netbox-community-netbox/docs/administration/permissions.md

# Permissions

NetBox v2.9 introduced a new object-based permissions framework, which replaces Django's built-in permissions model. Object-based permissions enable an administrator to grant users or groups the ability to perform an action on arbitrary subsets of objects in NetBox, rather than all objects of a certain type. For example, it is possible to grant a user permission to view only sites within a particular region, or to modify only VLANs with a numeric ID within a certain range.

{!models/users/objectpermission.md!}

### Example Constraint Definitions

| Constraints | Description |
| ----------- | ----------- |
| `{"status": "active"}` | Status is active |
| `{"status__in": ["planned", "reserved"]}` | Status is active **OR** reserved |
| `{"status": "active", "role": "testing"}` | Status is active **AND** role is testing |
| `{"name__startswith": "Foo"}` | Name starts with "Foo" (case-sensitive) |
| `{"name__iendswith": "bar"}` | Name ends with "bar" (case-insensitive) |
| `{"vid__gte": 100, "vid__lt": 200}` | VLAN ID is greater than or equal to 100 **AND** less than 200 |
| `[{"vid__lt": 200}, {"status": "reserved"}]` | VLAN ID is less than 200 **OR** status is reserved |

## Permissions Enforcement

### Viewing Objects

Object-based permissions work by filtering the database query generated by a user's request to restrict the set of objects returned. When a request is received, NetBox first determines whether the user is authenticated and has been granted to perform the requested action. For example, if the requested URL is `/dcim/devices/`, NetBox will check for the `dcim.view_device` permission. If the user has not been assigned this permission (either directly or via a group assignment), NetBox will return a 403 (forbidden) HTTP response.

If the permission _has_ been granted, NetBox will compile any specified constraints for the model and action. For example, suppose two permissions have been assigned to the user granting view access to the device model, with the following constraints:

```json
[
    {"site__name__in":  ["NYC1", "NYC2"]},
    {"status":  "offline", "tenant__isnull":  true}
]
```

This grants the user access to view any device that is assigned to a site named NYC1 or NYC2, **or** which has a status of "offline" and has no tenant assigned. These constraints are equivalent to the following ORM query:

```no-highlight
Site.objects.filter(
    Q(site__name__in=['NYC1', 'NYC2']),
    Q(status='active', tenant__isnull=True)
)
```

### Creating and Modifying Objects

The same sort of logic is in play when a user attempts to create or modify an object in NetBox, with a twist. Once validation has completed, NetBox starts an atomic database transaction to facilitate the change, and the object is created or saved normally. Next, still within the transaction, NetBox issues a second query to retrieve the newly created/updated object, filtering the restricted queryset with the object's primary key. If this query fails to return the object, NetBox knows that the new revision does not match the constraints imposed by the permission. The transaction is then rolled back, leaving the database in its original state prior to the change, and the user is informed of the violation.
Drafted documentation for object-based permissions 2020-06-01 15:28:36 -04:00			`# Permissions`

Changelog & initial docs for #7649 2021-11-02 11:49:10 -04:00			`NetBox v2.9 introduced a new object-based permissions framework, which replaces Django's built-in permissions model. Object-based permissions enable an administrator to grant users or groups the ability to perform an action on arbitrary subsets of objects in NetBox, rather than all objects of a certain type. For example, it is possible to grant a user permission to view only sites within a particular region, or to modify only VLANs with a numeric ID within a certain range.`
Drafted documentation for object-based permissions 2020-06-01 15:28:36 -04:00
Clean up documentation build warnings 2021-09-15 11:46:58 -04:00			`{!models/users/objectpermission.md!}`
Drafted documentation for object-based permissions 2020-06-01 15:28:36 -04:00
Update permissions documentation 2020-06-03 10:00:58 -04:00			`### Example Constraint Definitions`
Drafted documentation for object-based permissions 2020-06-01 15:28:36 -04:00
Extend ObjectPermission constraints to OR multiple JSON objects 2020-08-06 15:53:23 -04:00			`\| Constraints \| Description \|`
			`\| ----------- \| ----------- \|`
			\| `{"status": "active"}` \| Status is active \|
			\| `{"status__in": ["planned", "reserved"]}` \| Status is active OR reserved \|
Fixes #6099: Correct example permission description 2021-04-07 15:50:24 -04:00			\| `{"status": "active", "role": "testing"}` \| Status is active AND role is testing \|
Extend ObjectPermission constraints to OR multiple JSON objects 2020-08-06 15:53:23 -04:00			\| `{"name__startswith": "Foo"}` \| Name starts with "Foo" (case-sensitive) \|
			\| `{"name__iendswith": "bar"}` \| Name ends with "bar" (case-insensitive) \|
			\| `{"vid__gte": 100, "vid__lt": 200}` \| VLAN ID is greater than or equal to 100 AND less than 200 \|
			\| `[{"vid__lt": 200}, {"status": "reserved"}]` \| VLAN ID is less than 200 OR status is reserved \|
Drafted documentation for object-based permissions 2020-06-01 15:28:36 -04:00
			`## Permissions Enforcement`

			`### Viewing Objects`

			Object-based permissions work by filtering the database query generated by a user's request to restrict the set of objects returned. When a request is received, NetBox first determines whether the user is authenticated and has been granted to perform the requested action. For example, if the requested URL is `/dcim/devices/`, NetBox will check for the `dcim.view_device` permission. If the user has not been assigned this permission (either directly or via a group assignment), NetBox will return a 403 (forbidden) HTTP response.

Refreshed admin docs 2020-08-03 11:42:24 -04:00			`If the permission _has_ been granted, NetBox will compile any specified constraints for the model and action. For example, suppose two permissions have been assigned to the user granting view access to the device model, with the following constraints:`
Drafted documentation for object-based permissions 2020-06-01 15:28:36 -04:00
			```json
			`[`
			`{"site__name__in": ["NYC1", "NYC2"]},`
			`{"status": "offline", "tenant__isnull": true}`
			`]`
			```

Refreshed admin docs 2020-08-03 11:42:24 -04:00			`This grants the user access to view any device that is assigned to a site named NYC1 or NYC2, or which has a status of "offline" and has no tenant assigned. These constraints are equivalent to the following ORM query:`
Drafted documentation for object-based permissions 2020-06-01 15:28:36 -04:00
			```no-highlight
			`Site.objects.filter(`
			`Q(site__name__in=['NYC1', 'NYC2']),`
			`Q(status='active', tenant__isnull=True)`
			`)`
			```

			`### Creating and Modifying Objects`

Refreshed admin docs 2020-08-03 11:42:24 -04:00			The same sort of logic is in play when a user attempts to create or modify an object in NetBox, with a twist. Once validation has completed, NetBox starts an atomic database transaction to facilitate the change, and the object is created or saved normally. Next, still within the transaction, NetBox issues a second query to retrieve the newly created/updated object, filtering the restricted queryset with the object's primary key. If this query fails to return the object, NetBox knows that the new revision does not match the constraints imposed by the permission. The transaction is then rolled back, leaving the database in its original state prior to the change, and the user is informed of the violation.