: roles, access scopes,
and access policies.
• Roles. A role is a collection of IPAM operations. The roles define the actions
an administrator is allowed to perform. Roles are associated with Windows
groups and/or users through the use of access policies. There are eight
built-in RBAC roles for IPAM. New roles are created and added in the IPAM
console, in the ACCESS CONTROL pane.
The built-in roles for IPAM are:
Name | Description
DNS record administrator | Manages DNS resource records
IP address record administrator | Manages IP addresses but not IP address spaces, ranges, blocks, or subnets.
IPAM administrator | Manages all settings and objects in IPAM
IPAM ASM administrator | Completely manages IP addresses
IPAM DHCP administrator | Completely manages DHCP servers
IPAM DHCP reservations administrator | Manages DHCP reservations
IPAM DHCP scope administrator | Manages DHCP scopes
IPAM MSM administrator | Completely manages DHCP and DNS servers
• Access scopes. Access scopes define the objects to which an administrator has access.
By default, the Global access scope is created when IPAM is installed, and all
administrator-created access scopes are sub-scopes of the Global access scope.
Users or groups assigned to the Global access scope can manage all the network
objects in IPAM. Access scopes have up to 15 major operations that can be
assigned, such as DHCP server operations. These are further defined by multiple
related operations, such as Create DHCP scope, that can be assigned
individually. This allows for a large customization range for administrative
permissions in IPAM. New access scopes are created and added in the IPAM
console, in the ACCESS CONTROL pane.
• Access Policies. An access
policy combines a role with an access scope to assign RBAC permissions within
IPAM. New access policies are created and added in the IPAM console, in the
ACCESS CONTROL pane.
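
The following is an added example, not code from the original post or from Microsoft: a small Python model of how a role, an access scope, and an access policy combine into one allow/deny decision, including scope inheritance from the parent object. All principals, object names, the \Global\Dublin scope, and every operation name except "Create DHCP scope" are constructed, and it assumes a policy on a scope also covers its sub-scopes, as the page describes for Global.

```python
# Teaching model of IPAM RBAC (added example, not Microsoft code).
from dataclasses import dataclass

GLOBAL = "\\Global"

# Role = collection of operations. Constructed subsets for two built-in role names.
ROLES = {
    "IPAM DHCP scope administrator": {"Create DHCP scope", "Delete DHCP scope"},
    "IPAM DHCP reservations administrator": {"Create DHCP reservation"},
}

@dataclass(frozen=True)
class AccessPolicy:
    principal: str  # Windows user or group
    role: str       # key in ROLES
    scope: str      # access scope path, e.g. \Global\Dublin

class Ipam:
    def __init__(self):
        self.parent = {}    # object -> parent object (None at the top)
        self.explicit = {}  # object -> scope chosen with "Set Access Scope"
        self.policies = []

    def add_object(self, name, parent=None, scope=None):
        self.parent[name] = parent
        if scope:
            self.explicit[name] = scope

    def effective_scope(self, obj):
        # By default an object inherits the scope of its parent object.
        while obj is not None:
            if obj in self.explicit:
                return self.explicit[obj]
            obj = self.parent[obj]
        return GLOBAL

    def allowed(self, principal, operation, obj):
        scope = self.effective_scope(obj)
        for p in self.policies:
            covers = scope == p.scope or scope.startswith(p.scope + "\\")
            if p.principal == principal and covers and operation in ROLES[p.role]:
                return True
        return False  # no matching policy means no access

def demo():
    ipam = Ipam()
    ipam.add_object("dhcp01.example.test")  # constructed DHCP server
    ipam.add_object("10.20.0.0/24", "dhcp01.example.test", GLOBAL + "\\Dublin")
    ipam.add_object("10.30.0.0/24", "dhcp01.example.test")  # inherits \Global
    ipam.policies.append(AccessPolicy(
        "EXAMPLE\\DublinOps", "IPAM DHCP scope administrator", GLOBAL + "\\Dublin"))
    return ipam
```

In this model the EXAMPLE\DublinOps group can run "Create DHCP scope" only against the object placed in \Global\Dublin; the sibling object that still inherits \Global stays out of reach until a policy on \Global (or a scope change) covers it.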