The API documentation starts on page 256 of 472, in "Security Group Management".
If I wanted to give Read/Write/Create/Delete access for a zone I could do this:
Generic: https://api.ultradns.com/accounts/accountName/groups/groupName (PATCH)
Specific: https://api.ultradns.com/accounts/ultrasupport/groups/Newgroup (PATCH)
{
  "entries": [
    {"type": "ACCOUNT", "permission": "READ"},
    {"type": "DOMAIN_SERVICES", "permission": "READ"},
    {"type": "ZONE", "permission": "READ"}
  ],
  "exceptions": {
    "exceptions": [
      {"type": "ZONE", "name": "anotherseatest2.com.", "permission": "DELETE"}
    ]
  }
}
If I wanted to give read/write/create/delete access for a particular CNAME I could do this:
Generic: https://api.ultradns.com/accounts/accountName/groups/groupName (PATCH)
Specific: https://api.ultradns.com/accounts/ultrasupport/groups/Newgroup (PATCH)
{
  "entries": [
    {"type": "ACCOUNT", "permission": "READ"},
    {"type": "DOMAIN_SERVICES", "permission": "READ"},
    {"type": "ZONE", "permission": "READ"}
  ],
  "exceptions": {
    "exceptions": [
      {
        "groupName": "Newgroup",
        "type": "CNAME",
        "name": "benefits.anotherseatest2.com.",
        "permission": "DELETE"
      }
    ]
  }
}
If I wanted to set read/write CNAME for a group at account-level I could do this:
Generic: https://api.ultradns.com/accounts/accountName/groups/groupName (PATCH)
Specific: https://api.ultradns.com/accounts/ultrasupport/groups/Newgroup (PATCH)
{
  "entries": [
    {
      "type": "CNAME",
      "permission": "WRITE"
    }
  ]
}
Please note that the account-level ZONE setting needs to be set to read for any account-level RRSET-type entries to have an effect.
Scenario 1:
User has account-wide Zone read.
User has account-wide CNAME read/write/create/delete.
...
User is able to see all domains.
User can read/write/create/delete CNAMEs in all domains.
User cannot write/create/delete other rrtypes.
Scenario 2:
User does not have account-wide Zone read.
User has account-wide CNAME read/write/create/delete.
User has read access to domain1.com.
User can read/write/create/delete CNAMEs in all domains.
...
User is able to see domain1.com.
User cannot read/write/create/delete CNAMEs in any domains including domain1.com.
User cannot write/create/delete other rrtypes.
Conclusion: Account-wide Zone read is required to use any of the account-level RRSET permissions. While the UI allows you to set account-level RRSET permissions even without account-level Zone (Domain) set to read, they do not function unless account-wide Zone read is set.
If I have account-wide read disabled, account-wide CNAME rwcd enabled and have a particular zone that I have read on, I cannot add CNAMEs for that zone.
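A pre-flight check for the rule above, as an added example that is not part of the original page or of the UltraDNS tooling: it inspects a group PATCH body before it is sent and reports account-level RRSET entries that would be inert because account-level ZONE read is missing. Assumptions: permission levels are cumulative (CREATE is inferred from the page's wording), any entry type other than ACCOUNT, DOMAIN_SERVICES and ZONE is an RRSET type, and the function names and sample bodies are constructed for illustration.

```python
import json

# Assumption: permission levels are cumulative, so any of these implies read.
# The page shows READ, WRITE and DELETE; CREATE is assumed from its
# "read/write/create/delete" wording.
GRANTS_READ = {"READ", "WRITE", "CREATE", "DELETE"}
# Assumption: the three non-record types seen on the page; every other
# entry type is treated as an RRSET type.
NON_RRSET_TYPES = {"ACCOUNT", "DOMAIN_SERVICES", "ZONE"}

def account_zone_read(body):
    """True if the account-level entries grant at least read on ZONE."""
    return any(
        e.get("type") == "ZONE" and e.get("permission") in GRANTS_READ
        for e in body.get("entries", [])
    )

def inert_rrset_entries(body):
    """Account-level RRSET-type entries that have no effect because
    account-level ZONE read is missing (the page's Scenario 2)."""
    if account_zone_read(body):
        return []
    return [
        e["type"] for e in body.get("entries", [])
        if e.get("type") and e["type"] not in NON_RRSET_TYPES
    ]

def exception_grants(body):
    """(type, name, permission) per exception, read from the nested
    "exceptions": {"exceptions": [...]} shape shown on the page."""
    nested = body.get("exceptions", {}).get("exceptions", [])
    return [(x.get("type"), x.get("name"), x.get("permission")) for x in nested]

# Constructed sample bodies modelled on the page's two scenarios.
SCENARIO_1 = json.loads("""{"entries": [
  {"type": "ZONE", "permission": "READ"},
  {"type": "CNAME", "permission": "DELETE"}]}""")
SCENARIO_2 = json.loads("""{"entries": [
  {"type": "CNAME", "permission": "DELETE"}],
  "exceptions": {"exceptions": [
    {"type": "ZONE", "name": "domain1.com.", "permission": "READ"}]}}""")

if __name__ == "__main__":
    for label, body in (("Scenario 1", SCENARIO_1), ("Scenario 2", SCENARIO_2)):
        print(label, "inert:", inert_rrset_entries(body),
              "exceptions:", exception_grants(body))
```

A non-empty result from inert_rrset_entries means the group definition will not behave as the UI suggests. Fixing it by adding account-level ZONE read also lets the group see every domain in the account, as Scenario 1 shows.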