User to have read permission but edit/delete permission on objects they created

[the-c0d3r]

Hi, I am exploring netbox to be used for my company network infrastructure. I am looking for a way to let user have read permission by default on the devices, and able to add new device.

How do I make the permissions so that only users who created that device, or is the tenant, or is the contact person can be allowed to change or delete the device?

I thought this permission model should be very common, but I cannot find a way to do that using netbox constraints.

Docs on usertoken mentioned about the created_by field, but it seem to only apply to journal entries.

[candlerb]

The permissions model is not that flexible, but in generaI think it would be a bad idea to allow a device to be edited only by the person who created it: in most organizations people work in teams, and if person A is unavailable then person B should be able to do their job.

The closest you can get today is with tags: you could have a tag for each team. But even then, it's hard to enforce that every object created by a user must contain the tag for their own team.

[the-c0d3r]

My permission model is based on the tenants, and tenants can have full RW permission on the objects they are assigned to. What I wanted to do was that, they will also have read access on other stuff at the same site, and also can help add in objects. But they won't have the rights to modify or delete those created by users from other tenants, and only able to delete their own.

This means, Tenant group A has direct ownership on all the objects assigned to it, but only add and delete their own for other objects assigned to Tenant group B. My organisation is a bit small, so we cannot make the process to wait for certain people. We need to be able to help out and add certain things even though you may not be the one assigned for this role.

Please enlighten me if this approach is not workable.

[jeremystretch]

I thought this permission model should be very common

It's not, and for good reason as @candlerb points out above. I would urge you to seriously reconsider your intended permissions arrangement. NetBox supports custom validation rules that can be used to enforce arbitrary conditions when creating or editing an object, without sacrificing the flexibility afforded by its object-based permissions system.

[candlerb]

NetBox supports custom validation rules that can be used to enforce arbitrary conditions when creating or editing an object, without sacrificing the flexibility afforded by its object-based permissions system.

Although I don't think custom validators get the request context, so you can't vary the validation based on the person making the request.

[jeremystretch]

Correct, although coincidentally we're working on implementing that in #14279 for NetBox v4.0.