Assign Administrator Roles


Applies To: Windows Server 2012 R2, Windows Server 2012

Checklist: Assign Roles > Configure IPAM Server Roles > Assign Administrator Roles

Important

IPAM in Windows Server 2012 R2 includes a role-based access control feature that provides fine-grained control over the procedures that IPAM users are able to perform. Role-based access control only adds permissions to a user's existing access; an access policy cannot deny a permission. If a user is already permitted to perform a procedure because they are a member of one or more of the IPAM administrator groups described in this topic, that permission remains in effect even if a role-based access policy grants them only limited rights. If you have deployed IPAM on Windows Server 2012 R2, use the access control feature available in that version instead. Assign IPAM administrator roles using the procedures in this topic only if you do not need fine-grained access control for IPAM tasks. For more information, see Access Control.

Membership in the Administrators group, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (https://go.microsoft.com/fwlink/?LinkId=83477).

Assigning IPAM administrator roles

Use the following procedure to assign IPAM administrator roles using the built-in local security groups on the IPAM server:

To assign IPAM administrator roles

  1. On the IPAM server, click Tools on the Server Manager menu and then click Computer Management.

  2. In the Computer Management console tree, open Local Users and Groups and then click Groups. The following local IPAM security groups are displayed:

    • IPAM Administrators: IPAM administrators can view all IPAM data and manage all IPAM features.

    • IPAM ASM Administrators: IPAM address space management (ASM) administrators can manage IP address blocks, ranges, and addresses.

    • IPAM IP Audit Administrators: IPAM IP audit administrators can view IP address tracking data.

    • IPAM MSM Administrators: IPAM multi-server management (MSM) administrators can manage DNS and DHCP servers.

    • IPAM Users: IPAM users can view information in IPAM, but cannot manage IPAM features or view IP address tracking data.

  3. To add a user or group to one of these IPAM groups, double-click the group, click Add, type the user or group name under Enter the object names to select, and then click OK.

  4. Verify that the user you added is displayed under Members.

  5. To remove a user or group from the group, click the user under Members and then click Remove.

  6. To add or remove another user or group, repeat this procedure.

  7. Click OK when you are finished, and then close the Computer Management console.
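The same membership changes can be scripted and, more usefully, audited. The following PowerShell is an added example and is not part of the original topic or of the IPAM product. It uses the ADSI WinNT provider because that is what is available on Windows Server 2012 and 2012 R2 (the Add-LocalGroupMember cmdlet only ships with later releases). Run it from an elevated PowerShell session on the IPAM server. The domain CONTOSO, the group IPAM-ASM-Ops and the user jdoe are hypothetical names used only for illustration.

```powershell
# Added example (not from the original topic): manage and audit membership of the
# IPAM local security groups with the ADSI WinNT provider on Windows Server 2012 / 2012 R2.
# Run in an elevated PowerShell session on the IPAM server.
# Assumed (hypothetical) principals: domain CONTOSO, group IPAM-ASM-Ops, user jdoe.

$IpamGroups = @(
    'IPAM Administrators',
    'IPAM ASM Administrators',
    'IPAM IP Audit Administrators',
    'IPAM MSM Administrators',
    'IPAM Users'
)

function Get-LocalGroupAdsi {
    # Binds to a local group on this server and fails loudly if the name is wrong,
    # so a mistyped group name cannot turn into a silent no-op.
    param([Parameter(Mandatory)][string]$Name)
    $path = "WinNT://$env:COMPUTERNAME/$Name,group"
    if (-not [ADSI]::Exists($path)) { throw "Local group '$Name' not found on $env:COMPUTERNAME" }
    return [ADSI]$path
}

function Get-IpamGroupMembership {
    # Lists every member of each IPAM group as DOMAIN\Name, with its object class (user or group).
    foreach ($g in $IpamGroups) {
        $group = Get-LocalGroupAdsi -Name $g
        foreach ($m in @($group.psbase.Invoke('Members'))) {
            $adsPath = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
            $class   = $m.GetType().InvokeMember('Class',   'GetProperty', $null, $m, $null)
            [pscustomobject]@{
                Group  = $g
                Member = (($adsPath -replace '^WinNT://', '') -replace '/', '\')
                Class  = $class
            }
        }
    }
}

function Set-IpamGroupMember {
    # Adds or removes one domain user or group in one IPAM group (steps 3 and 5 of the procedure).
    param(
        [Parameter(Mandatory)][ValidateSet('Add', 'Remove')][string]$Action,
        [Parameter(Mandatory)][string]$Group,
        [Parameter(Mandatory)][string]$Domain,
        [Parameter(Mandatory)][string]$Name
    )
    if ($IpamGroups -notcontains $Group) { throw "'$Group' is not an IPAM security group" }
    $local = Get-LocalGroupAdsi -Name $Group
    $local.psbase.Invoke($Action, "WinNT://$Domain/$Name")
}

function Find-IpamOverlappingMembership {
    # Rights granted by these groups are additive. A principal in IPAM Administrators plus a
    # narrower group gets full access regardless of the narrower group; a principal in several
    # narrower groups gets the union of their rights. Report both so they can be reviewed.
    Get-IpamGroupMembership |
        Group-Object -Property Member |
        Where-Object { $_.Count -gt 1 } |
        ForEach-Object {
            $groups = @($_.Group | ForEach-Object { $_.Group })
            [pscustomobject]@{
                Member = $_.Name
                Groups = ($groups -join ', ')
                Note   = if ($groups -contains 'IPAM Administrators') {
                             'Full IPAM access; the other memberships are redundant'
                         } else { 'Effective rights are the union of these groups' }
            }
        }
}

# Grant the hypothetical CONTOSO\IPAM-ASM-Ops group address space management rights,
# then verify membership (step 4) and look for overlapping grants.
Set-IpamGroupMember -Action Add -Group 'IPAM ASM Administrators' -Domain 'CONTOSO' -Name 'IPAM-ASM-Ops'
Get-IpamGroupMembership | Format-Table -AutoSize
Find-IpamOverlappingMembership | Format-Table -AutoSize -Wrap
```

Prefer adding domain groups rather than individual users, so that access is reviewed in one place. Note that this audit covers only the five IPAM groups; members of the local Administrators group on the IPAM server can also modify the server inventory and perform common management tasks, so review that group as well.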

The following table summarizes IPAM actions and functions that are permitted or denied with membership in the specified security group. Access rights are additive if a user or group is a member of multiple security groups.

Security Group                 Server Inventory   IP Address Space   Monitor and Manage   Event Catalog   IP Address Tracking   Common Management Tasks
IPAM Administrators            Manage             Manage             Manage               View            View                  Manage
IPAM ASM Administrators        Manage*            Manage             View                 View            Denied                Manage
IPAM IP Audit Administrators   Manage*            View               View                 View            View                  Manage
IPAM MSM Administrators        Manage*            View               Manage               View            Denied                Manage
IPAM Users                     View               View               View                 View            Denied                View

* If the Group Policy-based automatic provisioning method is used, GPO access permission must be delegated to add or remove servers from GPO security filtering.

Common management tasks include:

  • Connect to an IPAM server

  • IPAM settings:

    • Configure server discovery

    • Configure custom fields

    • Configure utilization threshold

  • Start server discovery

  • Retrieve all server data

Members of the local Administrators group on the IPAM server also have permission to modify the server inventory and perform common management tasks.

If a user does not have sufficient privileges to perform an action, they receive an error message specific to the action they attempted.

See Also

IPAM Server