How to limit Admin to use other user's secret?

[alicechiou]

Hi Team,
We created a job that allows users to choose their own secret to connect to a network device and then make some configuration changes.
But we found one question here, if the user who has admin access, he can use everyone's secret connect to the devices, that is very dangerous.
Even we tried to set the permission for restricting the admin user only can use their own secret, that doesn't work.
Do you have any suggestions for restricting admin users to only use their own secrets?
Thanks.

[jdrew82]

It sounds like you should most likely have another group for 'admin" users that has restricted permissions. In the world of Nautobot an "admin" user is essentially equivalent to root or a superuser user on Linux systems so is given unrestricted access to everything.

[alicechiou]

Is it possible we can have another group they are not "admin" but they have permission to set object permission to other user?
Seems we also can't limit admin to execute the job.

[nkallergis]

What is the actual problem that you're trying to solve? Asking because the path you're taking seems more and more like a rabbit hole...

[jdrew82]

@alicechiou yes, you'd simply give that group the users.add_permission or users.change_permission permissions.

[alicechiou]

Hi @jdrew82 , thanks for the reply,
We create another group with the STAFF role and grant the group users.add_permission or users.change_permission permissions.
But I have another permissions issue here, if I want to restrict users to only the secrets they create, how do I set the constraints? It seems that the secret object does not have a "created_by" field.

https://private-user-images.githubusercontent.com/39262687/329102291-85fb9c4d-41eb-4dfd-bb9f-339b0a340031.png?jwt=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJnaXRodWIuY29tIiwiYXVkIjoicmF3LmdpdGh1YnVzZXJjb250ZW50LmNvbSIsImtleSI6ImtleTUiLCJleHAiOjE3MTUzMDMxMDEsIm5iZiI6MTcxNTMwMjgwMSwicGF0aCI6Ii8zOTI2MjY4Ny8zMjkxMDIyOTEtODVmYjljNGQtNDFlYi00ZGZkLWJiOWYtMzM5YjBhMzQwMDMxLnBuZz9YLUFtei1BbGdvcml0aG09QVdTNC1ITUFDLVNIQTI1NiZYLUFtei1DcmVkZW50aWFsPUFLSUFWQ09EWUxTQTUzUFFLNFpBJTJGMjAyNDA1MTAlMkZ1cy1lYXN0LTElMkZzMyUyRmF3czRfcmVxdWVzdCZYLUFtei1EYXRlPTIwMjQwNTEwVDAxMDAwMVomWC1BbXotRXhwaXJlcz0zMDAmWC1BbXotU2lnbmF0dXJlPTAwOGJhMzQ4YWRmYWMxZjM0N2VhNjg3ZmFkNWIyNDYzNTg0YjA3NDAzYWQxM2QwZmQ1MTE2NWY2N2FmM2IyNmImWC1BbXotU2lnbmVkSGVhZGVycz1ob3N0JmFjdG9yX2lkPTAma2V5X2lkPTAmcmVwb19pZD0wIn0.sp3LYiz-UzSWy7FLotGm-JRZV4ZGo1GCZxQV7iYbmSI

[alicechiou]

Hi @jdrew82 , thanks for the reply,
We create another group with the STAFF role and grant the group users.add_permission or users.change_permission permissions.
But I have another permissions issue here, if I want to restrict users to only the secrets they create, how do I set the constraints? It seems that the secret object does not have a "created_by" field.