Access Control
Applies To: Windows Server 2012 R2
This topic contains information and procedures you can use to configure role based access control in IPAM. Role based access control is new in IPAM in Windows Server 2012 R2. You cannot configure role based access control on an IPAM server running Windows Server 2012.
Also see Configure Role Based Access Control in the IPAM deployment guide.
Role-based access control consists of roles, access scopes, and access policies:
Roles: A role is a collection of IPAM operations. You can associate a role with a user or group in Windows using an access policy. Several built-in roles are provided, but you can also create customized roles to meet your business requirements.
Access scopes: An access scope determines the objects that a user has access to. You can use access scopes to define administrative domains in IPAM. For example, you might create access scopes based on geographical location. By default, IPAM includes an access scope of Global. All other access scopes are subsets of the Global access scope. Users or groups that are assigned to the Global access scope have access to all objects in IPAM that are permitted by their assigned role.
Access policies: An access policy combines a role with an access scope to assign permission to a user or group. For example, you might define an access policy for user1 with a role of IP Block Admin and an access scope of Global\Asia. As a result, user1 has permission to edit and delete IP address blocks that are associated with the Asia access scope. This user will not have permission to edit or delete any other IP address blocks in IPAM.
Important
Access control settings add permissions for an IPAM user or administrator to their existing set of permissions. You cannot deny permissions for a user or administrator using access control. For example, if a user is a member of the IPAM Administrators group on the local IPAM server, then they will have unrestricted access to IPAM and any access control settings that are configured will not affect this user.
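The following added example, which is not IPAM code, models in Python how roles, access scopes, and access policies combine into an allow decision, including the additive-only rule and the IPAM Administrators override described above. The scope name Branch, the account contoso\user2, the IP Block Admin operation names, and the rule that a policy on any parent scope covers its nested scopes (the page states this only for Global) are assumptions.

```python
from dataclasses import dataclass

# Constructed sample roles; "Edit DHCP scope" is the operation named on this
# page, the IP Block Admin operation names are assumed for illustration.
ROLES = {
    "DHCP Scope Editor": {"Edit DHCP scope"},
    "IP Block Admin": {"Edit IP address block", "Delete IP address block"},
}

@dataclass(frozen=True)
class AccessPolicy:
    principal: str      # user or group, e.g. contoso\user1
    role: str           # key into ROLES
    access_scope: str   # e.g. \Global\Branch

# Constructed sample policies (Branch and user2 are hypothetical names).
POLICIES = [
    AccessPolicy("contoso\\user1", "DHCP Scope Editor", "\\Global\\Branch"),
    AccessPolicy("contoso\\user2", "IP Block Admin", "Global\\Asia"),
]

def scope_covers(granted: str, target: str) -> bool:
    """True if target is the granted scope or is nested beneath it.

    Compares whole path segments, so \\Global\\Asia does not cover
    \\Global\\AsiaPacific.
    """
    g = granted.strip("\\").lower().split("\\")
    t = target.strip("\\").lower().split("\\")
    return t[:len(g)] == g

def is_allowed(principals, operation, object_scope, policies):
    """principals: the user's account name plus the groups it belongs to."""
    names = {p.lower() for p in principals}
    # IPAM Administrators members are unrestricted; policies cannot narrow this.
    if "ipam administrators" in names:
        return True
    # Policies only add permissions: one matching grant is enough, and
    # there is no deny entry that could remove a grant.
    return any(
        p.principal.lower() in names
        and operation in ROLES.get(p.role, set())
        and scope_covers(p.access_scope, object_scope)
        for p in policies
    )
```

When reviewing a deployment, the override branch is the one to check first: an account that also belongs to IPAM Administrators passes every check regardless of the access policies written for it.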
Configure access control
The following is an example of how to configure a new user role, access scope, and access policy. After configuring an access policy, verify that the user only has permissions that are assigned using these settings. You must have at least one DHCP scope and IPAM user account available to test the access control settings.
Create new user role named DHCP Scope Editor with only Edit DHCP Scope permission
Click ACCESS CONTROL, right-click Roles, and then click Add User Role.
Type DHCP Scope Editor next to Name.
Expand DHCP scope operations to view the list of all available operations.
Select only the Edit DHCP scope operation, and then click OK.
Create a new access scope under the Global access scope
Right-click Access Scopes and then click Add Access Scope.
Click New, type a name for the access scope next to Name, click Add, and then click OK.
Set the access scope on a DHCP Scope
Click DHCP Scopes, right-click a DHCP scope, and then click Set Access Scope.
Clear the Inherit access scope from parent checkbox.
Click the access scope you created under Global, and then click OK.
Verify that \Global\<access scope> is displayed under Access Scope.
Create an access policy for a user and assign the DHCP Scope Editor role for the custom access scope
Click ACCESS CONTROL, right-click Access Policies, and then click Add Access Policy.
Click Add, type <domain>\<user>, for example: contoso\user1, and then click OK.
Tip
If you didn’t create a user account to test, create it before proceeding. You must be able to sign in with this account’s credentials.
Under Access Settings, click New.
Under Select role, choose DHCP Scope Editor.
Under Select the access scope for the role, click the access scope you created, click Add Setting, verify that the new role and access scope are displayed under Access Settings, and then click OK.
Sign in on the IPAM server with the user account and verify that this user is only able to perform the operations assigned by the DHCP Scope Editor role and only on the specified DHCP scope
Sign out or switch users on the IPAM server, and then sign in with the user account that was assigned access control settings.
Launch Server Manager and click IPAM.
Click DHCP Scopes, right-click a scope that is not a member of the access scope permitted by the access policy that you created, for example \Global, and then click Edit DHCP Scope.
Change the Scope name and then click OK.
Review the error message displayed. Under Details, a message is displayed indicating that the user does not have privileges to perform this action. Click Cancel.
Right-click a DHCP scope that is a member of the access scope granted to the user account, and then click Edit DHCP Scope.
Change the Scope name and then click OK.
Verify that the operation is successful.
Sign out and then sign in again with IPAM Administrator privileges.