Creating Approval Workflows for Users with Taskbar Permissions

The purpose of this document is to help the community in creating a limited-access permissions group
that requires approvals for adding DNS or DHCP data via the Tasks sub-menu located in the Dashboards
area of the GUI. This document takes information from different areas of the NIOS Administration
Guide and the specific chapters of the NIOS Administration Guide are referenced if you require
additional information. The Infoblox Grid Manager GUI has a help context located on the right side of
the GUI screen for main areas and the pop-up wizards if you need assistance during configuration.
Planning
We need a plan to configure the Infoblox Grid Manager for these users, so the most important question
is – what are the common actions associated with these users? Are they going to be entering IP
addresses for printers, adding networks, creating DNS Host or CNAME records? Once you have
determined the types of entries the users will be doing, we can then proceed forward with configuring
the Infoblox Grid Manager. The example users need access to all of those areas and we can now
proceed with configuring the product.
The major steps are:
1. Creating an IPAM Tasks template specifically for these users. There exists a default
template that can be used if you do not want to create one.
2. Create a limited-access permissions Group for these users using predefined roles and
only having access to the Dashboard area of the Infoblox Grid Manager.
3. Create local users and assign them to the newly created Group. (Instead of creating
local user accounts, you can configure the Infoblox Grid Manager to authenticate users
with one of the following services: Active Directory, LDAP, RADIUS or TACACS+. User
authentication with remote user datastores is beyond the purview of this document.
Please refer to the NIOS Administration Guide, Chapter 4, for this configuration.)
4. Create an Approval Workflow for the users belonging to the limited-access permissions
group.
Step One: IPAM Tasks Template (NIOS Administrator Guide, Chapter 2, About Dashboard Templates)
Creating this template requires you click on the “Dashboards” area of the GUI, and then click on the
“Tasks” sub-menu. The configuration steps are:
1. From the Dashboards -> Tasks tab, click the Configure icon at the top right corner of a
task pack.
2. Select tasks from the Active Tasks table and use the left arrow to move them to the
Available Tasks table to hide them, and vice versa. Grid Manager shows the tasks placed
in the Active Tasks table.
3. At the top right corner of the Tasks Dashboard panel, click the Configure icon > Configure Template.
4. In the Dashboard template configuration section, click Create new template.
5. In the Save Dashboard Template dialog box, complete the following:
A. Name: Enter a name for the new dashboard template.
B. Locked: When you select this check box and assign this template to an admin
group, users in the admin group can only perform the tasks you define to
appear in the template. They cannot configure their dashboards. When you
clear this check box, users can still only see the tasks you configure for this
template, but they can configure tasks in the task packs on their dashboards.
When you lock a template, it applies to all users in the admin group, including
those with customized dashboards.
6. Click Save & Close.
Step Two: Limited-Access Permissions Group (NIOS Administrator Guide, Chapter 4, About Admin
Groups, Creating Limited-Access Admin Groups)
The second action is to create a group with limited-access permissions for these users. You create the
group in the Administration area of the GUI, and click on the Administrators sub-menu to select the sub-tab labeled “Groups”.
We create a group by clicking on the Groups sub-tab and pressing on the “+” icon in the GUI.
A wizard pops up to assist in the creation of this group with five steps to complete. To be fair, steps 1-4 are
required while step 5 is optional, but the wizard will step through the entire process.
1. Name the Group and add a comment if you wish. The name in this example is “Task
Bar”.
2. There are three options in this step:
A. Check the “Superusers” box for full-access to all Grid actions. Do not check this
box for this group.
B. A “Roles” table that has predefined permissions created for you. Click on the “+”
icon and select “DHCP Admin”, “DNS Admin” and “Grid Admin” when the Role
Selector dialogue window launches. You will have to execute this action three
separate times to add the roles.
C. Two checkboxes for “Allowed Interfaces”. The choices are “GUI” and “API”. If
your users will only be accessing the Infoblox Grid Manager via the GUI, check
the “GUI” box. If your users will be accessing the Infoblox Grid Manager via the
PERL or REST interfaces, check the “API” box.
3. This is where you restrict the group to using the Tasks area only in the GUI by clicking
the box labeled “Display Taskflow Dashboard Only”. To restrict users to specific tasks,
click the down arrow to select your created dashboard template or select “default” if
you did not create a template previously in Step One. (Note: You can always create the
dashboard template and apply it to the Group configuration at a later time.)
4. Add admin email addresses if you want to send approval workflow notifications to a list
of email addresses by clicking on the “+” icon and Grid Manager adds a row to the table.
5. Optional. Add extensible attribute data for easier searching in the database by
attribute. For example, if you had a value of “Help Desk Admins” for an extensible
attribute labeled “Department”, you could conduct a global search against
“Department” and the value would display. (Further information on Global Search and
Extensible Attributes can be found in the NIOS Administration Guide, Chapters 1 and 7).
We also have to add a custom permission to this group allowing them access to the dashboard tasks.
You create this custom permission in the Administration area of the GUI, and click on the Administrators
sub-menu to select the sub-tab labeled “Permissions”.
Click on the “+ Create New Permission” icon in the GUI and select Global Permissions. A permissions
wizard will appear and we will be adding our custom group permission.
1. Select the Group Permission radio button, and press on the down arrow to select the
name of the limited-access Group you created in Step 2.
2. Click on the down arrow next to Permission Type and select “Grid Permissions”. The
table underneath will display all the possible Grid Permissions to choose from.
3. Find the Grid Permission titled “All Dashboard Tasks” and check the box under the
column labeled “Read/Write”.
4. Click on “Save & Close” to save the custom group permission.
Step Three: Local User Creation (NIOS Administrator Guide, Chapter 4, Creating Local Admins)
Now we have to create a local user that belongs to the newly created group. You create the user in the
Administration area of the GUI, and click on the Administrators sub-menu to select the sub-tab labeled
“Admins”.
We create a user by clicking on the Groups sub-tab and pressing on the “+” icon in the GUI.
A wizard pops up to assist in the creation of this group with two steps to complete. Step 1 is required
while step 2 is optional, but the wizard will step through the entire process. The name of the sample
user is “task”.
1. The fields with the red asterisk next to them are required.
A. Login: Enter a username the user will use when logging in.
B. Password: Enter a password for the user when logging in.
C. Confirm Password: Re-enter the same password.
D. Email Address: Enter the email address for this administrator. Note that this address
simply provides contact information. The NIOS appliance does not send email
notifications to it. You define the email address for notifications in the grid
properties.
E. Admin Group: Click Select to specify an admin group. If there are multiple admin
groups, Grid Manager displays the Admin Group Selector dialog box from which you
can select one. A user can belong to only one admin group at a time.
F. Comment: Enter useful information about the user, such as location or department.
G. Disable: Select this check box to retain an inactive profile for this administrator in
the configuration. For example, you might want to define a profile for a recently
hired administrator who has not yet started work. Then when he or she does start,
you simply need to clear this check box to activate the profile.
2. Optional. Add extensible attribute data for easier searching in the database by
attribute.
Step Four: Approval Workflow (NIOS Administrator Guide, Chapter 1, Configuring Approval
Workflows)
The last action is to create an approval workflow which is tied to the limited-access group created in
Step Two. You create the group in the Administration area of the GUI, and click on the Workflow sub-menu.
Next, click on the Approval Workflows sub-tab and then click the “+” icon in the GUI to begin the
configuration.
A wizard pops up to assist in the creation with three steps to complete. Step 1 and 2 are required while
step 3 is optional, but the wizard will step through the entire process.
1. The fields with the red asterisk next to them are required.
A. Submitter Group: From the drop-down list, select the admin group whose
submitted tasks require approvals.
B. Approver Group: From the drop-down list, select the group that can approve tasks
submitted by admins of the submitter group.
C. Ticket Number: From the drop-down list, select whether the submitter must enter a
ticket number or not when submitting a task for approval. You can
select Required, Optional, or Not Used.
D. Submitter Comment: From the drop-down list, select whether the submitter must
enter a comment or not when submitting a task for approval. You can
select Required, Optional, or Not Used.
E. Approver Comment: From the drop-down list, select whether the approver must
enter a comment or not when approving a task. You can select Required, Optional,
or Not Used.
2. Adding notifications for approval workflows
A. Approver Notification Address(es): Select one of the following to specify to which
approver email addresses the appliance sends workflow notifications. The default
is Group Email Address(es).
I. Group Email Address(es): Select this if you want the appliance to send
notifications to the list of email addresses configured for the admin group.
II. User Email Address(es): Select this if you want the appliance to send
notifications to individual email addresses of the admin group.
B. Notifications sent on: Select the operations that can trigger email notifications.
When you select an operation, the appliance sends a notification each time that
operation occurs. By default, all operations are selected.
C. Approval Required: The appliance sends an email notification each time an approval
is required.
D. Task Approved: The appliance sends an email notification each time a task is
approved.
E. Task Rejected: The appliance sends an email notification each time a task is
rejected.
F. Task Succeeded: The appliance sends an email notification each time a task is
completed successfully.
G. Task Failed: The appliance sends an email notification each time the execution of a
task fails.
H. Task Rescheduled: The appliance sends an email notification each time a task is
being rescheduled.
I. Notifications sent to: For each operation, select whether the Approver, Submitter,
or Both are notified when the operation occurs. The default value is Both for all
operations.
3. Optional. Add extensible attribute data for easier searching in the database by
attribute.
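A pre-flight check of the four steps above, as an added example that is not part of the original document or of Infoblox's own tooling: it audits a planned configuration, written down as a hypothetical Python dict (not a NIOS export or API schema), for the settings this guide relies on. The group and template names other than “Task Bar”, and the check that the approver group differs from the submitter group, are assumptions added here.

```python
import copy

# Added example. The dict layout is a hypothetical planning worksheet, not a
# NIOS export format or API schema; all sample values are constructed.
GOOD_PLAN = {
    "groups": {
        "Task Bar": {"superuser": False, "dashboard_only": True,
                     "template": "helpdesk-tasks", "email_addresses": [],
                     "rw_grid_permissions": ["All Dashboard Tasks"]},
        "DNS Approvers": {"email_addresses": ["approvers@example.com"]},
    },
    "templates": {"helpdesk-tasks": {"locked": True}},
    "workflows": [{"submitter_group": "Task Bar",
                   "approver_group": "DNS Approvers",
                   "notify_address": "group"}],
}

def audit_plan(plan, submitter):
    """Return findings for the planned limited-access group `submitter`."""
    findings = []
    group = plan["groups"][submitter]
    if group["superuser"]:
        findings.append("Superusers is checked on the limited-access group")
    if not group["dashboard_only"]:
        findings.append("'Display Taskflow Dashboard Only' is not checked")
    if "All Dashboard Tasks" not in group["rw_grid_permissions"]:
        findings.append("'All Dashboard Tasks' Read/Write permission is missing")
    # The built-in "default" template is not listed in the plan, so it is skipped.
    template = plan["templates"].get(group["template"])
    if template is not None and not template["locked"]:
        findings.append("dashboard template is not Locked")
    flows = [w for w in plan["workflows"] if w["submitter_group"] == submitter]
    if not flows:
        findings.append("no approval workflow names this group as Submitter Group")
    for flow in flows:
        approver = flow["approver_group"]
        if approver == submitter:
            findings.append("Approver Group is the same as Submitter Group")
        elif (flow["notify_address"] == "group"
              and not plan["groups"][approver]["email_addresses"]):
            findings.append("approver group has no email addresses for notifications")
    return findings

def weak_plan():
    """GOOD_PLAN with an unlocked template and self-approval (constructed)."""
    plan = copy.deepcopy(GOOD_PLAN)
    plan["templates"]["helpdesk-tasks"]["locked"] = False
    plan["workflows"][0]["approver_group"] = "Task Bar"
    return plan
```

Calling `audit_plan(weak_plan(), "Task Bar")` returns one finding per gap; an empty list means the plan matches the settings described in Steps One through Four.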
Testing
We test the configuration of the limited-access permissions by logging in as the test user and performing
the addition of a DNS Host. Take a look at the screen shots below to validate the IPAM Tasks template,
group permissions, user and approval workflow configurations were correctly done, and also how the
approval screens present information to the approving user groups.
By following the steps in this document you can create a limited-access permissions group that requires
approvals for adding DNS or DHCP data via the Tasks sub-menu located in the Dashboards area of the
GUI.