Advanced Permissions
The Advanced Permissions option is a feature of the UltraDNS UI Portal that lets you customize permissions for individual users and/or groups to allow or restrict object-level actions. The Object types work as a hierarchy, allowing you to grant or remove access to entire sections of the UI through a single permission.
The Object Levels are as follows:
- Account (Manage Users, Primary User Details, Groups)
- Domain Services (Manage a Domain)
- Domain
- Resource Records (Record and Pool Types)
- Reports
Groups and Stand Alone Users
To access the list of groups and/or standalone users for your account:
- Click Accounts from the left-hand navigation menu.
- Select the Account Name you want to view the users and groups for.
- Click on the Groups tab.
- The bottom of the list displays the Not in a Group entry, which contains the standalone users, that is, users that have not yet been assigned to a group.
- You can create a new group by clicking the Add Group button.
- Each Account has three default groups that are created with set-level permissions that cannot be altered and cannot be deleted:
  - ADMINISTRATIVE - Users will have access to all account functions including being able to change the Primary user for the account. The Primary user and Administrative users are the only users that can invite new users to the account.
  - REPORTING - Users will have Read-only access for the entire account, meaning they cannot edit any account level or domain level details.
  - TECHNICAL - Users will have access to all account functions except for changing the primary user, and editing the Account Info (username and password).
Adding Users to a Group
To add an existing user to a group:
- Select a user from a group, or from the Not in a Group (group).
- Click the Move Users button.
- In the Destination drop-down menu, select the new group the user will be moved to.
- Click the Move button to remove the user from the previous group, and move them to the new group.
Viewing Permissions
Group Level Permissions
To view the permissions that are currently set for a group:
- Click on a Group Name from the available list.
  - It does not matter if any users are assigned to the group or not.
- Click the View Permissions button.
- The hierarchical tree diagram displays the various object levels that you can set permissions for.
- Move the slider bar right or left to increase or decrease the level of permission for a specific object type.
- You will need to un-check the Inherit button from an object if you want to change the permission from the previous object type it was inherited from.
  - Inherit means that the selected object will acquire the permissions from the object that is above it in the hierarchy tree.
  - For example, if you set the permissions for Domain to Read Write Create, and then select the Inherit box for Resource Records, Resource Records will obtain Read Write Create permissions, and all of the record types that are under Resource Records will also obtain the Read Write Create permissions due to the trickle-down effect.
Object Level Permissions
Object Type | Description |
---|---|
Account | Controls the permissions for the entire account once you are logged in, and as such, acts as the top tier when setting permissions. |
Domain Services | Controls the access that a user can have for all Domain features (i.e. creating domains, pools, and records). |
Domain | Controls specifically the ability to create, edit, and delete domains (which includes the records and pools within the domain). |
Resource Records | Controls the ability to create, edit, and delete pools and records. You can set the permissions for specific record and pool types as needed. |
Reports | Controls whether or not Reports can be viewed, requested, and/or exported for the account. |
Stand Alone User Permissions
Stand Alone Users, or the “Not in a Group” users, have their permissions set individually, as they are not officially part of a group on the UI Portal. To set or view the permissions for a Stand Alone user:
- From the Users and Groups tab, scroll to the bottom of the list and click on Not in a Group.
  - A list of all of the users that are not currently assigned to a group will appear.
- Click the Permissions button next to the user that you want to view or set permissions for.
- Use the slider bar to set the permission setting for each Object level for the user.
- Click Save when you are finished.
Permission Level Explanations
The following table explains what each permission level signifies or allows a user to accomplish.
Permission | Description |
---|---|
None | The user does not have access to view the selected Object type. |
Read | The user is able to view any content pertaining to the selected Object type. |
Write | The user is able to edit (make changes to) content pertaining to the selected Object type. |
Create | The user is able to create new content pertaining to the selected Object type. For example, a user could create a new Pool under the domain for an account and add new records to it. This also allows for the creation of a new Domain. |
Delete | The user is able to delete content pertaining to the selected Object type. |
Grant | The grant permission type allows the user to manage the Accounts section, which includes being able to change the Primary User, create new user accounts, and also set or remove Permissions and Exceptions. |
It is important to note that the Reports object type only operates on the None or Read permission type, meaning a user either has the ability to view and customize reports, or they do not.
As previously stated in the Advanced Permissions section, the permissions for the system generated groups (ADMINISTRATIVE, REPORTING, and TECHNICAL) cannot be altered. By assigning a user to any of the three groups, you are granting them the associated permissions by default.
Exceptions
The Exceptions tab displays all of the current permission exceptions that have been created for Users and Groups under the specified account.
When the permission level is set for an Object Type (i.e. Account, Domain, Resource Record etc.), every sub-Object adheres to that permission level unless you create an exception. For instance, say you create Group A and set the permission level for Domain to READ WRITE, thereby allowing every user in Group A to View and Edit all domains. However, there is one specific zone that you don’t want the users in Group A to be able to edit, so you create an exception for that one zone that sets the permission level to READ only.
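The inheritance rule from Viewing Permissions and the Group A exception above can be checked offline with a small model. This is an added example, not UltraDNS code or its API: every name in it is hypothetical, the zone names are constructed, and it assumes the slider levels are ordered None < Read < Write < Create < Delete < Grant. It covers only an exception on a named object versus the level set for its object type, and reports which exceptions widen access rather than restrict it.

```python
# Illustrative model only: not UltraDNS code or its API. Names are hypothetical.
from enum import IntEnum

class Level(IntEnum):
    # Assumption: the slider orders levels cumulatively, left to right.
    NONE, READ, WRITE, CREATE, DELETE, GRANT = range(6)

# Parent of each object type; Reports is left out because the page does not
# say where it sits in the tree.
PARENT = {"Account": None, "Domain Services": "Account",
          "Domain": "Domain Services", "Resource Records": "Domain"}

def base_level(settings, obj_type):
    """Walk up the tree until an explicit (non-inherited) level is found."""
    while obj_type is not None:
        level = settings.get(obj_type)   # missing/None models a checked Inherit box
        if level is not None:
            return level
        obj_type = PARENT[obj_type]
    return Level.NONE                    # nothing set anywhere: fail closed

def effective_level(settings, exceptions, obj_type, obj_name):
    """An exception on a named object overrides the level set for its type."""
    return exceptions.get((obj_type, obj_name), base_level(settings, obj_type))

def audit_exceptions(settings, exceptions):
    """Split exceptions into those that restrict and those that widen access."""
    report = {"restricts": [], "widens": []}
    for (obj_type, obj_name), level in sorted(exceptions.items()):
        base = base_level(settings, obj_type)
        if level != base:
            report["widens" if level > base else "restricts"].append(
                (obj_name, base.name, level.name))
    return report

# Constructed sample data mirroring the Group A scenario in the text.
GROUP_A = {"Account": Level.READ, "Domain": Level.WRITE}   # other types inherit
GROUP_A_EXCEPTIONS = {
    ("Domain", "locked.example."): Level.READ,    # the READ-only zone
    ("Domain", "lab.example."): Level.DELETE,     # constructed: wider than base
}

if __name__ == "__main__":
    print(effective_level(GROUP_A, GROUP_A_EXCEPTIONS, "Domain", "locked.example."))
    print(audit_exceptions(GROUP_A, GROUP_A_EXCEPTIONS))
```
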
Creating an Exception
To create an exception for a Domain:
- Find your desired Domain name from the Domains list, and then click the Key icon under the Perms heading.
- The Permissions window displays all of the currently configured groups and standalone users, along with the permission level that each has for the specified domain.
- Use the slider bar to set the desired permission level for each group or user for the current domain.
  - Standalone users (users not assigned to a group) will appear on the very last page of the Groups list.
- Once you have set all of the new permissions for the desired groups / users, click the Save button.
- Each group or user that had their permission changed will have a checkbox next to their name, as well as an arrow under the Exceptions header, indicating that an exception is currently in place for the specified domain (object).
Resetting Permissions and Exceptions
Once an exception has been created for a group, you can either reset the permission from the specific domain, or delete it from the Accounts section.
To reset an exception to a Domain:
- Click the Key icon next to the domain that has the exceptions set.
- Click into the checkbox for each Group or User you want to reset the permissions for.
- Click the Reset Selected Permissions button.

The permissions will automatically revert to the default permissions (or the last updated permissions from the Users and Groups section of the Accounts tab).
Viewing Exceptions
To see a list of the current exceptions for an account:
- Click on Accounts from the left-hand navigation menu.
- Select the desired Account Name.
- Click on the Exceptions tab. The Permission Exceptions menu will appear.
- Each exception provides the following details:
  - User/Group – The current User or Group that has the exception.
  - Object – The specific object name being impacted (i.e. a zone name).
  - Object Type – The category to which the Object belongs.
    - For example, if a specific zone has been given the exception, the Object Type will be Zone.
  - Permission – The current permission level (with the exception included) that is impacting the object.
Edit an Exception
To edit an exception from the Permission Exceptions menu:
- Click the pencil icon next to the exception that you want to edit.
- Use the slider bar to change the permission level for the object.
- Once done, click the checkmark icon.
  - Clicking the X icon will cancel the change you’ve made.
Delete an Exception
To delete an exception that has been created for the account:
- Click the checkbox next to the exception that you want to delete.
- Click the Delete Selected Exceptions button.
- Click the Delete button to confirm the deletion of the exception.
  - Deleting an exception will not change the base permission for the User or Group; it will only remove the exception that was placed on the specific Object.