Object Hierarchy Constraints in NetBox Permissions #15426

Kani999 · 2024-03-14T08:18:08Z

Kani999
Mar 14, 2024

In NetBox, the ability to set permission constraints is crucial for maintaining access control within the platform. However, there seems to be a limitation when it comes to addressing related objects within these constraints. Specifically, while it's possible to define permissions based on attributes of the object, such as Device tags ({"device__tags__name": "netop"}), extending these permissions to related objects, like Interfaces, poses a challenge. ({"device__tag__name": "netop"} )

Consider the scenario where granting a user permission to edit a Device should inherently grant access to all Interfaces assigned to that device.
Despite the intuitive expectation, attempting to implement this hierarchy constraint leads to errors such as:

Invalid filter for <class 'dcim.models.device_components.Interface'>: Unsupported lookup 'tag' for ForeignKey or join on the field not permitted.

This limitation hinders the effective management of permissions within NetBox, as it restricts the granularity of access control that can be applied.

Therefore, I'm reaching out to the community for insights and examples on how to overcome this limitation and implement object hierarchy constraints effectively. Have you encountered similar challenges in managing permissions within NetBox? Do you have any examples or suggestions for achieving hierarchical permissions, particularly when dealing with related objects like interfaces?

Let's collaborate and share our experiences to enhance the access control capabilities of NetBox.

Answered by candlerb

Mar 14, 2024

Can you clarify exactly what you're trying to do?

On dcim.Interface, it seems you are saying that constraint "device__tags__name" works but "device__tag__name" doesn't work. Isn't that expected? device has an attribute tags but not tag.

# /opt/netbox/venv/bin/python /opt/netbox/netbox/manage.py nbshell
...
>>> d=Device.objects.get(name="gw1")
>>> d.tags
<taggit.managers._TaggableManager object at 0x7f7263f34580>
>>> d.tag
Traceback (most recent call last):
  File "<console>", line 1, in <module>
AttributeError: 'Device' object has no attribute 'tag'

View full answer

candlerb · 2024-03-14T09:40:33Z

candlerb
Mar 14, 2024

Can you clarify exactly what you're trying to do?

On dcim.Interface, it seems you are saying that constraint "device__tags__name" works but "device__tag__name" doesn't work. Isn't that expected? device has an attribute tags but not tag.

# /opt/netbox/venv/bin/python /opt/netbox/netbox/manage.py nbshell
...
>>> d=Device.objects.get(name="gw1")
>>> d.tags
<taggit.managers._TaggableManager object at 0x7f7263f34580>
>>> d.tag
Traceback (most recent call last):
  File "<console>", line 1, in <module>
AttributeError: 'Device' object has no attribute 'tag'

1 reply

Kani999 Mar 14, 2024
Author

Oh god, never mind. I missed that typo completely.
Everything works fine now.

Interface:

[
    {
        "device__role__name": "Server"
    },
    {
        "device__tags__slug": "test"
    }
]

Device:

[
    {
        "role__name": "Server"
    },
    {
        "tags__slug": "test"
    }
]

Now I can access all Devices and their interfaces with the constraints.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Object Hierarchy Constraints in NetBox Permissions #15426

Uh oh!

{{title}}

Uh oh!

Replies: 1 comment 1 reply

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Select a reply

Uh oh!

Object Hierarchy Constraints in NetBox Permissions #15426

Uh oh!

Kani999 Mar 14, 2024

Replies: 1 comment · 1 reply

Uh oh!

candlerb Mar 14, 2024

Uh oh!

Kani999 Mar 14, 2024 Author

Kani999
Mar 14, 2024

Replies: 1 comment 1 reply

candlerb
Mar 14, 2024

Kani999 Mar 14, 2024
Author