starred/netbox
1
0
Fork 0
mirror of https://github.com/netbox-community/netbox.git synced 2026-01-11 21:10:29 +01:00
Code Issues 273 Packages Projects Releases 10 Wiki Activity

Restrict users permission to run specific scripts #9417

New Issue
Closed
opened 2025-12-29 20:49:31 +01:00 by adam · 8 comments
adam commented 2025-12-29 20:49:31 +01:00
Owner
Copy Link

Originally created by @llamafilm on GitHub (Mar 30, 2024).

NetBox version

v3.7.3

Feature type

Change to existing functionality

Proposed functionality

I would like to apply constraints to running scripts, so that each user can only run specific scripts.

Use case

We are starting to write a number of custom scripts, meant to be run via the WebUI, and want to enforce RBAC to scripts as we do for manual changes to the data (models).

For example, one script provides a customized form to create a new device, making it easier for our operators; this should be runnable by most users. Another script triggers a power cycle of a PDU outlet using an external API; this should be runnable only by admins.

Database changes

unsure

External dependencies

No response

Originally created by @llamafilm on GitHub (Mar 30, 2024). ### NetBox version v3.7.3 ### Feature type Change to existing functionality ### Proposed functionality I would like to apply constraints to running scripts, so that each user can only run specific scripts. ### Use case We are starting to write a number of custom scripts, meant to be run via the WebUI, and want to enforce RBAC to scripts as we do for manual changes to the data (models). For example, one script provides a customized form to create a new device, making it easier for our operators; this should be runnable by most users. Another script triggers a power cycle of a PDU outlet using an external API; this should be runnable only by admins. ### Database changes unsure ### External dependencies _No response_
adam added the type: feature label 2025-12-29 20:49:31 +01:00
adam closed this issue 2025-12-29 20:49:31 +01:00
adam commented 2025-12-29 20:49:31 +01:00
Author
Owner
Copy Link

@jeffgdotorg commented on GitHub (Apr 1, 2024):

Thanks for your feature request. You're on to a good idea but we need some revisions before we'll be able to accept the issue.

Specifically:

  • Please edit the original issue body to provide a more fully fleshed-out response for Use case.
  • Have a look at #12050 as a potential source of ideas and an example of a more appropriately detailed use case.
@jeffgdotorg commented on GitHub (Apr 1, 2024): Thanks for your feature request. You're on to a good idea but we need some revisions before we'll be able to accept the issue. Specifically: - Please edit the original issue body to provide a more fully fleshed-out response for **Use case**. - Have a look at #12050 as a potential source of ideas and an example of a more appropriately detailed use case.
adam commented 2025-12-29 20:49:32 +01:00
Author
Owner
Copy Link

@DanSheps commented on GitHub (Apr 16, 2024):

You can restrict the display of scripts by using permission constraints around scriptmodule/managedfiles. I do this right now.

I don't know if this is strictly needed. I think what is needed is a common framework around scriptmodule/managedfiles or to simply allow performing checks directly on the scrirpt to see if it is allowed to be displayed.

@DanSheps commented on GitHub (Apr 16, 2024): You can restrict the display of scripts by using permission constraints around scriptmodule/managedfiles. I do this right now. I don't know if this is strictly needed. I think what is needed is a common framework around scriptmodule/managedfiles or to simply allow performing checks directly on the scrirpt to see if it is allowed to be displayed.
adam commented 2025-12-29 20:49:32 +01:00
Author
Owner
Copy Link

@jeremystretch commented on GitHub (May 15, 2024):

I believe this is directly possible on NetBox v4.0 as scripts are now represents as database objects. @llamafilm could you please confirm and note any changes that may be necessary to support your use case?

@jeremystretch commented on GitHub (May 15, 2024): I believe this is directly possible on NetBox v4.0 as scripts are now represents as database objects. @llamafilm could you please confirm and note any changes that may be necessary to support your use case?
adam commented 2025-12-29 20:49:32 +01:00
Author
Owner
Copy Link

@github-actions[bot] commented on GitHub (May 23, 2024):

This is a reminder that additional information is needed in order to further triage this issue. If the requested details are not provided, the issue will soon be closed automatically.

