The access control is divided up into three layers and revolves around the creation of groups:
Firstly you will need to create users and groups using the admin user defined in the config.php script. The admin user can only be used on the admin pages. Once you are done with the admin functions, you will be required to re-authenticate as one of the newly created users as soon as you access functions on the main index page.
When a customer is created, a group must be assigned to the customer. This will be the customers admin group and all members of this group can create and delete both subnets, ranges, areas and individual IP address records for the customer.
When the subnet is created, the creator will choose a subnet admin group.
The users assigned to the group that has subnet access can only modify individual IP records for that subnet.
Initially I would create three groups, one group that can create customers, one group that can create subnets, areas and ranges, and another group which can only modify individual IP records. Normally in large networks the people that modify IP records are not the same people that administer routers and configure the IP address space.
If a group is set to see only a particular customer, the same group needs to be used for all operations for the customer. The side effect to this is that the users assigned to the group have full access to the customer and can make any changes to the customers data, including creating and deletion of subnets. This is not ideal and will be changed in future.
Groups can be created that prevent certain users from changing an administrator defined number of reserved addresses at the start of a subnet.
Areas of responsibility can be assigned to a group, thus limiting what address space a group can create networks in. The default behavior allows administration anywhere. Care should be taken when using this feature as changing the boundaries at a later stage may orphan some parts of the database and yield data inaccessible.
If a user belongs to multiple groups and one of the groups does not have boundaries defined, then the user is granted all access. Thus boundaries are a sum of all the boundaries the user belongs to.
Bounds are also useful to create users that only have read access to the IPplan information. Select the "Read Only" option when creating a new group.