Database: PostgreSQL/MySQL
Operating System: Ubuntu 24.04.1 LTS
Frontend Browser: Chrome & Firefox

Starting from version 7.0, intermediate tables were introduced to improve the performance of permissions calculations. These tables are managed by the Zabbix server, and the frontend only reads this data.

1. Is the Zabbix server running on your system?
2. Please also provide the output of these SQL queries, substituting the name of one of the users experiencing this issue. The first SQL query returns host permissions based on the configuration, and the second one retrieves them from the intermediate tables. The outputs should be identical.

select hg.hostid, max(r.permission) as permission from hosts_groups hg, rights r, users_groups ug, users u where hg.groupid = r.id and r.groupid = ug.usrgrpid and ug.userid = u.userid and u.username = '<username>' group by hg.hostid having min(r.permission)>0

select hhg.hostid, p.permission from users u, user_ugset uug, permission p, host_hgset hhg where u.userid = uug.userid and uug.ugsetid = p.ugsetid and p.hgsetid = hhg.hgsetid and u.username = '<username>' order by u.userid, hhg.hostid

UPD: Apologies for the incorrect information. The intermediate tables are updated both on the server side and on the API/frontend side. The first question is retracted.

It seems I have reproduced this issue on latest 7.0.8:

1. Create a new database and log in as the "Admin" user.
2. Create a new user with administrator rights and assign them to the "Zabbix administrators" user group.
3. Grant the "Zabbix administrators" RW permissions for the "Templates/Applications" template group.
4. Go to the Data collection -> Templates page and filter by the "Templates/Applications" group. The list will display 93 templates.
5. Now, log in with the new user and repeat step 4. The list will display only 90 templates.

The templates "Acronis Cyber Protect Cloud by HTTP", "Acronis Cyber Protect Cloud MSP by HTTP", and "Nextcloud by HTTP" do not appear, although they belong to the "Templates/Applications" group.

The proposed SQL statements also return a different number of records.

After some additional investigation, it turned out that the issue with the templates is caused by missing entries in the host_hgset table in the default dataset. We will definitely fix this. There are no such entries for six templates: "Acronis Cyber Protect Cloud by HTTP", "Acronis Cyber Protect Cloud MSP by HTTP", "Nextcloud by HTTP", "FortiGate by HTTP", "FortiGate by SNMP", and "HPE iLO by HTTP".

Your issue is not related to these templates. Therefore, we are waiting for the output of the SQL queries from you. Thank you!

Thank you for your comments.

select max(r.permission), hg.hostid from hosts_groups hg, rights r, users_groups ug, users u where hg.groupid = r.id and r.groupid = ug.usrgrpid and ug.userid = u.userid and u.username = '<username>' group by hg.hostid having min(r.permission)>0

Gives:

max|hostid|
---+------+
  2| 10294|
  2| 11253|
  2| 11189|
  2| 10902|
  2| 10734|
  2| 10476|
  2| 10477|
  2| 10898|
  2| 10706|
  2| 10436|
  2| 10893|
  2| 10754|
  2| 10838|
  2| 10259|
  2| 11252|
  2| 10334|
  2| 11251|
  2| 11194|
  2| 10260|
  2| 11195|
  2| 10310|
  2| 10844|
  2| 10884|
  2| 10903|
  2| 10735|
  2| 10378|
  2| 10370|
  2| 10376|
  2| 11254|
  2| 10758|
  2| 10295|
  2| 10755|
  2| 10674|
  2| 11192|
  2| 11190|
  2| 10757|
  2| 10435|
  2| 10883|
  2| 11250|
  2| 10258|
  2| 10279|
  2| 10311|
  2| 11245|
  2| 10894|
  2| 10312|
  2| 10144|
  2| 10471|
  2| 10809|
  2| 10579|
  2| 10896|

And 

select u.userid, hhg.hostid, p.permission from users u, user_ugset uug, permission p, host_hgset hhg where u.userid = uug.userid and uug.ugsetid = p.ugsetid and p.hgsetid = hhg.hgsetid and u.username = '<username>' order by u.userid, hhg.hostid

Gives :

userid|hostid|permission|
------+------+----------+
    25| 10376|         2|
    25| 10674|         2|
    25| 10757|         2|
    25| 10758|         2|
    25| 10838|         2|
    25| 10844|         2|
    25| 10884|         2|
    25| 10893|         2|
    25| 10894|         2|
    25| 10896|         2|
    25| 10898|         2|
    25| 10902|         2|
    25| 10903|         2|
    25| 11189|         2|
    25| 11190|         2|
    25| 11192|         2|
    25| 11194|         2|
    25| 11195|         2|
    25| 11245|         2|
    25| 11250|         2|
    25| 11251|         2|
    25| 11252|         2|
    25| 11253|         2|
    25| 11254|         2|

