Support negative permissions constraints

[llamafilm]

NetBox version

v4.4.6

Feature type

New functionality

Proposed functionality

I'd like to create permissions constraints with negations. The constraint JSON syntax would use the same lookup expressions which are already supported in the REST API, for example {"vrf_id__n": null}.

Use case

I've built a few automations to pull in data from external sources into Netbox. I don't want users to edit those objects because any changes may break the automation. One example is: Prefixes in the global VRF are imported from BloxOne DDI, so users should not be able to edit them. We have a number of air-gapped networks, which each use overlapping 192.168 address space. Each of those is modeled as a separate VRF in Netbox, and users should be able to manipulate those Prefixes freely. So I would like to create 2 separate permissions for Prefix editing, one with {"vrf_id": null} and the other with {"vrf_id__n": null}

Database changes

No response

External dependencies

No response

[jnovinger]

Seems to be essentially the same request as #4949, which was closed as stale while under review. At the very least, we'd need to figure out if this is any more feasible now than it was in the past.

FWIW, the __n convention is a NetBox filterset convention. It is not something that is available at the ORM query construction level, like conventional Django ORM filters/lookups. That technical hurdle will need to be addressed if this is to move forward, since permission constraints are based on queryset operations.

@llamafilm, please update your FR with how you propose to achieve this. Otherwise, I don't believe this FR is actionable as it stands.