At IPXO, we understand the importance of ensuring that only authorized personnel have access to certain data within the platform. To address this need, IPXO offers a robust feature that empowers you to create distinct User Roles, thereby restricting specific views and securing sensitive information.

How to use Role-Based Access Control?

Under each tenant, the first user will have a predefined “Owner” role and, therefore, will have access to all platform features, including RPKI, DNS, billing, and more:

Only users with an “Owner” role will be able to create, edit, and delete different roles and assign them to other users. Please note that more than one user can have the “Owner” role.

How to create a user “Role”?

Within the “Settings and Billing” section, the “Owner” can access the “Roles” tab to create distinct roles for other users.

When the “Owner” clicks the “Create” button, a side tab appears, allowing the “Owner” to establish a new “Role”, assign it a name, and determine the specific permissions associated with that role.

“Roles” have permissions for different Application Programming Interfaces (APIs), including Billing, DNS, RPKI, Subnet Quarantine, Geo Updater, and Sales. These permissions define which views in the portal the user will have access to.

It is possible to disable permissions for an API or grant “Read” or “Read & Modify” access. All permissions are initially set to “Disabled”, and the person with the “Owner” role will need to enable them for the “Role”:

After the “Owner” clicks on the “Create” button, the new “Role” will be generated and displayed on the dashboard.

By default, no specific permissions are required to access a user's profile and company information assigned to them. Therefore, even with a restricted role, access to profiles and company information remains available.

Please note that over time, as the Billing API is split into more APIs, additional permission APIs will appear under available permissions.

Billing API permission

The Billing API is the primary permission that grants access to most of the IPXO portal, as it includes the management of leased and monetized subnets. We recommend always enabling this API fully because without it, it will not be possible to manage leased and monetized subnets.

Certain actions across the IPXO portal will be hidden if the user has only “Read” permission for the Billing API.

Marketplace

If “Read” access is enabled, you can use the search feature.

If “Read & Modify” access is enabled, or you have the “Owner” role, then you can:

  • Request custom terms
  • Add subnets to the cart:
  • Submit the Subnet Request Form (requires Sales API permission):
  • Add credit:

My Leased IPs

When only “Read” access is granted, you have the capability to filter and download CSV and PDF files.

If “Read & Modify” access is enabled, or you have the “Owner” role, then you can:

  • Download Letter of Authorization (LoA), Assign subnets, Order a Subnet:
  • Use the “Pay Now” function:
  • Use the “Multi-select” tool and perform actions with it:
  • Revoke ASN, Terminate the subnet, and/or Cancel Termination:
  • Make a Payment:
  • Access to “Subnet Details” is permitted, although specific actions within this section will be restricted to only the “Owner” role:
  • Revoke Assignment:

My Monetized IPs

If only “Read” access is enabled, users will not be able to upload any subnets, and as a result, this tab will remain hidden.

If “Read & Modify” access is enabled, or you have the “Owner” role, then you can:

  • Add subnets for monetizing:
  • Request a termination for leased subnets and terminate subnets which are not leased:
  • Access “Subnet Details” to edit and regenerate the ID. However, please note that specific actions within this section are restricted to users with the “Owner” role.

Account > Waiting list:

  • You will be able to add subnets (requires sales API permission):

Account > Settings > Company:

If “Read & Modify” access is enabled, or you have the “Owner” role, then you can:

  • Add a new company:
  • Edit/Delete a company:
  • Change/Remove a company logo:
  • Update the compliance form:

Marketplace Billing

If “Read & Modify” access is enabled, or you have the “Owner” role, then you can:

  • Pay for Invoices:
  • Add/Update/Delete Payment or Payout Methods:

Please note that changing the payout method requires the Billing API permission.

DNS Management API Permission

The DNS API provides access to DNS management functions within the “My Leased IPs” section. When a user possesses only “Read” permissions for the DNS API, certain actions will be concealed.

If “Read & Modify” access is enabled, or you have the “Owner” role, then you can:

  • Enable PTR Management/NS Management for single or multiple subnets:
  • Update/Disable/Delete/Enable PTR or NS management:
  • View the NS page, Delete, and/or Update:
  • View the PTR page, Delete, and/or Update:

RPKI Management API Permission

The RPKI API facilitates access to RPKI management features within the “My Monetized IPs” section. If a user possesses solely “Read” permissions for the RPKI API, specific actions will be concealed.

If “Read & Modify” access is enabled, or you have the “Owner” role, then you can:

  • Delegate RPKI management to IPXO:
  • Within the “Subnet Issued ROA” tab, you can assign ROAs:
  • Within the “ORG ROA Suggestions” section, if the organization is delegated to IPXO, the actions “Add” and “Remove” will be concealed:

Geo Updater API Permission

The Geo Updater API provides access to the update function within “My Leased IPs” > “GEO Data.” Users can access this page even if they have only “Read” or “Read and Modify” billing permissions enabled. However, the “Update” action will be concealed if a user has “Read” or “Disabled” permissions for the Geo Updater. Additionally, “Read” permission grants access to view the last updated column status.

If “Read & Modify” access is enabled, or you have the “Owner” role, then you can:

  • Update Geo Data:

Subnet Quarantine API Permission

The Subnet Quarantine API provides access to the list of quarantined subnets within “My Monetized IPs.” However, the view of this list will be concealed if the “Owner” has disabled the Subnet Quarantine permission:

Sales API Permission

Sales API grants access to “My Waiting list”. The view will be hidden if the user has disabled Sales API permission.

With this API permission, the user will also be able to request to “Submit Subnet Request Form”:

Users

Only users with the “Owner” role can access/modify the Permissions list page.

Permissions

Only users with the “Owner” role can access/modify the Permissions list page.

Integrations

Only users with the “Owner” role can access/modify the Integrations list page.

Users Page

The Users view displays a comprehensive list of all users and the specific roles assigned to each user.

Please note that it is possible to change the “Role” for each user if needed:

In conclusion, Role-Based Access Control (RBAC) at IPXO is designed to enhance data security and user management. By creating distinct User Roles, you can control access to sensitive information, ensuring that only authorized personnel can view and modify specific data within the platform.

If you have any questions or require further assistance, please don't hesitate to reach out to our dedicated Customer Solutions Team.

Empower your organization with RBAC and fortify your data security with IPXO.