When creating or editing NS1 account users or teams, you are presented with a list of permission options related to different components of the system. This article explains each of those permission options.
NOTES
Some permissions apply only to the NS1 DDI platform as indicated below.
If a user or API key is assigned to a team, it inherits the team permissions, and all permissions set for the individual user or key are ignored.
The "Manage plan" option is obsolete.
Account admin:
- Manage account settings: allows the user or team to modify account admin contact information and general account settings
- Manage API keys: allows the user or team to view and create API keys in the NS1 portal and modify settings
- Manage IP whitelist: allows the user or team to add or remove IP whitelist records
- Manage payment methods: allows the user or team to view, add, and edit account payment methods
- Manage teams: allows the user or team to create and edit teams
- Manage users: allows the user or team to create and edit other users
- View activity log: allows the user or team to view the account activity log
- View invoices: allows the user or team to view account billing invoices
Monitoring:
- Manage jobs: allows the user or team to create and modify monitoring jobs
- Manage lists: allows the user or team to create and modify notification lists
- View jobs: allows to user or team to view current monitoring jobs
Data:
- Manage data feeds: allows the user or team to create and modify data feeds
- Manage data sources: allows the user or team to create and modify data sources
- Push to data feeds: allows the user or team to send updates to data feeds
Security:
- Manage global 2fa: allows the user or team to manage two-factor authentication settings for all users associated with the account
- Manage Active Directory 2fa (DDI only): allows the user or team to manage two-factor authentication settings for accounts with the Active Directory SSO integration enabled
- Manage DDNS (DDI only): allows the user or team to create and modify dynamic DNS (DDNS) configuration settings
- Manage Kerberos (DDI only): allows the user or team to manage Kerberos configuration settings
IPAM (DDI only):
- Manage IPAM: allows the user or team to manage IPAM networks & configuration settings
- View IPAM: allows the user or team to view IPAM networks & configuration settings
DHCP (DDI only):
- Manage DHCP: allows the user or team to manage DHCP configuration settings
- View DHCP: allows the user or team to view DHCP configuration settings
Service (DDI only):
- Manage config: allows the user or team to edit DDI service (i.e. container or node) configuration settings
- View config: allows the user or team to view DDI service (i.e. container or node) configuration settings
DNS permissions:
-
Manage Zones: allows the user or team to create and modify DNS zones
-
View Zones: allows the user or team to view existing DNS zones
- Allow by Default: If enabled, the user or team is granted access to all zones by default (except those explicitly listed under "denied zones"). If disabled, the user or team is denied access to all zones by default (except those listed under "allowed zones").
- Allowed zones: List of specific zones to which the user or team is explicitly allowed access. If "Allow by Default" is disabled, this list represents the only zones to which the user or team is granted access.
-
- Records allow: If you specify an "allowed zone," additional options appear in the modal allowing you to indicate specific records to which the user or team should be allowed or denied. Enter the zone and the record's domain name, select the record type, indicate whether or not to include subdomains, and select "Allow." The record appears in the "Records allow" list.
NOTE
When you deny access to all zones by default and then add an allowed zone:
(1) without any record overrides, you maintain access to all records;
(2) if you add an allowed record, then you deny access for all other records within that zone;
(3) if you add a denied record, then you can continue to edit all other records except that one
- Records allow: If you specify an "allowed zone," additional options appear in the modal allowing you to indicate specific records to which the user or team should be allowed or denied. Enter the zone and the record's domain name, select the record type, indicate whether or not to include subdomains, and select "Allow." The record appears in the "Records allow" list.
-
- Denied zones: List of specific zones to which the user or team is explicitly denied access. If "Allow by Default" is enabled, this list represents the only zones to which the user or team is denied access.
- Records deny: If you specify a "denied zone," additional options appear in the modal allowing you to indicate specific records to which the user or team should be allowed or denied. Enter the zone and the record's domain name, select the record type, indicate whether or not to include subdomains, and select "Deny." The record appears in the "Records denied" list.
- Records deny: If you specify a "denied zone," additional options appear in the modal allowing you to indicate specific records to which the user or team should be allowed or denied. Enter the zone and the record's domain name, select the record type, indicate whether or not to include subdomains, and select "Deny." The record appears in the "Records denied" list.
- Allowed zones: List of specific zones to which the user or team is explicitly allowed access. If "Allow by Default" is disabled, this list represents the only zones to which the user or team is granted access.
IPAM tagging (DDI only):
- Allow for Management: Optionally, enter a list of IPAM tags used to grant access for the user or team to specific IPAM objects containing the same tag. Each tag includes a name (required) and a value (optional). If just a name is provided, the user will have access to those objects with the matching name. If both a name and value are provided, select "Has value" and enter the associated value in which case both the tag and value must match in order to grant access.
- Deny Access: Optionally, enter a list of IPAM tags used to deny access for the user or team to specific IPAM objects containing the same tag. Each tag includes a name (required) and a value (optional). If just a name is provided, the user will be denied access to those objects with the matching name. If both a name and value are provided, select "Has value" and enter the associated value in which case the user or team is denied access only to those objects with the same tag and associated value.
DHCP tagging (DDI only):
- Allow for Management: Optionally, enter a list of DHCP tags used to grant access for the user or team to specific DHCP objects containing the same tag. Each tag includes a name (required) and a value (optional). If just a name is provided, the user will have access to those objects with the matching name. If both a name and value are provided, select "Has value" and enter the associated value in which case both the tag and value must match in order to grant access.
- Deny Access: Optionally, enter a list of DHCP tags used to deny access for the user or team to specific DHCP objects containing the same tag. Each tag includes a name (required) and a value (optional). If just a name is provided, the user will be denied access to those objects with the matching name. If both a name and value are provided, select "Has value" and enter the associated value in which case the user or team is denied access only to those objects with the same tag and associated value.