Ubuntu 16.04 LTS

version 3.4.9 the problem persists.

Can confirm this on 3.4.9.

Here is how to reproduce it:
1) Create user 'another' and assign it to User type 'Zabbix Admin' which by default has no rights to any host.
2) With Zabbix super administrator create a new map and add 'Zabbix server' host inside it. Sharing type remains as 'Private'
3) Authorize with 'another' user. Ensure the map is not visible.
4) Use Zabbix super administrator and include one image in the same map. Save the map
5) With user 'another' refresh the map page. The map becomes visible. It is possible to go inside and see some images (not including sensitive data).
inserting-image-item-in-private-map-allows-all-zabbix-admins-see-some-content.mp4

Hello Aigars Kadikis, your reproduction of the problem was perfect.
This is exactly the problem, I followed your procedure and the behavior is the same as yours, the permissioning of the elements in the maps works perfectly, but if you insert a single element of type "image" then the permission fails, so any user of type "zabbix administrator" will be able to list and view the maps of other users even if they are" private "and even if they do not have any permission on the elements contained in the map "even though the sensitive data is hidden ".

I can confirm that the problem affects all versions 3.4.x and all alphas of 4.0.
Version 3.2.x in my tests are working ok.

It works as documented.

Admin level users can see private maps regardless of being the owner or belonging to the shared user list.

The way it is, I only see 2 exits:

1º Do not use elements of type "image" in the maps. Well, the permissions are respected.
2. Do not leave any users with "Zabbix admin" profile. Well, the permissions are respected.

I have to choose between the 2.

Step by the same problem as Diego and I do not see exit since if not leave some users as admin they no longer have access to some elements

I moved this issue to ZBXNEXT project. Please vote for this change request!

In include/classes/api/services/CMap.php there are some lines that permit this:

 // Setting PERM_READ permission for maps with at least one image.
 $selement_images = self::getSelements(array_keys($sysmaps_r), SYSMAP_ELEMENT_TYPE_IMAGE);
 self::setMapPermissions($sysmaps_r, $selement_images, [0 => []], $selement_maps);
 self::setHasElements($sysmaps_r, $selement_images);

Any updates?

Hi there, I've reported code lines involved in this issues/feature. This ticket was opened on  2018 Apr 07 ...Any updates?

I wonder about this authorization concept.

When I look at this list of references, I can not believe that large companies agree with this mess, or have spent a lot of money on work arounds.

Example: We have several 24/7 data centers. Some have their own site administrators. To be able to administer their own hosts, they need to be Zabbix Adminstrator. This gives them all rights to maps again. The same issue is with Discovery. I am not able to give a DBA for a single host the rights for scheduled downtime without giving it the right Zabbix Adminstrator.
From an authorization perspective, Zabbix is not suitable for large DCs, in particular multi-tenancy environment.
Map is one of many gaps.

By the wording, it is true that an administrator should see everything, but an application admin should be able to set up maintenance or add a template to his host. That's why many of us are Zabbix administrators and have in this case too many rights.