[ZBXNEXT-4119] Tag based permissions, responsibility matrix (Z4) Created: 2017 Sep 25  Updated: 2024 Apr 10  Resolved: 2018 Mar 13

Status: Closed
Project: ZABBIX FEATURE REQUESTS
Component/s: API (A), Frontend (F), Server (S)
Affects Version/s: None
Fix Version/s: 4.0.0alpha5, 4.0 (plan)

Type: Change Request Priority: Major
Reporter: Rostislav Palivoda Assignee: Alexander Vladishev
Resolution: Fixed Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Attachments: GIF File block_border.gif     PNG File colon_tag.png     PNG File duplicate_entries.png     PNG File events_undefined_index.png     PNG File guest_problems.png     PNG File host_status.png     PNG File manually_close.png     PNG File map_problem.png     PNG File problems.png     PNG File problems_never_resolved.png    
Issue Links:
Causes
causes ZBXNEXT-4540 Problems widget filter - same tags ar... Closed
causes ZBX-14808 Typo in escalator.c Closed
Sub-task
depends on ZBXNEXT-4435 trigger severity support in event tag... Open
depends on ZBX-12884 Zabbix 3.0 misleading user permission... Closed
part of ZBXNEXT-77 Better permission granularity Closed
part of ZBX-7706 Slow queries when checking permissions Closed
part of ZBX-13386 host.get api method SQL improvement Closed
Team: Team B
Sprint: Sprint 17, Sprint 18, Sprint 19, Sprint 20, Sprint 21, Sprint 22, Sprint 23, Sprint 24, Sprint 25, Sprint 26, Sprint 27, Sprint 28, Sprint 29
Story Points: 5

 Description   

1. Configuration of user groups will be extended with an additional tab showing a list of host groups with associated pairs of tags & values.
a. Tag as well as tag value are optional. A host group without associated tags may exist.
b. Different tags with different values must be supported.

2. Zabbix will take into account problem tag filtering for:
a. Monitoring → Problems, Monitoring → Dashboard (all widgets displaying problem-related information)
b. Alerting: sending of alerts to users with no tag permissions will be suppressed
c. API methods: event.get and problem.get will be extended to take into account problem tag filtering

3. How filtering works:
a. If no filters exist for a given user group, then no filtering is applied.
b. If only host group is given with no tags, then it is allowed to display problems of this specific host group
c. If only tag name is given without tag value, then all problems having this tag name should be displayed
d. If both tag name and tag value are given, then it's allowed to display problems having Tag==<tag name> Tag value==<tag value>
e. If a user is a member of several host groups, then permissions granted for each host group are combined using OR condition.
f. If there are several tag names having same value, then filtering will use OR condition for tag values. For example: Host group ABC: Service: MySQL Service: Oracle. In this case it will be transformed into: Problem belongs to Host group ABC and has tag "Service" with value either "MySQL" or "Oracle"
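
The rules in section 3, written out as an added Python sketch (not Zabbix code and not part of the original issue). The class and function names are hypothetical, host-group read permission is assumed to be checked elsewhere, and a host group with no row in a non-empty filter list is assumed to grant nothing, a case the description leaves open.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class TagFilter:                      # hypothetical model of one row on the new tab
    host_group: str
    tag: Optional[str] = None         # 1a: tag name is optional
    value: Optional[str] = None       # 1a: tag value is optional


@dataclass(frozen=True)
class Problem:
    name: str
    host_groups: frozenset
    tags: tuple                       # ((tag name, tag value), ...)


def entry_matches(f: TagFilter, p: Problem) -> bool:
    if f.host_group not in p.host_groups:
        return False
    if f.tag is None:                 # 3b: host group only
        return True
    # 3c: name only matches any value; 3d: name and value must both match
    return any(n == f.tag and (f.value is None or v == f.value) for n, v in p.tags)


def group_allows(filters, p: Problem) -> bool:
    if not filters:                   # 3a: no filters, no filtering
        return True
    # 3f: rows are OR-ed. Assumption: a host group with no row grants nothing.
    return any(entry_matches(f, p) for f in filters)


def visible(user_groups: dict, problems) -> list:
    # 3e: grants from every group the user belongs to are OR-ed
    return [p.name for p in problems
            if any(group_allows(rows, p) for rows in user_groups.values())]


# Constructed sample data, using the "Host group ABC" case from rule 3f.
PROBLEMS = [
    Problem("MySQL down", frozenset({"ABC"}), (("Service", "MySQL"),)),
    Problem("Oracle slow", frozenset({"ABC"}), (("Service", "Oracle"),)),
    Problem("Nginx 502", frozenset({"ABC"}), (("Service", "Nginx"),)),
    Problem("MySQL down (XYZ)", frozenset({"XYZ"}), (("Service", "MySQL"),)),
]
DBA = {"DBAs": [TagFilter("ABC", "Service", "MySQL"), TagFilter("ABC", "Service", "Oracle")]}

if __name__ == "__main__":
    print(visible(DBA, PROBLEMS))
```

Because rules 3a and 3e combine, membership in any user group without filter rows makes every problem visible in this model, which is worth checking when auditing group membership.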



 Comments   
Comment by Sergejs Paskevics [ 2017 Oct 26 ]

Server side was resolved in development branch svn://svn.zabbix.com/branches/dev/ZBXNEXT-4119 r73941, r74159, r74160

Comment by dimir [ 2018 Jan 29 ]

Message to everybody interested in this task. According to the latest agreement this issue will be about adding an additional filter (event tag based) to user group permissions.

Comment by Alexander Vladishev [ 2018 Feb 23 ]

(66) [D] API documentation needs to be updated

sasha Updated:

RESOLVED

Miks.Kronkalns In Changes from 3.4 to 4.0 it is not mentioned that event.get returns not only events that match the specified tag filters, but also recovery events of matching events.

REOPENED

sasha

RESOLVED

Miks.Kronkalns CLOSED

Comment by Alexander Vladishev [ 2018 Feb 25 ]

(67) [D] User manual needs to be updated

natalja.cernohajeva : Necessary documentation sections have been updated with required information. Please, review:

RESOLVED

sasha CLOSED

Comment by Alexander Vladishev [ 2018 Mar 05 ]

Available in 4.0.0alpha5 r78287

Comment by XinWang [ 2022 Jun 09 ]

Seems that tag based permission control is not implemented, right?

Comment by Alexander Vladishev [ 2022 Jun 09 ]

Tag based permissions can be configured in the user group form. See documentation.

Comment by XinWang [ 2022 Jun 13 ]

Yes, that's right. I have already used this feature to control problems by tags. Actually, the real problem is that we have tens of thousands of devices from different departments mixed in the hundreds of host groups that were created. So it's a big challenge to do permission control just with host groups. For sure, we can create more groups to separate hosts. But it's not flexible, since we create hosts with dozens of key-value pairs. Thanks so much, you guys have done an excellent job on RBAC. I think it would be more flexible and easier to manage permissions for admin roles from different departments or tenants if the configuration part supported tag based host filtering.

Comment by XinWang [ 2022 Jun 13 ]

One more thing I want to share is that we only use host groups to separate hosts with the same location. For other custom requirements, we use tags linked to hosts everywhere, like configuration, trigger actions, etc. So tags play a significant role in management.

Generated at Wed May 08 14:39:57 EEST 2024 using Jira 9.12.4#9120004-sha1:625303b708afdb767e17cb2838290c41888e9ff0.