NameSurfer Suite
Group page
FusionLayer

NameSurfer 7.6.4.1


Introduction

All FusionLayer NameSurfer users receive their access restrictions according to the specific user group(s) they belong to.

For example,

Group 1 has access to zone a.x
Group 2 has access to zone b.x

User 1 is a member of both Group 1 and Group 2 and thus has access to zones a.x and b.x.
User 2 is a member of Group 2 only and thus has access only to zone b.x.


Setting up groups

The installation script creates the default group "admingroup" and one user in it; the username and password for this user are entered during installation. This default user has full superuser privileges and can create new groups and users. It is recommended that a personal account is created for each administrator, even if they all belong to the "admingroup" group, so that administrative changes can be attributed to an individual.

When needed, an administrator can create a user group and define the access restrictions for it. Users are then assigned to the group for those restrictions to take effect. An administrator with full superuser privileges can create groups with any privileges (including other superuser groups) without restriction, while a non-superuser administrator can only create and modify group privileges that they themselves possess. For example, a user with full group edit rights but limited access to DNS zones cannot create a group that has access to all DNS zones.


How the group page works

On the group page you can add or remove a FusionLayer NameSurfer user group or change its attributes described below.


Group name

The name of the group, for example "admingroup". Accepted characters are letters (a-z), digits (0-9), hyphen (-) and underscore (_). Spaces are not allowed.


Superuser privileges

A group with superuser privileges enabled has full access to all modules and data, regardless of any other setting defined for that group. Superuser status for a group can be enabled or disabled only by a user who has superuser privileges. A user who does not belong to a superuser-enabled group can only grant or revoke privileges that are defined by the group(s) of which that user is a member. The only group-level access restriction that still applies to a superuser group is the Allow WWW access only from IP address range(s) setting.


Access to different FusionLayer NameSurfer modules

Each group has the following accessibility settings available for the FusionLayer NameSurfer modules listed below:

  • Full access - where present, group members can create and remove module contents in addition to modifying them. For modules that have no separate Full access level, Modify rights also allow creating and removing.
  • Modify - group members can modify module contents (and create or remove them where the module has no Full access level).
  • View - group members can only view module contents and cannot change them.
  • No access - group members have no access of any kind to the module or its contents.

Access to DNS: Forward and reverse zones and their nodes, DNS views and imports. For more detailed restrictions of the related attributes, please see below.

Access to Users: Gives the group access to user accounts. See also Access to Groups.

Access to Groups: Gives the group access to other user groups.

Access to Keys: Gives the group access to TSIG and NSAPI keys.

Access to IP Addresses: Gives the group access to IP Address Management.

Access to Remote Servers: Gives the group access to Remote servers (DNS and DHCP). A more refined access level can be managed at Remote server restrictions. One additional access level exists for remote servers access:

  • Assign only - the group members can assign remote DNS secondaries to zones, and/or bind DHCP servers to IP blocks, as allowed by the server type and name patterns. They do not have access to the remote servers module and cannot manually view, edit, upload or reload remote server configurations.


Information

Group description: A text field for a description of the group, also shown in the Group listing.

Status: Groups are enabled by default. If a group is set to disabled, its members cannot log in unless they also belong to another group that is enabled.


Users of this group

Users:
If JavaScript is enabled and NameSurfer has more than 10 users: the users section shows the first 10 members of the group, followed by '...' if the group has more than 10 members. The group's users are edited by pressing the Edit button, which opens a new window; from it you can add or remove users, provided you have sufficient access rights. Remember to save your changes after closing the edit window.
If JavaScript is disabled or NameSurfer has 10 or fewer users: all users are listed with a checkbox in front of their names, and you modify the group's membership by ticking or unticking the checkboxes.


Resource allocation

Allocate IP addresses from range(s): If the group has been given access to IP Addresses (see above), these textfields can be used to define a specific range (or ranges) of IPv4 addresses for automatic allocation.

When displaying the form for adding a new host to the DNS, FusionLayer NameSurfer automatically searches this range (or these ranges) for unused addresses in the related reverse (in-addr.arpa) zones. If multiple ranges are defined, a list of available IP addresses is shown.
NOTE! If the correct reverse zone is not found, or is not administered on this name server, the field is left empty.

The first unused address is offered as the default for the host address field. If the fields are left blank, no automatic address allocation takes place.
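As an added illustration of the allocation rule above (this is example code written for this page, not NameSurfer's own implementation), the following Python models a group's allocation ranges, a constructed set of administered reverse zones, and the search for the first unused address. It assumes classful /24 in-addr.arpa zones and treats an address as used when its reverse zone already holds a PTR for it; addresses whose reverse zone is not administered here are skipped, which is what leaves the field empty in the documented case.

```python
import ipaddress

# Constructed sample data (not NameSurfer's data model): the reverse zones
# this server administers, each mapping an existing PTR owner label to its
# target. Only 192.168.23.0/24 is administered here; this example assumes
# classful /24 in-addr.arpa zones.
REVERSE_ZONES = {
    "23.168.192.in-addr.arpa": {
        "1": "gw.example.com.",
        "2": "srv1.example.com.",
        "3": "srv2.example.com.",
    },
}


def reverse_zone_for(addr: ipaddress.IPv4Address) -> str:
    """Name of the /24 in-addr.arpa zone covering addr (assumption)."""
    a, b, c, _ = addr.packed
    return f"{c}.{b}.{a}.in-addr.arpa"


def parse_range(spec: str):
    """'low - high' (inclusive) -> (IPv4Address, IPv4Address)."""
    lo, hi = (ipaddress.IPv4Address(p.strip()) for p in spec.split("-", 1))
    if hi < lo:
        raise ValueError(f"range end before start: {spec!r}")
    return lo, hi


def free_addresses(ranges, zones, limit=None):
    """Unused addresses in the group's allocation ranges, in range order.

    An address is 'used' if its reverse zone already has a PTR for it.
    Addresses whose reverse zone is not administered in `zones` are
    skipped: the server cannot tell whether they are free, which is why
    the page says the field is left empty in that case.
    """
    found = []
    for spec in ranges:
        lo, hi = parse_range(spec)
        cur = lo
        while cur <= hi:
            zone = zones.get(reverse_zone_for(cur))
            label = str(cur).rsplit(".", 1)[1]       # last octet = PTR owner label
            if zone is not None and label not in zone:
                found.append(str(cur))
                if limit is not None and len(found) >= limit:
                    return found
            cur += 1
    return found


def default_host_address(ranges, zones) -> str:
    """Value pre-filled in the host address field: the first free address,
    or '' when no range is set or no free address can be determined."""
    if not ranges:
        return ""
    free = free_addresses(ranges, zones, limit=1)
    return free[0] if free else ""


if __name__ == "__main__":
    print(default_host_address(["192.168.23.1 - 192.168.23.10"], REVERSE_ZONES))
    print(free_addresses(["192.168.23.1 - 192.168.23.3",
                          "192.168.23.5 - 192.168.23.6"], REVERSE_ZONES))
```

With the sample zone, the first range yields 192.168.23.4 as the default, and a range in 10.0.0.0/8, whose reverse zone is not administered, yields nothing at all rather than a guessed address.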


WWW Access

Allow WWW access only from IP address range(s): These textfields can be used to permit the group's users to log in to FusionLayer NameSurfer only from Web browsers on a specific network or host, by defining a range of allowed IP addresses.

There are two entry fields, defining the lower and the inclusive upper end of the range, respectively. For example, entering 192.168.23.0 and 192.168.23.255 allows access only from the network 192.168.23.0/24. Entering the same IP address in both fields restricts the user to logging in from a single host. If the fields are left blank, the user may log in from any host. The check is made against the source address of the connection as the server sees it: if users reach NameSurfer through a reverse proxy or a NAT device, they all appear to come from that device's address and the restriction no longer distinguishes between them.


Group and user restrictions

These fields set name patterns for the group(s) and user(s) that members of this group may view or edit, at the level set by the Access to Groups and Access to Users module rights. Unless the group is a superuser group, those module rights apply only to groups and users whose names match the defined patterns.


Remote server restrictions

A group can have privileges to Remote Servers (DNS and DHCP) defined under Access to Remote Servers. With these settings the privileges can be narrowed to apply only to certain server types and servers.

  • Access to remote DNS servers: If enabled, the group can access the remote DNS servers whose names match the Remote DNS server name pattern(s).

  • Remote DNS server name pattern(s): Name pattern(s) for the remote DNS servers the group is granted access to when Access to remote DNS servers is enabled.

  • Access to remote DHCP servers: If enabled, the group can access the remote DHCP servers whose names match the Remote DHCP server name pattern(s).

  • Remote DHCP server name pattern(s): Name pattern(s) for the remote DHCP servers the group is granted access to when Access to remote DHCP servers is enabled.


Access restrictions

Restrict editing to specific record type(s): When a new group is created, all its members may modify all record types by default; this is shown by ticked checkboxes. To restrict the group to specific record types, untick the checkboxes of the types it must not edit. The All and None buttons tick or untick every checkbox at once.

Access to zone(s):
If the group has been given access to DNS (see above), the contents of these textboxes define the zones that are listed on the DNS index page (forward zones list) and whose contents can be viewed on the zone page.

You may fill in zone names or name patterns to define the zones the group members have access to. An asterisk (*) can be used as a wildcard at the beginning or at the end of a string, for example example*.com or *example. If the textbox is empty, the group members have access to none of the zones. A sole asterisk in the textbox gives access to all zones.


Access to reverse zone(s): If the group has been given access to DNS (see above), the contents of these textboxes define the reverse zones that are listed on the DNS index page (reverse zone list) and whose contents can be viewed on the reverse zone page.

You may fill in the appropriate zone names or name patterns to define the zones the group members have access to. An asterisk (*) can be used as a wildcard at the beginning or at the end of a character string. If the textbox is empty, the group members have access to none of the reverse zones. A sole asterisk in the textbox gives access to all reverse zones.


Access to view(s): If the group has been given access to DNS (see above), the contents of these textboxes define one or several DNS views the group has access to.

You may fill in the appropriate name or a name pattern to define the DNS views the group members have access to. An asterisk (*) can be used as a wildcard at the beginning or at the end of a character string. If the textbox is empty, the group members have access to none of the views. A sole asterisk in the textbox gives access to all views.


Access to node pattern(s): If the group has been given access to DNS (see above), the contents of these textboxes define one or several node name patterns that the group has access to, and thereby which nodes are listed on the zone page.

You may fill in the appropriate name or a name pattern to define the nodes the group members have access to. An asterisk (*) can be used as a wildcard at the beginning or at the end of a character string. If the textbox is empty, the group members have access to none of the nodes. A sole asterisk in the textbox gives access to all nodes.


Permitted IPAM Owner(s): If the group has been given access to IP Addresses (see above), ticking one or several of the owners displayed here gives the group access to the IP address data owned by those owners as recorded in the database.

You may also fill in an owner name or an owner name pattern in the textfield to grant access for owners that are not yet listed in the database. An asterisk (*) can be used as a wildcard at the beginning or at the end of a character string. If the textbox is left empty and none of the owners' checkboxes are ticked, the group members have access to no owner's IP address data. A sole asterisk in the textbox gives access to all owners.
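The zone, reverse zone, view, node and owner fields above, as well as the group/user and remote server patterns, all use the same wildcard convention. The Python below is an added example for this page, not NameSurfer's matcher, and its semantics are an assumption chosen to fit both examples the page gives (example*.com and *example): a `*` matches any run of characters, everything else is literal, an empty field matches nothing, a lone `*` matches everything, and names compare case-insensitively. It also shows why a suffix pattern should be anchored at a label boundary.

```python
import re


def compile_pattern(pattern: str):
    """Compile one NameSurfer-style name pattern into a regex.

    Assumed semantics (fitting the page's 'example*.com' and '*example'):
    '*' matches any run of characters including none, every other
    character is literal, a lone '*' matches everything, and an empty
    field matches nothing (returns None). Matching is case-insensitive,
    an assumption that holds for DNS names.
    """
    p = pattern.strip()
    if not p:
        return None
    parts = [re.escape(part) for part in p.split("*")]
    return re.compile("^" + ".*".join(parts) + "$", re.IGNORECASE)


def allowed(patterns, name: str) -> bool:
    """True if `name` matches at least one of the group's patterns."""
    for pat in patterns:
        rx = compile_pattern(pat)
        if rx is not None and rx.match(name.strip()):
            return True
    return False


def visible(patterns, names):
    """Subset of `names` that would be listed on the index page."""
    return [n for n in names if allowed(patterns, n)]


def user_allowed(groups_patterns, name: str) -> bool:
    """A user's access is the union of the patterns of all their groups,
    as in the introduction's Group 1 / Group 2 example."""
    return any(allowed(pats, name) for pats in groups_patterns)


def overmatches(pattern: str) -> bool:
    """Audit check: a suffix pattern such as '*example.com' also matches
    'notexample.com'. '*.example.com' is anchored at a label boundary."""
    p = pattern.strip()
    return p.startswith("*") and len(p) > 1 and not p.startswith("*.")


if __name__ == "__main__":
    zones = ["example1.com", "example.com", "notexample.com", "a.x"]
    print(visible(["example*.com"], zones))
    print(visible(["*.example.com"], zones))
    print([p for p in ["*example.com", "*.example.com"] if overmatches(p)])
```

Before saving a group, run each zone, view and node pattern through `overmatches`: a pattern such as `*example.com` silently grants access to every zone whose name merely ends in those characters, which is the kind of over-broad grant that is hard to spot in a long pattern list.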


Allow management of IPAM hosts on Modify level: If the group has been given Modify access to IP Addresses, its members can normally only edit information and settings of existing entities in the IP address management database. Enabling this setting additionally allows them to add and remove hosts and related items in locations where host items may be present.

Access to IP Address range(s): If the group has been given access to IP Addresses (see above) and/or access to DNS (see above), the contents of these textboxes define the set of IPv4 address ranges which the group members have access to. These ranges are used by both DNS and IP Addresses modules.

Multiple address ranges may be entered by pressing the "OK" button after entering the first one.

In addition to specifying ranges of addresses, the access restrictions may be entered as a prefix/bitmask pair. In such a case only the first textfield (intended for entering the beginning of the range) may be used, and it must contain the address prefix and bitmask value separated by a slash (/) sign.

Example of a normal range: 192.168.23.0 - 192.168.23.47

Example of a prefix range: 192.168.23.0/22


Access to IP6 address range(s): If the group has been given access to IP Addresses (see above) and/or access to DNS (see above), the contents of these textboxes define the set of IPv6 address ranges which the group members have access to. These ranges are used by both DNS and IP Addresses modules.

Multiple address ranges may be entered by pressing the "OK" button after entering the first one.

In addition to specifying ranges of addresses, the access restrictions may be entered as a prefix/bitmask pair. In such a case only the first textfield (intended for entering the beginning of the range) may be used, and it must contain the address prefix and bitmask value separated by a slash (/) sign.

Example of a normal range: 0:0:0:0:0:0:0:0 - ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff

Example of a prefix range: 2000:aa10:0:0:0:0:0:0/32
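The WWW access fields, the IPv4 range fields and the IPv6 range fields above all take the same two-field low/high or prefix/bitmask input. The Python below is an added example for this page (not NameSurfer's own parser) that interprets those fields with the standard library's `ipaddress` module and checks an address against them. Two details are assumptions: a "low - high" string typed into the first field alone is accepted, and a prefix whose host bits are set is rejected rather than silently widened. The page's own example 192.168.23.0/22 falls into the second case: that prefix actually denotes 192.168.20.0 to 192.168.23.255, so the parser refuses it and asks for 192.168.20.0/22 instead.

```python
import ipaddress


def parse_range(first: str, second: str = ""):
    """Interpret NameSurfer's two range fields.

    Forms (as documented on the page, plus one assumption):
      first='prefix/bits', second=''      -> the whole prefix
      first='low',         second='high'  -> inclusive range
      first='low',         second=''      -> single host
      first='low - high',  second=''      -> same range in one field (assumption)
      first='',            second=''      -> no restriction (None)
    Returns (low, high) as ipaddress objects of the same IP version.
    A prefix with host bits set (e.g. 192.168.23.0/22) raises ValueError
    instead of being widened to 192.168.20.0 - 192.168.23.255.
    """
    first, second = first.strip(), second.strip()
    if not first and not second:
        return None
    if "-" in first and not second:
        first, second = (p.strip() for p in first.split("-", 1))
    if "/" in first:
        if second:
            raise ValueError("prefix/bits form uses the first field only")
        net = ipaddress.ip_network(first)      # strict: host bits must be zero
        return net[0], net[-1]
    low = ipaddress.ip_address(first)
    high = ipaddress.ip_address(second) if second else low
    if high.version != low.version:
        raise ValueError("range ends are of different IP versions")
    if high < low:
        raise ValueError("range end is below range start")
    return low, high


def in_range(rng, addr: str) -> bool:
    """True if addr lies inside rng; a blank range (None) matches everything."""
    if rng is None:
        return True
    low, high = rng
    a = ipaddress.ip_address(addr)
    return a.version == low.version and low <= a <= high


def login_allowed(field_pairs, client_ip: str) -> bool:
    """WWW access check for a group's 'Allow WWW access only from' fields.

    No ranges configured -> any host may log in; otherwise the client must
    fall inside at least one range. client_ip must be the real source
    address of the connection as the server sees it; behind a reverse
    proxy or NAT every browser shares the proxy's address and this check
    no longer distinguishes between clients.
    """
    ranges = [r for r in (parse_range(a, b) for a, b in field_pairs) if r is not None]
    if not ranges:
        return True
    return any(in_range(r, client_ip) for r in ranges)


if __name__ == "__main__":
    print(parse_range("192.168.23.0 - 192.168.23.47"))
    print(parse_range("192.168.20.0/22"))
    print(parse_range("2000:aa10:0:0:0:0:0:0/32"))
    print(login_allowed([("192.168.23.0", "192.168.23.255")], "192.168.23.7"))
```

The version check in `in_range` matters because a group's IPv4 and IPv6 ranges are separate settings: an IPv6 client must never be matched against an IPv4 range, and comparing the two in `ipaddress` would raise rather than return False.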


Allow A6 prefix: If the group has been given access to IP Addresses (see above) and an A6 prefix is input into this textbox, the group members are allowed to create IPv6 addresses beginning with that prefix into A6 DNS records.


Copying a group

A group can be copied by clicking the "Copy group" link in the navigation menu. A new group name can be entered in the input field displayed. Default name is the original with "_copy" suffix. The users of the original group are not copied to the new one.


Submit buttons

After entering new data for a group, press the OK button to perform the change. If you wish to remove a group, press Remove.

When copying a group, a Copy button is displayed instead, which performs the copy.

Tags

Access to objects can be restricted by ticking "Access to object by tag" under the section "Restrict access to zones based on tag values" and by specifying a set of tags that are associated with the group. A user belonging to a group with tag restrictions can then only access objects that carry at least one of the specified tags.

If a user belongs to several groups with tag-based access restrictions, the set of tags that grants the user access is the union of the tags specified in all of those groups. If the user belongs to at least one group that has no tag-based restriction, the user is considered to have no tag-based restrictions at all: a single unrestricted group membership overrides the tag restrictions of every other group the user is in.
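The two rules above (union of tags across restricted groups, and any unrestricted membership voiding tag restrictions entirely) are easy to get wrong when reviewing group membership. The Python below is an added example for this page, not NameSurfer's own logic; the `(restricted, tags)` tuple per group and the sample users are a constructed representation of the "Access to object by tag" checkbox and its tag list. It computes a user's effective tag set and flags users whose side membership in an unrestricted group silently removes their tag restrictions.

```python
def effective_tags(memberships):
    """Tags that grant a user tag-based access, derived from their groups.

    memberships: iterable of (tag_restricted: bool, tags: set[str]), one
    per group the user belongs to (an assumed representation of the
    'Access to object by tag' checkbox and its tag list).
    Returns None when at least one group is unrestricted (the page's rule:
    the user then has no tag-based restriction at all); otherwise the
    union of all groups' tag sets. An empty set means no tagged object is
    reachable through tags.
    """
    tags = set()
    for restricted, group_tags in memberships:
        if not restricted:
            return None
        tags |= set(group_tags)
    return tags


def can_access(memberships, object_tags) -> bool:
    """An object is reachable if it carries at least one granted tag,
    or if the user is not tag-restricted at all."""
    granted = effective_tags(memberships)
    if granted is None:
        return True
    return bool(granted & set(object_tags))


def unrestricted_by_side_membership(users):
    """Audit helper: users who belong to some tag-restricted group but
    whose membership in an unrestricted group voids those restrictions.

    users: {username: [(restricted, tags), ...]} (constructed shape).
    """
    return sorted(
        name for name, groups in users.items()
        if any(r for r, _ in groups) and any(not r for r, _ in groups)
    )


# Constructed sample: two tag-restricted groups ('finance', 'hr') and one
# 'viewers' group with no tag restriction, shared by three users.
SAMPLE_USERS = {
    "alice": [(True, {"finance"}), (True, {"hr"})],
    "bob":   [(True, {"finance"}), (False, set())],
    "carol": [(True, {"hr"})],
}


if __name__ == "__main__":
    for name, groups in SAMPLE_USERS.items():
        print(name, effective_tags(groups))
    print("tag restrictions voided for:", unrestricted_by_side_membership(SAMPLE_USERS))
```

In the sample, alice reaches anything tagged finance or hr, carol only hr, and bob, despite sitting in the finance group, is unrestricted because of the viewers group; `unrestricted_by_side_membership` is the check to run after any membership change.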

Please see the separate documentation about tagging for more information.