Skip to content

Authentication & Permissions

Object-Based Permissions

NetBox boasts a very robust permissions system which extends well beyond the model-based permissions of the underlying Django framework. Assigning permissions in NetBox involves several dimensions:

  • The type(s) of object to which the permission applies
  • The users and/or groups being granted the permissions
  • The action(s) permitted by the permission (e.g. view, add, change, etc.)
  • Any constraints limiting application of the permission to a particular subset of objects

The implementation of constrains is what enables NetBox administrators to assign per-object permissions: Users can be limited to viewing or interacting with arbitrary subsets of objects based on the objects' attributes. For example, you might restrict a particular user to viewing only those prefixes or IP addresses within a particular VRF. Or you might restrict a group to modifying devices within a particular region.

Permission constraints are declared in JSON format when creating a permission, and operate very similarly to Django ORM queries. For instance, here's a constraint that matches reserved VLANs with a VLAN ID between 100 and 199:

[
  {
    "vid__gte": 100,
    "vid__lt": 200
  },
  {
    "status": "reserved"
  }
]

Check out the permissions documentation for more information about permission constraints.

LDAP Authentication

NetBox includes a built-in authentication backend for authenticating users against a remote LDAP server. The installation documentation provides more detail on this capability.

Single Sign-On (SSO)

NetBox integrates with the open source python-social-auth library to provide myriad options for single sign-on (SSO) authentication. These include:

  • Cognito
  • GitHub & GitHub Enterprise
  • GitLab
  • Google
  • Hashicorp Vault
  • Keycloak
  • Microsoft Azure AD
  • Microsoft Graph
  • Okta
  • OIDC

...and many others. It's also possible to build your own custom backends as needed using python-social-auth's base OAuth, OpenID, and SAML classes. You can find some examples of configuring SSO in NetBox' authentication documentation.