User permissions on objects

[abhi1693]

Using permissions, what's the way to restrict a non-admin user to a particular site? My use-case involves creating at least 60 users with access to different sites (1 or more). I looked into how the object permission model is written but it felt more like a model permission manager than an object.

Example:
User1 should only be allowed access to Butler Communications, DM-Akron
User2 should only be allowed access to Butler Communications, DM-Buffalo, MDF
User3 should only be allowed access to Beta Test

[jeremystretch]

You can accomplish this using permission constraints, but first you'll want to figure out the exact mechanism by which you're qualifying sites for access. Maintaining a static list of site names scales very poorly; limiting sites by group, region, tag, etc. would work better.

[abhi1693]

That's also a poor idea when you think of it. Because that way I need to create 1 permission per user and another one every time we add a new user to the system. Because it's not necessary that I'll have a lot of overlapping sites for such people.

Even if I do something like,

1. Create a user and assign under a tenant and map all the relevant objects to the tenant
2. Create object permission that allows the user to view all the objects

At this point, I need to clone this object permission for each user for each tenant and in the constraints add the ID for the tenant.

My end goal is to restrict user access to only those objects that are assigned to them. Now, your tenant model is almost provided in all places but I'm unable to figure out the best way to make it work without having issues with scalability.

Please advise.

[jeremystretch]

Why are you trying to assign individual users to individual objects? That's not a typical pattern, and not something NetBox is designed to accommodate. Most people map groups of users to groups of objects. If you want to make discrete individual assignments, then yes, you'll need to create one permission per object, and assign the desired users to each.

[abhi1693]

I'm trying to assign individual users to multiple objects. Our case requires us to provide visibility to our end-users to objects that are assigned to them. I initially started with creating a tenant and assigned everything relevant under the tenant. So, that in itself becomes either multiple objects or groups of objects (depending on how the mapping is done).

I want to avoid creating another app that would use the API to filter the objects by tenants and display them to the users.

My initial PoC requires building this for our corporate customers which can either be a company (groups of users) or an individual contractor. Using the tenant, I mapped all the users as contacts using the contact role as Corporate.

Now, each tenant should only see/edit (depending on the object's permission) only the objects under it.

I understand that Netbox was not set up that and is only meant for documenting the objects rather than managing them. And, that's what we are trying to do for our customers to give them visibility of what has been assigned to them.

I apologize if my original requirement was too vague. I was trying to get a sense of how complex permission can be set up easily.

I understand if this is too much to ask to build and is outside the scope of Netbox. We will continue to build our own separate applications to make this happen.