User permission using a constraint negation?

[AnythingOverIP]

Hey guys,

I would like to find a way to restrict some users (members of a group) to have access to IP information of a single VRF. We have a contract requirement that mandate us to minimize data access only to personnel having a contract specific security clearance.

Looking at https://netbox.readthedocs.io/en/stable/administration/permissions/ , it seems that it does only Django filter() method, which does not contains any negation operator (not equal to, does not contain, does not start with, etc...) . Per my findings, those are included in Django exclude() method.

Is there a way to allow users to see "everything but VRF x?" I seems that I could restrict it, by manually listing all current VRFs, but as the list will grow, the filters would need to be updated. Any ways to somehow negate a constraint in a permission filter?

[hagbarddenstore]

I too would like this. I have the need to hide certain tenants and their things.

…

Sent from my iPhone

On 26 Feb 2022, at 18:55, thefreakquency ***@***.***> wrote:  Hey guys, I would like to find a way to restrict some users (members of a group) to have access to IP information of a single VRF. We have a contract requirement that mandate us to minimize data access only to personnel having a contract specific security clearance. Looking at https://netbox.readthedocs.io/en/stable/administration/permissions/ , it seems that it does only Django filter() method, which does not contains any negation operator (not equal to, does not contain, does not start with, etc...) . Per my findings, those are included in Django exclude() method. Is there a way to allow users to see "everything but VRF x?" I seems that I could restrict it, by manually listing all current VRFs, but as the list will grow, the filters would need to be updated. Any ways to somehow negate a constraint in a permission filter? — Reply to this email directly, view it on GitHub, or unsubscribe. Triage notifications on the go with GitHub Mobile for iOS or Android. You are receiving this because you are subscribed to this thread.

[jeremystretch]

This was proposed under #4949. Ultimately, it wasn't pursued both due to a technical hurdle that would need to be overcome, as well as a general inadvisability toward the approach itself (see my comment here).

[AnythingOverIP]

Thanks for the explanation @jeremystretch ! In understand the general inadvisability comment but as it it "general" it does not apply everywhere... In our case, we really need to NOT provide access to an element for some users, but whoever is accessing Netbox should see anything else.

I was wondering if the following avenue has been explored?

As per documentation:

[
{"site__name__in": ["NYC1", "NYC2"]},
{"status": "offline", "tenant__isnull": true}
]

is equivalent to:

Site.objects.filter(
Q(site__name__in=['NYC1', 'NYC2']),
Q(status='active', tenant__isnull=True)
)

Would'nt it be possible to do negate a Q object like this?

Site.objects.filter(
~Q(site__name__in=['NYC1', 'NYC2']),
Q(status='active', tenant__isnull=True)
)

In the previous example, Site would not be NYC1 or NYC2, but active and without tenant.

If we were to write the following

[
~{"site__name__in": ["NYC1", "NYC2"]},
{"status": "offline", "tenant__isnull": true}
]

could Netbox pass the ~ before Q? This seems to me way much easier than trying to leverage exclude()
Ref: https://docs.djangoproject.com/en/4.0/topics/db/queries/#complex-lookups-with-q

[AuthenticAMD]

I would be interested in permissions to limit access so that a tenant can update their own VRF information but not anything else.

[joaolucasmacedo]

I would be interested in permissions to limit access so that a tenant can update their own VRF information but not anything else.

You can easily do so by making permission sets and constraints. I usually do it.
Like, I can give access to a customer and he has access only to its objects by its tenant.

[alexanderd24]

We're also interested in limiting users/groups access to certain objects (tenants, VRFs, sites).

[joaolucasmacedo]

We're also interested in limiting users/groups access to certain objects (tenants, VRFs, sites).

You can easily do so by making permission sets and constraints. I usually do it.
Like, I can give access to a customer and he has access only to its objects by its tenant.

It would be nice to have it ready to deploy, but nowadays I have to manually set it up.

[viroge]

We would also need this: we have ~4500 devices, ~1500 VMs and ~50 tenants, who are basically the owners of these devices + VMs. We would need some of these tenants to be restricted, some generally available.
For example:

• on tenant1 (which owns a subset of devices + VMs) only group1 can make any changes
• on tenant2 (which owns another subset of devices + VMs) only group2 can make any changes
• on tenant3 (which owns a 3rd set of devices + VMs) everyone is allowed to make any changes

Without being able to negate it would be pretty painful to implement such a permission scheme.

[iansolt]

This would be nice to have. There are departments at our org who need to create objects manually, but we also have information synced from an external source to enable automations. We have tens of thousands of of tenants/locations, and being able to blacklist via a tag would let us segregate everything in an ideal way.