Define a configurable set of default permissions #8262

Closed
opened 2025-12-29 20:34:27 +01:00 by adam · 1 comment
Owner

Originally created by @jeremystretch on GitHub (Jun 28, 2023).

Originally assigned to: @jeremystretch on GitHub.

NetBox version

v3.5.4

Feature type

New functionality

Proposed functionality

Expose a new configuration parameter DEFAULT_PERMISSIONS defining a two-tuple of permission names and constraints. For example:

```python
DEFAULT_PERMISSIONS = (
    ("dcim.delete_site", {"status": "retired"}),
)
```

The defined permissions and constraints will apply to all authenticated users, obviating the need for an administrator to explicitly assign them. Administrators can define their own DEFAULT_PERMISSIONS to override or extend the default values.

At some point in the future, this might replace the need for the EXEMPT_VIEW_PERMISSIONS configuration parameter, however its deprecation is not implied by this proposal.

Use case

There are two specific use cases driving this proposal.

API Tokens

NetBox currently allows every user to manage their own API tokens via the web user interface, regardless of permissions assigned. There have been requests to restrict this ability, however to date no specific solution has been proposed.

This FR would unlock the ability to restrict token creation by setting the following default permissions:

```python
DEFAULT_PERMISSIONS = (
    ("users.add_token", {"user": "$user"}),
    ("users.change_token", {"user": "$user"}),
    ("users.delete_token", {"user": "$user"}),
)
```

These default permissions would grant the ability to each user to create, edit, and delete their own tokens, obviating the need for unique logic effecting this in the UI views. Administrators who wish to restrict this ability can override the DEFAULT_PERMISSIONS configuration parameter to remove these permissions.

Bookmarks

#8248 proposes the ability for users to bookmark arbitrary objects in NetBox for their convenience (similar to how a web browser allows its user to bookmark web pages). As bookmarks are only ever relevant to the user who owns them, it seems reasonable to grant all users permission to bookmark objects by default. Similar to API tokens, this could be done by declaring default permissions to this effect, which can be overridden by a local administrator if needed.

Database changes

None

External dependencies

None

adam added the status: accepted and type: feature labels 2025-12-29 20:34:27 +01:00
adam closed this issue 2025-12-29 20:34:27 +01:00
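A minimal sketch of how the default permissions proposed in the issue above could be evaluated, added here as an illustration and not taken from NetBox or from the issue author. `resolve`, `matches` and `is_allowed` are hypothetical helpers; constraints are reduced to exact attribute matches, objects are plain dicts, and a constraint of `None` on an assigned permission is assumed to mean "unconstrained".

```python
# Added illustration; not NetBox code. All helper names are hypothetical.
DEFAULT_PERMISSIONS = (
    ("users.add_token", {"user": "$user"}),
    ("users.change_token", {"user": "$user"}),
    ("users.delete_token", {"user": "$user"}),
)


def resolve(constraints, user):
    """Replace the "$user" placeholder with the requesting user."""
    return {k: (user if v == "$user" else v) for k, v in constraints.items()}


def matches(obj, constraints):
    """True if every constrained attribute of obj has the required value.

    Simplification: exact matches only, no lookup expressions.
    """
    return all(obj.get(k) == v for k, v in constraints.items())


def is_allowed(user, action, obj, assigned=(), defaults=DEFAULT_PERMISSIONS):
    """Check `action` on `obj` against default plus explicitly assigned permissions."""
    if not user:
        # Defaults apply to authenticated users only.
        return False
    for name, constraints in tuple(defaults) + tuple(assigned):
        if name == action and matches(obj, resolve(constraints or {}, user)):
            return True
    return False


# Constructed sample objects.
alice_token = {"id": 1, "user": "alice"}
bob_token = {"id": 2, "user": "bob"}

if __name__ == "__main__":
    print(is_allowed("alice", "users.delete_token", alice_token))  # own token
    print(is_allowed("alice", "users.delete_token", bob_token))    # someone else's
    # An administrator who overrides DEFAULT_PERMISSIONS with an empty tuple
    # removes the self-service grant entirely.
    print(is_allowed("alice", "users.delete_token", alice_token, defaults=()))
```
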
Author
Owner

@ITJamie commented on GitHub (Jun 28, 2023):

One possible permission addition on this: the ability to "view" tokens,
so that users with view permission could be allowed to view their existing tokens, but users without it would not be able to see their token strings in full.

If a user doesn't have the "view" they wouldn't be able to see their token strings in full (maybe allow the first few or last few characters).


Reference: starred/netbox#8262