How to set Multi Tenant Access to objects programmatically?

[LukasIgel]

Hello everyone,

I would like to setup permissions and constraints in a way, so that multiple users can have acces to a possibly overlapping number of objects, M:N if you will. At the same time, I don't want to manually set constraints for each user. I would like to click on an object visually and assign users / usergroups which have access to it.

I've tried using tenants, but I don't see how to use them properly. You can assign only one tenant to a typical object, so those cannot represent users or user groups to implement m:n relations.

I also tried using contact assignments, because you can assign multiple contact assignments to the same object - site for example. But I don't know how to set up a generic permission for that. I try formulating it in plain speech, maybe someone can help me translating it into constraints:

"Permission: Gain access to all ressources (or more specifically all IP Prefix objects), whose assigned site has a contact assignment which represents the user (maybe user_slug==contact_slug)"

EDIT: Sounds like the permission system is not powerful enough for this to work. Also: $user does not seem to work in general. I've tried using the example from the documentation { "created_by": "$user" }

[candlerb]

I would like to click on an object visually and assign users / usergroups which have access to it.

I guess you could do this with tags.

You would create a separate permission corresponding to each tag, and then assign that permission to a group, and assign users to that group.

To grant access to an object, you'd add the appropriate tag to that object.

You'd clearly not want to grant modify access to the tags themselves, nor to which tags are set on an object.

[LukasIgel]

Thanks for the reply. If I understand this correctly, it would mean that I create a tag for each user (/ usergroup) and then assign them to objects? And then I would create a generic permission "gain access to all objects, which are assigned the tag==username"?

EDIT: I have read that you can access the current user in constraints via $USER, even though I don't know what exact value is assigned to it, maybe the user ID?

[candlerb]

And then I would create a generic permission "gain access to all objects, which are assigned the tag==username"?

I was thinking more "gain access to all objects, which are assigned the tag foo", then assign that permission to group Foo. Create a new permission for each group.

I didn't think about $user, and maybe that would work.

However, in general I think it makes more sense to assign AAA rights to groups rather than users. (If another user comes along from the same org who needs the same permissions, you don't want to have to duplicate all the permissions)

[LukasIgel]

Yeah, working with groups instead of individual users is the way to go. I was hoping that I could avoid static references like "gain access to all objects, which are assigned the tag foo" because then I would not need to create a permission for every single tag. That's why I am wondering about working with "generic" permissions

[candlerb]

Unlike custom validators, where you can write arbitrary python code, I don't think Netbox has the equivalent for permissions.

[LukasIgel]

I have also tried creating a custom field on the objects I want to manage: I've called it "User Access" and I want to fill it with a list of users.

Is it possible to write a generic permission saying "gain access to all (IP Prefix) objects, where the "User Access" field contains the current user?

[LukasIgel]

I've tried something like
{"custom_field_data__User_Access__include": $user}

but that's not valid JSON. Any idea?

[candlerb]

You need to quote $user. See the example at https://docs.netbox.dev/en/stable/administration/permissions/#user-token

[LukasIgel]

thanks, now it get's accepted syntactically. Do you have any experience using constraints in custom fields? Or maybe how to say "at least one element has to have the value X"? I see that there are some modifiers for constraints like "__in", "__gte", etc and was hoping for something like MyList.includes(ListElement)

[candlerb]

I'm afraid it's very basic, and not as powerful as you want it to be.

[LukasIgel]

Alright, thank you though for all your answers!