[ZBX-8018] Usage of nested templates may result in inconsistent inheritance Created: 2014 Apr 01  Updated: 2024 Apr 10  Resolved: 2018 Feb 09

Status: Closed
Project: ZABBIX BUGS AND ISSUES
Component/s: API (A), Documentation (D), Frontend (F)
Affects Version/s: 2.2.2
Fix Version/s: 4.0 (plan)

Type: Documentation task Priority: Major
Reporter: Marc Assignee: Natalja Cernohajeva (Inactive)
Resolution: Fixed Votes: 1
Labels: nested, permissions, templates, usability
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Team: Team B
Sprint: Sprint 26, Sprint 27
Story Points: 0

 Description   

This issue is about a probably well known problem in connection with template inheritance and its permissions.

Template inheritance example:
Linux template -> Service1 template -> some hosts
Linux template -> Service2 template -> some hosts
Linux template -> Service<n> template -> some hosts
Linux template -> lots of other hosts

Linux administrator has write permission to Linux template and all related hosts.
Service operator has write permission to his or her service template and related hosts.

Now when the Linux administrator creates an item in the Linux template, then this operation succeeds without any error.
In fact the item gets created in all hosts except the ones behind the service templates.

When the Linux administrator then creates a trigger in the same template based on the same item, the operation fails because the missing item behind the service templates.

This appears really not trivial to solve and there's a lot of room for discussion about what would be the "right" behavior.
Anyhow, for now I'd appreciate the API item creation request either to succeed with a proper warning or to fail (of course with a proper message as well).

At least it should be somehow noticeable so that a Zabbix-Super-Admin may re-save the item in question to assure consistency.
If such (interim) behavior is still out of question, I'd expect the trigger creation to work the same way the item creation does (successful creation on hosts with proper permission) - what would still result in inconsistent inheritance though.

I heard that the current behavior/limitation should already have been documented but I haven't found it yet.

Possibly one could add a link to one of these places:
https://www.zabbix.com/documentation/2.2/manual/config/templates/nesting
https://www.zabbix.com/documentation/2.2/manual/config/users_and_usergroups/permissions
https://www.zabbix.com/documentation/2.2/manual/appendix/faq

Possibly somehow related issues:
ZBX-6293
ZBX-6401
ZBX-2499

 Comments   
Comment by Martins Valkovskis [ 2014 Apr 02 ]

As for documentation, this situation was not documented officially. Now added, as:

https://www.zabbix.com/documentation/2.2/manual/config/templates/nesting#permission_issues

Comment by Marc [ 2014 Apr 23 ]

Another scenario:
Updating a template silently un-links itself from any entity one has no permission to.

Example:

  • Template 'Application' is linked to template 'Linux' and to template 'AIX'
  • AIX administrators have read-write permission on template AIX
  • Linux administrators have read-write permission on template Linux
  • Both, AIX and Linux administrators have read-write permission on template 'Application'

Now when an AIX administrators updates template 'Application', e.g. by changing a user macro, then the template 'Application' gets un-linked from template Linux

Generated at Thu Apr 10 12:35:54 EEST 2025 using Jira 9.12.4#9120004-sha1:625303b708afdb767e17cb2838290c41888e9ff0.