Controlling access - User Guide - Micetro - 25.2.0

Micetro Admin Guide


Access control in Micetro is role-based. Users and groups do not have direct access to objects (servers, zones, scopes, IP addresses, etc.) unless they are assigned to roles. Roles are configured with permissions, which allow access to specific objects in the system, e.g., DNS zones, DHCP servers, appliances, etc.

Administrators can control a user or group’s access by assigning or removing them from roles.

A set of built-in roles is available that should cover most use cases. These are General roles, which are applied to all objects (present and future) in Micetro. Specific roles exist for use cases where per-object permissions are required.

Roles, users, and groups

The following rules define the relationships between groups, users, and roles:

  • Users and groups can be assigned to roles.
  • Groups can contain users.
  • Groups cannot contain groups.
  • Users from externally managed groups, such as Active Directory, cannot be added to local groups.
  • Users and groups can be assigned to any number of roles.

For more information about roles, users, groups, and permissions, and instructions on how to manage them, refer to the following:

To troubleshoot access control issues or to check the effective access of a user or group to a specific object, refer to Effective access.

Because Micetro’s access controls are role-based, permissions are configured on the role, and propagated to any user or group attached to the role. If needed, you can grant restricted access on a per-object basis. For more information, refer to Specific roles.
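During an access review, the membership rules and role propagation described above can be checked mechanically. The following Python is an added example, not Micetro code or its API. The `Directory` structure, all user, group and role names, and the sample data are constructed for illustration. Blocking permissions and per-object scoping of specific roles are not modeled.

```python
# Added illustration: a simplified model of the rules on this page.
# Not Micetro code; every name and value below is constructed.
from dataclasses import dataclass

@dataclass
class Directory:
    users: dict   # user name -> "local" or "external"
    groups: dict  # group name -> {"source": "local"|"external", "members": [...]}
    roles: dict   # role name -> list of assigned user or group names

def violations(d):
    """Return memberships that break the stated group rules."""
    found = []
    for gname, g in d.groups.items():
        for m in g["members"]:
            if m in d.groups:
                found.append(f"group {gname} contains group {m}")
            elif g["source"] == "local" and d.users.get(m) == "external":
                found.append(f"external user {m} in local group {gname}")
    return found

def role_members(d, role):
    """Map each user who reaches `role` to the paths that grant it."""
    paths = {}
    for principal in d.roles.get(role, []):
        if principal in d.groups:
            for m in d.groups[principal]["members"]:
                if m in d.users:  # one level only: groups cannot nest
                    paths.setdefault(m, []).append(f"group:{principal}")
        elif principal in d.users:
            paths.setdefault(principal, []).append("direct")
    return paths

def roles_of(d, user):
    """List every role a user holds, directly or through a group."""
    return sorted(r for r in d.roles if user in role_members(d, r))

# Constructed sample: "helpdesk" deliberately breaks two rules.
SAMPLE = Directory(
    users={"alice": "local", "bob": "local", "carol": "external"},
    groups={
        "dns-ops": {"source": "local", "members": ["alice", "bob"]},
        "ad-netadmins": {"source": "external", "members": ["carol"]},
        "helpdesk": {"source": "local", "members": ["carol", "dns-ops"]},
    },
    roles={"role-dns-edit": ["dns-ops", "alice"],
           "role-ipam-view": ["ad-netadmins", "bob"]},
)
```

A user listed with more than one path, such as `alice` here, keeps the role if only one of those assignments is removed, which is the usual reason a revocation appears not to take effect.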

The "administrator" user

The built-in, local "administrator" user exists outside of regular access controls. All permissions are enabled for this user (even if not attached to any role) and its permissions cannot be edited or overridden by any role. Refer to Blocking permissions.

The password for the "administrator" user is configured when the administrator logs in for the first time.

The "administrator" user cannot be removed from Micetro, and is always local, i.e., cannot be authenticated by single sign-on (SSO).

Failed login attempts

To protect users from brute-force password attacks, Micetro throttles unsuccessful login attempts.

Note: This only applies to internal Micetro users.

New objects

When a user imports or creates a new object (such as a DNS zone, record, DHCP scope, or address range) in Micetro, the object is configured for a certain default access based on the permissions for the object type. General roles configured with permissions for the object type will have automatic access to the object.

For instructions on managing object access, refer to Object access.