Introduce the DEFAULT_PERMISSIONS config parameter

docs/administration/permissions.md

@@ -68,8 +68,13 @@ When defining a permission constraint, administrators may use the special token
 
 The `$user` token can be used only as a constraint value, or as an item within a list of values. It cannot be modified or extended to reference specific user attributes.
 
+### Default Permissions
 
-#### Example Constraint Definitions
+!!! info "This feature was introduced in NetBox v3.6."
+
+While permissions are typically assigned to specific groups and/or users, it is also possible to define a set of default permissions that are applied to _all_ authenticated users. This is done using the [`DEFAULT_PERMISSIONS`](../configuration/security.md#default_permissions) configuration parameter. Note that statically configuring permissions for specific users or groups is **not** supported.
+
+### Example Constraint Definitions
 
 | Constraints | Description |
 | ----------- | ----------- |

docs/configuration/security.md

@@ -90,6 +90,24 @@ CSRF_TRUSTED_ORIGINS = (
 
 ---
 
+## DEFAULT_PERMISSIONS
+
+!!! info "This parameter was introduced in NetBox v3.6."
+
+Default: None
+
+This parameter defines object permissions that are applied automatically to _any_ authenticated user, regardless of what permissions have been defined in the database. For example, to allow all users to create a device role beginning with the word "temp," you could configure the following:
+
+```python
+DEFAULT_PERMISSIONS = {
+    'dcim.add_devicerole': (
+        {'name__startswith': 'temp'},
+    )
+}
+```
+
+---
+
 ## EXEMPT_VIEW_PERMISSIONS
 
 Default: Empty list

netbox/netbox/authentication.py

@@ -76,6 +76,18 @@ class ObjectPermissionMixin:
         """
         Return all permissions granted to the user by an ObjectPermission.
         """
+        # Initialize a dictionary mapping permission names to sets of constraints
+        perms = defaultdict(list)
+
+        # Collect any configured default permissions
+        for perm_name, constraints in settings.DEFAULT_PERMISSIONS.items():
+            constraints = constraints or tuple()
+            if type(constraints) not in (list, tuple):
+                raise ImproperlyConfigured(
+                    f"Constraints for default permission {perm_name} must be defined as a list or tuple."
+                )
+            perms[perm_name].extend(constraints)
+
         # Retrieve all assigned and enabled ObjectPermissions
         object_permissions = ObjectPermission.objects.filter(
             self.get_permission_filter(user_obj),
@@ -83,7 +95,6 @@ class ObjectPermissionMixin:
         ).order_by('id').distinct('id').prefetch_related('object_types')
 
         # Create a dictionary mapping permissions to their constraints
-        perms = defaultdict(list)
         for obj_perm in object_permissions:
             for object_type in obj_perm.object_types.all():
                 for action in obj_perm.actions:

netbox/netbox/settings.py

@@ -99,6 +99,7 @@ DATE_FORMAT = getattr(configuration, 'DATE_FORMAT', 'N j, Y')
 DATETIME_FORMAT = getattr(configuration, 'DATETIME_FORMAT', 'N j, Y g:i a')
 DEBUG = getattr(configuration, 'DEBUG', False)
 DEFAULT_DASHBOARD = getattr(configuration, 'DEFAULT_DASHBOARD', None)
+DEFAULT_PERMISSIONS = getattr(configuration, 'DEFAULT_PERMISSIONS', {})
 DEVELOPER = getattr(configuration, 'DEVELOPER', False)
 DOCS_ROOT = getattr(configuration, 'DOCS_ROOT', os.path.join(os.path.dirname(BASE_DIR), 'docs'))
 EMAIL = getattr(configuration, 'EMAIL', {})