Folks,

I am attempting to implement RackTables in a production shared colo/DC environment. One of my goals is to allow customers to look at and modify their own equipment (Objects) and network information. After some serious struggling, I think I have the basics of the RackCode-based permissions system down. Here's what I've come up with:

    # User Specific Permissions
    allow {$userid_1}
    allow {Administrators}

    # Customer Access Permissions
    # Global Permissions for Customers
    deny {$tab_tags}
    deny {$page_ipv4space} and {$tab_manage}
    deny {$page_rack} and ( {$tab_tags} or {$tab_design} or {$tab_edit} )
    deny not {customer admin} and not {$tab_default}
    allow {$tab_default} and ( {$page_index} or {$page_rackspace} or {$page_ipv4space} or {$page_ipaddress} )

    # Customer Specific Permissions
    allow {Cust1 Users} and {Cust1 Assets}
    allow {Cust2 Users} and {Cust2 Assets}

For this, I have the following tags:

    Administrative Groups
        Administrators (4)
        customer admin (4)
        customer viewer (2)
    Assets
        Cust1 Assets (18)
        Cust2 Assets (9)
    Customers
        Cust1 Users (2)
        Cust2 Users (4)

The users are as follows:

    Cust1Viewer (customer viewer, Cust1 Users)
    Cust1Admin (customer admin, Cust1 Users)
    ...

This works as intended in some places, but I've found several places that present problems:

1. While I can allow users to get into $page_ipv4space and $page_ipv4, I cannot allow them into $page_ipaddress because the ownership of a network does not propagate to individual addresses. Allowing access to ANY $page_ipaddress page will allow them to manually change the "ip=" value and edit other customers' addresses (Not a Good Thing (tm)).

2. There is no method by which to force the filters on individual pages (or pull-downs) such that users ONLY see their Objects, racks, etc. associated with a specific tag. This IS handled in a round-about way on $page_rackspace, where racks owned by people other than the user are blacked out, but as we grow the datacenter, that too will become a bit of a needle-in-the-haystack problem. Utilizing the page filters in a forceful way (e.g. administratively turning on a filter for "Cust1 Assets" on pages being accessed by "Cust1 Users") would work much better and present a cleaner interface for the end user. Ideally this would also be applied to the pull-downs for Objects, interfaces, etc.

3. There's no way (I think) to force a tag on objects created by a user or allow inheritance of permissions in some way. For instance, I'd like to force any Object created by "Cust1 Users" to have the tag "Cust1 Assets" forced on. This would allow the user to create his objects for the equipment he is wanting installed in his cabinet prior to shipping, alleviating my staff from having to do all this manually. The customer can then ship the equipment to us and we already know where it goes, how it's cabled, etc.

There are several other things that have cropped up, but these are the major issues that are going to prevent me from fully implementing this package in this environment.

Can somebody tell me if there are solutions for any of these problems? The documentation on RackCode is a bit thin :^) so I'm not sure if I'm simply missing some features or if these things literally don't exist. I may try scratching my own itch here, but I gotta tell you it'll take me forever because I haven't written any serious code in over a decade.

TIA
Don
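
The gap described in problem 1, as an added example that is not part of the original post and is not RackTables code: a simplified Python model of a first-match, default-deny rule chain in which a request for an address page inherits the tags of the most specific network containing that address. The networks, their tags and the function names are constructed for illustration, and the rule list is a reduced subset of the one posted.

```python
import ipaddress

# Constructed sample data: network -> tags, modelled on the tag tree in the post.
NETWORK_TAGS = {
    "10.1.0.0/24": {"Cust1 Assets"},
    "10.2.0.0/24": {"Cust2 Assets"},
    "10.0.0.0/8": set(),  # provider supernet, deliberately untagged
}

def inherited_tags(ip):
    """Tags of the most specific network containing ip (empty set if none)."""
    addr = ipaddress.ip_address(ip)
    best = None
    for cidr in NETWORK_TAGS:
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best.prefixlen):
            best = net
    return set(NETWORK_TAGS[str(best)]) if best else set()

# Reduced rule chain: the first matching rule decides, no match means deny.
RULES = [
    ("allow", lambda c: "Administrators" in c),
    ("deny",  lambda c: "$tab_tags" in c),
    ("allow", lambda c: "Cust1 Users" in c and "Cust1 Assets" in c),
    ("allow", lambda c: "Cust2 Users" in c and "Cust2 Assets" in c),
]

def permitted(context):
    """Evaluate the chain against the set of tags describing one request."""
    for verdict, predicate in RULES:
        if predicate(context):
            return verdict == "allow"
    return False

def may_open_address(user_tags, ip, tab="$tab_default", inherit=True):
    """Build the context for a $page_ipaddress request and evaluate it."""
    context = set(user_tags) | {"$page_ipaddress", tab}
    if inherit:
        # Hypothetical propagation step: the address takes its network's tags,
        # so changing the "ip=" value also changes what the rules see.
        context |= inherited_tags(ip)
    return permitted(context)
```

With `inherit=False` the customer rules never match an address page, which is the behaviour the post reports; with inheritance the same rules allow a customer's own addresses and deny everyone else's.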