Domains Overview

In Junos Space Network Management Platform, a domain is a logical mapping of objects, such as devices, device templates, and CLI Configlets, to users who access and manage the network by using these objects. Junos Space Platform allows a hierarchical structure for domains. The top-level domain is called the Global domain. You can create a hierarchy of up to five levels of subdomains under the Global domain, with each subdomain associated with only one parent domain. You can use these subdomains to create easily manageable sections of your network. When you assign objects and users to these subdomains, users can manage these objects partially or completely based on the roles assigned to them. Objects created in a domain are assigned to the same domain.

Using Junos Space Platform, you can create objects with the same name across domains; however, domains at the same hierarchy level cannot share the same name. The domain association is displayed in fully qualified domain name (FQDN) format in the Domain column of all workspaces.

You can create the following objects with the same name across domains:

  • Templates and template definitions

  • CLI Configlets, configuration views, XPath, regular expressions, and configuration filters

  • Report definitions

  • Images, script bundles, and operations

Users can be assigned to multiple domains. Objects are assigned to the domain to which the user is logged in currently. Junos Space Platform lets you assign multiple objects from the same workspace to a domain simultaneously. The domain to which an object is assigned is displayed in the Domain column on the inventory page of the workspace. This is displayed as an absolute path.

The default Super Administrator “super” has full permissions to all subdomains. You need not manually assign new subdomains to this Super Administrator. You need to assign the Global domain to all users who are added to the Junos Space Platform database with the Super Administrator role.

You cannot delete the Global domain from Junos Space Platform. Junos Space Platform also does not allow you to delete a domain if subdomains are associated with that domain.

You can view predefined objects in a Junos Space Platform or Junos Space application workspace in addition to the objects that are assigned to the domain in which you are currently operating. To access workspaces on a Junos Space application that is installed on Junos Space Platform, the workspaces must be domain aware. Only domain-aware workspaces of an application can be accessed from the subdomains. When you switch between domains, you could lose access to workspaces if the application is not domain aware.

Note:

If you access the Junos Space Platform UI in two tabs of the same browser with two different domains selected and access the same page in both tabs, the information displayed on the page is based on the latest domain selected. To view pages that are accessible only in the Global domain, ensure that you are in the Global domain in the most recent tab in which you are accessing the UI.

The following sections explain the rules to access objects across domains and how device partitions are used to manage subdomains:

Accessing Objects In and Across Domains

Junos Space Platform allows you to access objects across domains based on the roles you are assigned and the domains you are assigned to.

The following rules apply while accessing objects across domains in Junos Space Platform:

  • Objects can be assigned to only one domain.

  • Objects can be moved from one domain to another.

  • Objects across domains can share the same name.

  • You can view objects from the parent domain only in read-only mode and only if the parent domain allows its objects to be viewed by its subdomains.

  • You can view and execute tasks on objects in a subdomain if the object is provided with appropriate permissions.

  • You cannot modify or delete objects in a parent domain if you have read-only access, even if you have the necessary permissions to modify those objects.

  • You can view and perform actions only on the objects assigned to the domain to which you are currently logged in. You can view objects from other accessible domains if the “Manage objects from all assigned domains” flag is set as a user preference. To set this flag, click the User Settings icon on the Junos Space banner.

  • If you have read/write privileges to objects in a subdomain, you can perform read/write operations on the objects in the subdomain even if the subdomain is not explicitly assigned to you.

  • If you have read-only privileges to objects in a subdomain, you can perform only read operations on the objects in the subdomain.

  • If you have read-only access to objects in the parent domain, you cannot perform write operations even if you have read/write privileges on these objects by virtue of the roles assigned to you.

  • If you do not have read-only access to objects in the parent domain, the objects in the parent domain are not visible to you in the subdomain.

In addition to the default rules to access objects assigned to domains, you can also use the “Allow users of this domain to have read and execute access to parent domain objects” flag to provide read permissions to all users in the domain when you create a domain. This flag provides both read and execute access to the objects in the parent domain.

If you use this flag, you can access the following objects that have read and execute permissions:

  • Device templates and template definitions

  • CLI Configlets, configuration views, configuration filters, XPath, and regular expressions

  • Images, scripts, operations, and script bundles

  • Report definitions

Device Partitions

Use device partitions to share physical interfaces, logical interfaces, and physical inventory of devices among multiple subdomains. Device partitions are supported only on M Series and MX Series routers.

Consider the following restrictions when working with device partitions:

  • You can assign only one partition of a device to a subdomain; you cannot assign multiple partitions of the same device to a subdomain.

  • You can assign one partition each from multiple devices to a subdomain.

  • You can partition a device only if the device is currently assigned to the Global domain.

  • To assign a partition to a subdomain, the root device should be part of the Global domain.

For example, consider device D1 with partitions P1, P2, and P3; device D2 with partitions P1a and P2a; and Global, dom1, and dom2 to be the available domains in Junos Space. The following assignments of partitions are valid:

  • P1 to dom1

  • P1a to dom1

  • P2 to dom2

  • P2a to dom2

  • P3 to Global (default)

The following assignments are invalid: P1 and P2 to dom1 or P1a and P2a to dom2.

To assign a partition to a subdomain, the root device must be part of the Global domain.
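The restrictions above can be checked mechanically before an assignment plan is applied. The following is an added example, not part of the Junos Space documentation or product: the function name and data layout are hypothetical, the sample data is constructed from the D1/D2 example in the text, and it assumes that partitions left in the Global domain are not subject to the one-partition-per-device limit, because the restriction is stated for subdomains.

```python
from collections import defaultdict

GLOBAL = "Global"


def validate_partition_assignments(partitions, device_domain, assignments):
    """Return a list of violations of the device-partition rules.

    partitions:    {partition name: root device name}
    device_domain: {device name: domain the root device is assigned to}
    assignments:   {partition name: domain the partition is assigned to}
    """
    violations = []
    # (device, subdomain) -> partitions of that device placed in that subdomain
    per_device_subdomain = defaultdict(list)

    for part, domain in sorted(assignments.items()):
        device = partitions.get(part)
        if device is None:
            violations.append(f"{part}: unknown partition")
            continue
        # Rule: the root device must be part of the Global domain.
        if device_domain.get(device) != GLOBAL:
            violations.append(
                f"{part}: root device {device} is not in the Global domain")
        # Assumption: partitions kept in Global (the default) are not counted.
        if domain != GLOBAL:
            per_device_subdomain[(device, domain)].append(part)

    # Rule: at most one partition of a given device per subdomain.
    for (device, domain), parts in sorted(per_device_subdomain.items()):
        if len(parts) > 1:
            violations.append(
                f"{domain}: multiple partitions of {device} assigned "
                f"({', '.join(parts)})")
    return violations


# Constructed data mirroring the D1/D2 example in the text.
PARTITIONS = {"P1": "D1", "P2": "D1", "P3": "D1", "P1a": "D2", "P2a": "D2"}
DEVICE_DOMAIN = {"D1": GLOBAL, "D2": GLOBAL}
VALID = {"P1": "dom1", "P1a": "dom1", "P2": "dom2", "P2a": "dom2", "P3": GLOBAL}
INVALID = {"P1": "dom1", "P2": "dom1", "P1a": "dom2", "P2a": "dom2", "P3": GLOBAL}

if __name__ == "__main__":
    print(validate_partition_assignments(PARTITIONS, DEVICE_DOMAIN, VALID))
    for violation in validate_partition_assignments(
            PARTITIONS, DEVICE_DOMAIN, INVALID):
        print(violation)
```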

Table 1 lists the actions that you can or cannot perform on a device partition:

Table 1: Tasks Supported on Device Partitions

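| Task Group | Task Name | Device Partition Support | Notes |
|---|---|---|---|
| Device Configuration | Review/Deploy Configuration | No | |
| Device Configuration | View/Edit Configuration | No | |
| Device Configuration | View Active Configuration | Yes | Configuration details are not filtered on the basis of the partitioning. |
| Device Configuration | Resolve Out-of-band Changes | No | |
| Device Configuration | View/Assign Shared Objects | No | |
| Device Configuration | View Configuration Change Log | Yes | Configuration details are not filtered on the basis of the partitioning. |
| Device Configuration | View Template Deployment | No | |
| Device Configuration | View/Edit Unmanaged Device Configuration | No | |
| Device Inventory | Export Physical Inventory | No | |
| Device Inventory | View Associated Scripts | Yes | |
| Device Inventory | View License Inventory | No | |
| Device Inventory | View Logical Interfaces | Yes | |
| Device Inventory | View Physical Interfaces | Yes | |
| Device Inventory | View Physical Inventories | Yes | |
| Device Inventory | View Script Execution | Yes | |
| Device Inventory | View Inventory Change | Yes | |
| Device Inventory | View Software Inventory | No | |
| Device Operations | Create LSYS | No | LSYS should be managed only on the root device. |
| Device Operations | Delete Devices | No | You cannot delete a device partition from the subdomain. |
| Device Operations | Looking Glass | No | |
| Device Operations | Put in RMA State | No | This action can be performed only on the root device. |
| Device Operations | Reactivate from RMA | No | This action can be performed only on the root device. |
| Device Operations | Synchronize with Network | No | This action can be performed only on the root device. |
| Device Operations | Execute Script | Yes | |
| Device Operations | Apply CLI Configlet | Yes | |
| Device Access | Modify Authentication | No | This action can be performed only on the root device. |
| Device Access | Launch Device WebUI | No | This action can be performed only on the root device. |
| Device Access | SSH to Device | No | This action can be performed only on the root device. |
| Device Access | Resolve Key Conflict | No | This action can be performed only on the root device. |
| | Managed Customized Attribute | No | |
| | Delete Private Tags | No | |
| | Tag It | No | |
| | Un Tag It | No | |
| | View Tags | No | |
| | Filter by CSV | Yes | |
| | Clear All Selection | Yes | |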

You can assign device partitions to a domain or move the device partition from one domain to another. To assign a device partition to a domain or move a device partition from one domain to another, right-click the device partition and select Assign Partition to Domain.

You can assign devices to a domain. To do so, right-click the device and select the Assign Device to Domain task. You cannot move devices with partitions to a subdomain. If you do so, the Assign Device to Domain job fails.

Assignment of Objects to Domains

Objects in Junos Space Platform workspaces are assigned to at least one of the available domains.

The following rules apply while managing objects in the various workspaces:

  • Templates—Templates and template definitions are created in the domain that you are currently operating in. When you create a template, you can select a template definition from the same domain or a parent domain if you have access to the parent domain. You can deploy templates on devices if they are in the same domain or if devices belong to other accessible domains and the “Manage objects from all assigned domains” flag is set as a user preference. To set this flag, click the User Settings icon on the Junos Space banner. Also, you can deploy templates that are inherited from the parent domain to the devices in the accessible domains.

  • CLI Configlets—CLI Configlets are assigned to the domain that you are currently operating in. You can apply CLI Configlets to devices if they belong to the same domain or if the devices belong to other accessible domains and the “Manage objects from all assigned domains” flag is set as a user preference. You can assign and deploy CLI Configlets that are inherited from the parent domain to the devices in the current domain.

  • Images and Scripts—Images and scripts are assigned to the domain that you are currently operating in. You can stage, deploy, or perform any action on images and scripts for only those devices that belong to the same domain or if the devices belong to other accessible domains and the “Manage objects from all assigned domains” flag is set as a user preference. You can also inherit images and scripts from the parent domain and perform some actions such as staging on devices in the current domain and other accessible domains.

  • Configuration Files—Configuration files are created in the domain to which the device is currently assigned. If a device is moved from one domain to another, configuration files are also automatically moved to the respective domain. This workspace does not display objects inherited from the parent domain if the “Manage objects from all assigned domains” flag is set as a user preference.

  • Jobs—Jobs are associated with the domain from which you initiate jobs. You can view jobs from other domains that are assigned to you if the “Manage objects from all assigned domains” flag is set as a user preference.

  • Audit Logs—Audit logs are generated in the domain from which the user initiated the actions. You can view audit logs from other domains that are assigned to you if the “Manage objects from all assigned domains” flag is set as a user preference.

  • Role Based Access Control—The Roles page is not available in the subdomains. You can create users only when you are logged in to the Global domain. You can assign users to a domain when or after you create user accounts.

  • Administration—You can access the complete Administration workspace only if you are logged in to the Global domain.

  • Reports—Report definitions are assigned to the domain in which they are created. You can generate reports by using the definition in the inherited domain or the current domain.

Note:

Global search displays objects that match the search query from the current domain, child domains, and parent domain (if the user has read-only access to the parent domain). If an object in the search results is in a different domain than the one the user is currently in, the hyperlink to the object in the search results is disabled.