Administrative Permissions for Staff users

Permissions consist of 3 parts, delimited by a pipe (|), these are in order:

  • Category of the permissions

  • Object of the permission in the category

  • Permission on this object

There are 4 kinds of permissions.


The staff user can only see this object, but not change it.


Viewing and altering the object is permitted


The user can add an object of this type.


The user is able to delete objects of this type.


It is highly recommended to not give add, delete, and change permissions for objects in the zonecontrol category to users. These objects can usually be manipulated via the zone-editor. In the administrative interface, Role restrictions are enforced for many of these objects regardless.

admin category

These are permissions related to the administrative web interface.

log entry:

Access permissions for Log Entries of all actions done by users in the administrative interface.

auth category

This category relates to all authentication and authorization.


Access permissions for Users.


Access permissions for Groups.

Permission details

Users with the auth | group | Can change group and auth | user | Can change user permissions and staff status can add users to the groups they themselves already belong to. Groups the staff-user is not a member of, are not shown to them unless they have the superuser permissions.

Only the super-user can:

  • See or give staff status

  • See or give superuser status

  • Edit user permissions

  • Edit Group permissions

Recommended auth permissions for staff-user are:

auth | user | Can change user
auth | group | Can change group

authtoken category

This category is about users’ API tokens.


Access permissions for Tokens.

zonecontrol category

This category has all the objects that are stored inside zone control.


These permissions control the user’s access to the audit logs. Note that audit logs are read-only, whether or not the user has “change” or “delete” permissions.


Permissions for Roles.

scheduled change:

Access to the administrative page for scheduled changes.


Permissions on the Servers objects.

zone comment:

Permissions relating to Zone Comments visible in the administrative interface.

zone version:

Permissions relating to Zone Comments visible in the administrative interface.