@github-actions[bot] commented on GitHub (May 23, 2024): This is a reminder that additional information is needed in order to further triage this issue. If the requested details are not provided, the issue will soon be closed automatically.
adam commented 2025-12-29 20:49:32 +01:00
Author
Owner
Copy Link

@ziggekatten commented on GitHub (May 23, 2024):

As an workaround, we have been using permissions on class level in our scripts since 3.x. This is done by adding an variable in the Meta section with a permission name and a small function that validates towards permission model. Only drawback is that user see the script, can press run, but they will get an "not autorized" result back.

@ziggekatten commented on GitHub (May 23, 2024): As an workaround, we have been using permissions on class level in our scripts since 3.x. This is done by adding an variable in the Meta section with a permission name and a small function that validates towards permission model. Only drawback is that user see the script, can press run, but they will get an "not autorized" result back.
adam commented 2025-12-29 20:49:33 +01:00
Author
Owner
Copy Link

@llamafilm commented on GitHub (May 29, 2024):

I will test in v4 as soon as I can, but I’m currently unable to upgrade because of #16218.

@llamafilm commented on GitHub (May 29, 2024): I will test in v4 as soon as I can, but I’m currently unable to upgrade because of #16218.
adam commented 2025-12-29 20:49:33 +01:00
Author
Owner
Copy Link

@jeremystretch commented on GitHub (May 29, 2024):

Ok, I'll close this out as having been addressed. Once you're able to upgrade and test, please ask that it be re-opened if you find that what you're attempting to accomplish still is not possible.

@jeremystretch commented on GitHub (May 29, 2024): Ok, I'll close this out as having been addressed. Once you're able to upgrade and test, please ask that it be re-opened if you find that what you're attempting to accomplish still is not possible.
adam commented 2025-12-29 20:49:33 +01:00
Author
Owner
Copy Link

@llamafilm commented on GitHub (Jun 4, 2024):

I tested this in v4 and it looks like it is possible, but quite difficult to setup:

  • Create a permission with actions view & run for object type: Extras > Script and constraint: {"name": "AddDevice"}
  • Create a permission with actions view for object type: Core > Managed File and constraint: {"data_path": "scripts/add_device.py"}

After adding both of those permissions to a new user, he is able to view and run only that one script. So this is working how I want, but too complicated! I hope this can be simplified, so I could just allow a user to run a script, without all the extra details.

@llamafilm commented on GitHub (Jun 4, 2024): I tested this in v4 and it looks like it is possible, but quite difficult to setup: - Create a permission with actions `view` & `run` for object type: `Extras > Script` and constraint: `{"name": "AddDevice"}` - Create a permission with actions `view` for object type: `Core > Managed File` and constraint: `{"data_path": "scripts/add_device.py"}` After adding both of those permissions to a new user, he is able to view and run only that one script. So this is working how I want, but too complicated! I hope this can be simplified, so I could just allow a user to run a script, without all the extra details.
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels
beta
breaking change
complexity: high
complexity: low
complexity: medium
needs milestone
netbox
pending closure
plugin candidate
pull-request
Mirrored from GitHub Pull Request
 severity: high
severity: low
severity: medium
status: accepted
status: backlog
status: blocked
status: duplicate
status: needs owner
status: needs triage
status: revisions needed
status: under review
topic: GraphQL
topic: Internationalization
topic: OpenAPI
topic: UI/UX
topic: cabling
topic: event rules
topic: htmx navigation
topic: industrialization
topic: migrations
topic: plugins
topic: scripts
topic: templating
topic: testing
type: bug
type: deprecation
type: documentation
type: feature
type: housekeeping
type: translation
No Label type: feature
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
adam
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: starred/netbox#9417
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?