NetBox Toolkit Plugin - Permission Examples
This page provides complete step-by-step examples for setting up permissions for the NetBox Toolkit Plugin using NetBox's Object-Based Permission system.
Permission Example
Below are the groups that we will use for the permissions example. Each of these groups will be assigned specific permissions.
- Junior Network Engineers
- Senior Network Engineers
- Network Administrators
Desired User Matrix
The desired user capabilities for our example are as follows:
User Role | View Commands | Execute Show | Execute Config | Manage Commands | View Logs | Manage Logs |
---|---|---|---|---|---|---|
Junior Network Engineers | ✅ | ✅ (show only) | ❌ | ❌ | ✅ | ❌ |
Senior Network Engineers | ✅ | ✅ | ✅ | ❌ | ✅ | ❌ |
Network Administrators | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
Permission Design
Granular Permission Design
To achieve the above, we need to create reusable permissions that can then be assigned to multiple groups or users.
Here are the permissions we will set up:
Permission | Purpose | Applied to Groups |
---|---|---|
Command Toolkit - View Commands | View command list and details | All groups |
Command Toolkit - Execute Show Commands | Execute show/monitoring commands only | All groups |
Command Toolkit - Execute Config Commands | Execute configuration commands | Senior Engineers, Admins |
Command Toolkit - Manage Commands | Create, edit, delete commands | Admins only |
Command Toolkit - View Command Logs | View execution history | All groups |
Command Toolkit - Manage Command Logs | Manage log entries | Admins only |
Create Groups
We will now create the groups and permissions above and assign them to users.
Step 1: Create User Groups
- Navigate to Admin → Users → Groups
- Click + Add Group to create each of the following groups:
Group 1: Junior Network Engineers
- Name: Junior Network Engineers
- Permissions: Leave empty (we'll use NetBox Permissions)
- Save
Group 2: Senior Network Engineers
- Name: Senior Network Engineers
- Permissions: Leave empty (we'll use NetBox Permissions)
- Save
Group 3: Network Administrators
- Name: Network Administrators
- Permissions: Leave empty (we'll use NetBox Permissions)
- Save
Create Permissions & Assign to Groups
Navigate to Admin → Users → Permissions and create the following reusable permissions:
Permission 1: Toolkit - View Commands
- Name: Toolkit - View Commands
- Object Types: Select Command Toolkit | command
- Actions: Check view
- Additional Actions: Leave empty
- Groups: Select Junior Network Engineers, Senior Network Engineers, Network Administrators
- Enabled: ✓
- Save
Permission 2: Toolkit - Execute Show Commands
- Name: Toolkit - Execute Show Commands
- Object Types: Select Command Toolkit | command
- Actions: Leave the checkboxes empty
- Additional Actions: Type execute_show
- Groups: Select Junior Network Engineers, Senior Network Engineers, Network Administrators
- Enabled: ✓
- Save
Permission 3: Toolkit - Execute Config Commands
- Name: Toolkit - Execute Config Commands
- Object Types: Select Command Toolkit | command
- Actions: Leave the checkboxes empty
- Additional Actions: Type execute_config
- Groups: Select Senior Network Engineers, Network Administrators (NOT Junior Engineers)
- Enabled: ✓
- Save
Permission 4: Toolkit - Manage Commands
- Name: Toolkit - Manage Commands
- Object Types: Select Command Toolkit | command
- Actions: Check add, change, delete
- Additional Actions: Leave empty
- Groups: Select Network Administrators (ONLY Admins)
- Enabled: ✓
- Save
Permission 5: Toolkit - View Command Logs
- Name: Toolkit - View Command Logs
- Object Types: Select Command Toolkit | command log
- Actions: Check view
- Additional Actions: Leave empty
- Groups: Select Junior Network Engineers, Senior Network Engineers, Network Administrators
- Enabled: ✓
- Save
Permission 6: Toolkit - Manage Command Logs
- Name: Toolkit - Manage Command Logs
- Object Types: Select Command Toolkit | command log
- Actions: Check add, change, delete
- Additional Actions: Leave empty
- Groups: Select Network Administrators (ONLY Admins)
- Enabled: ✓
- Save
Assign Users to Groups
- Navigate to Admin → Users → Users
- Click on a user to edit them
- In the Groups section, select the appropriate group(s)
- Save
Advanced Examples with Constraints
Example 1: Restricted View and Execute Permissions
Scenario: Users can only view and execute the "show version" command specifically.
Permission 1: View Show Version Commands Only
Name: "Toolkit - View Show Version Commands Only"
Object Types: Command Toolkit | command
Actions: ✓ view
Additional Actions: (leave empty)
Constraints: {
  "command_type": "show",
  "name": "Show Version"
}
Groups: Junior Network Engineers
Permission 2: Execute Show Version Commands Only
Name: "Toolkit - Execute Show Version Commands Only"
Object Types: Command Toolkit | command
Actions: (leave unchecked)
Additional Actions: execute_show
Constraints: {
  "command_type": "show",
  "name": "Show Version"
}
Groups: Junior Network Engineers
Result: Users can only see and execute commands that:
- Are of type "show" (read-only operations)
- Have a command name that is exactly "Show Version"
Example 2: Platform-Specific Permissions
Scenario: Network team can only view and execute Cisco platform commands.
Permission 1: View Cisco Commands
Name: "Toolkit - View Cisco Commands"
Object Types: Command Toolkit | command
Actions: ✓ view
Constraints: {
  "platform__slug__in": ["cisco_ios", "cisco_nxos", "cisco_iosxr"]
}
Groups: Network Team
Permission 2: Execute Cisco Show Commands
Name: "Toolkit - Execute Cisco Show Commands"
Object Types: Command Toolkit | command
Additional Actions: execute_show
Constraints: {
  "command_type": "show",
  "platform__slug__in": ["cisco_ios", "cisco_nxos", "cisco_iosxr"]
}
Groups: Network Team
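To check what the constraints in Examples 1 and 2 actually match before assigning them, the following added example (not the plugin's or NetBox's own code) evaluates them against a constructed command list with a simplified matcher that supports only exact match and the `__in` lookup. The sample commands, the `config` command type value and the `juniper_junos` slug are assumptions made for illustration.

```python
# Added example: simplified evaluator for NetBox-style permission constraints.
# Supports only exact match and the __in lookup over nested fields; real
# NetBox hands the constraint to the Django ORM as a queryset filter.

def _resolve(obj, path):
    """Follow a Django-style field path such as platform__slug through dicts."""
    for part in path:
        if obj is None:
            return None
        obj = obj.get(part)
    return obj

def matches(obj, constraints):
    """Keys in one constraint object are ANDed; a list of objects is ORed."""
    if constraints is None:
        return True  # no constraint: the permission covers every object
    if isinstance(constraints, list):
        return any(matches(obj, c) for c in constraints)
    for key, expected in constraints.items():
        parts = key.split("__")
        if parts[-1] == "in":
            if _resolve(obj, parts[:-1]) not in expected:
                return False
        elif _resolve(obj, parts) != expected:  # exact, case-sensitive
            return False
    return True

def allowed(commands, constraints):
    """Names of the commands a permission with these constraints applies to."""
    return [c["name"] for c in commands if matches(c, constraints)]

# Constructed sample commands (assumed values, not from a real NetBox instance).
COMMANDS = [
    {"name": "Show Version", "command_type": "show", "platform": {"slug": "cisco_ios"}},
    {"name": "show version", "command_type": "show", "platform": {"slug": "cisco_nxos"}},
    {"name": "Show Interfaces", "command_type": "show", "platform": {"slug": "juniper_junos"}},
    {"name": "Set NTP Server", "command_type": "config", "platform": {"slug": "cisco_ios"}},
]

# Constraints copied from Examples 1 and 2 on this page.
SHOW_VERSION_ONLY = {"command_type": "show", "name": "Show Version"}
CISCO = ["cisco_ios", "cisco_nxos", "cisco_iosxr"]
VIEW_CISCO = {"platform__slug__in": CISCO}
EXEC_CISCO_SHOW = {"command_type": "show", "platform__slug__in": CISCO}

if __name__ == "__main__":
    print("Example 1:", allowed(COMMANDS, SHOW_VERSION_ONLY))
    print("Example 2 view:", allowed(COMMANDS, VIEW_CISCO))
    print("Example 2 execute_show:", allowed(COMMANDS, EXEC_CISCO_SHOW))
```

The run shows two things the constraint text alone does not: the name match in Example 1 is exact and case-sensitive, so a command named "show version" is excluded, and the view constraint in Example 2 also exposes Cisco configuration commands for viewing because only the execute permission filters on command_type.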
Example 3: Tag-Based Command Access
Scenario: Users can only access commands tagged as "safe" or "monitoring".