--- config.txt	2025-01-09 09:49:27.209694395 +0000
+++ cache.txt	2025-01-09 09:49:20.085699642 +0000
@@ -1,37 +1,11 @@
 userid|hostid|permission|
 ------+------+----------+
-    25| 10144|         2|
-    25| 10258|         2|
-    25| 10259|         2|
-    25| 10260|         2|
-    25| 10279|         2|
-    25| 10294|         2|
-    25| 10295|         2|
-    25| 10310|         2|
-    25| 10311|         2|
-    25| 10312|         2|
-    25| 10334|         2|
-    25| 10370|         2|
     25| 10376|         2|
-    25| 10378|         2|
-    25| 10435|         2|
-    25| 10436|         2|
-    25| 10471|         2|
-    25| 10476|         2|
-    25| 10477|         2|
-    25| 10579|         2|
     25| 10674|         2|
-    25| 10706|         2|
-    25| 10734|         2|
-    25| 10735|         2|
-    25| 10754|         2|
-    25| 10755|         2|
     25| 10757|         2|
     25| 10758|         2|
-    25| 10809|         2|
     25| 10838|         2|
     25| 10844|         2|
-    25| 10883|         2|
     25| 10884|         2|
     25| 10893|         2|
     25| 10894|         2|

As expected, the intermediate tables are missing some entries.

• Have you performed any direct manipulations with the database data?
• Do all hosts and templates have the required entries in the "host_hgset" table? This SQL query will return a list of hosts and templates missing the corresponding entries in this table:

  select h.hostid, h.host from hosts h where h.flags = 0 and h.hostid not in (select hostid from host_hgset);

• Have you performed any direct manipulations with the database data?

We did not manipulate data values on databases. But, we had to adjust format of some primary keys and foreign keys because updates did not adjust them correctly (since version 7). particularly on primary keys (should be bigint/int8, but we had in4, numeric...), and we had to recreate missing indexes. The first version of our zabbix vas version 5, and 3 years ago, we migrated from mysql to pgsql with no issues until version 7.

• Do all hosts and templates have the required entries in the "host_hgset" table?

The SQL query gives only 155 of our 231 hosts configured.

Hello, dedisoft!

Thank you for active help with investigation of this issue.
Could you tell please, Does it might be that some of your hosts were without host groups for long time ago, and after you upgraded up to 7.0, you added the host groups to them?

No, hosts were always configured with at least one host group.

Sorry for primitive questions.
Do you remember what the count of hosts (at least approximate) you had before you migrated to 7.0?
Does the hosts mostly are created/updated using UI, or using API, or maybe you widely use Low Level Discovery to create them?

No worries, thank you for your help.

Most of our hosts were already configured before 7.0 update, so around 220 - 230 hosts.

All are configured by the UI.

Have you noticed this permission issue right after upgrade to 7.0, or after some time?

Do you have the zabbix server log at the moment of upgrade to 7.0?

Could you provide your database schema, please? Just to compare how much it matches the original one.

This command can be used to dump the database schema:

pg_dump -U <user_name> <db_name> --schema-only | gzip -c > schema.dump.gz

schema.dump.gz

Hi,

How can we generate missing host_hgset entries ?

Thanks

Here are the steps to generate missing host_hgset records:

1. Do the following actions in database:
1.1. Collect the list of hosts for which host_hgset records are missing.

select h.hostid, h.host from hosts h where h.flags = 0 and h.hostid not in (select hostid from host_hgset);

1.2. On database level: insert into host_hgset table entry for each host collected in step 1 by setting the any of existing hgsetid.

INSERT INTO host_hgset (hostid,hgsetid) VALUES ('<missing hostid>','<any of existing hgsetid>');

2. Do the following actions in UI or API:
2.1. Create a new temporary host group.
2.2. Add the newly created host group to hosts collected in step 1.
2.3. Remove the newly created host group from hosts collected in step 1.

After the following steps host_hgset records will be generated correctly.

Thank you very much.

It solved our problem.

Hello dedisoft!

Thank you again for active help in issue detection!

Due to lack of all necessary information we wasn't able to reproduce the issue.
Based on the facts mentioned above we have suspicions that something is wrong with your database, and due to that the DB upgrade patch on permissions wasn't successfully applied to all existing hosts, but unfortunately we aren't able to prove this.

The instructions of how to repair the permissions is given in the comment above.

The described above issue related with the templates will be fixed in scope of ZBX-25868.

The current ticket is considering to be closed.