[ZBXNEXT-4999] Specify a different user for remote remedy Created: 2019 Feb 01  Updated: 2021 Jan 05

Status: Open
Project: ZABBIX FEATURE REQUESTS
Component/s: Server (S)
Affects Version/s: 4.0.3
Fix Version/s: None

Type: Change Request Priority: Trivial
Reporter: Aigars Kadikis Assignee: Andris Zeila
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Attachments: PNG File remote-commands-behind-specific-user-shell.png     PNG File remote-remedy.png    
Issue Links:
Causes
Duplicate
Sub-task

 Description   

Please add functionality to execute remote commands on behalf of a different user, for example "zabbixremote" or "zbxrmt".

Inside the UI, it can be implemented under the User group configuration page like this:

This will increase security for zabbix server while using User type: "Zabbix Admin".



 Comments   
Comment by richlv [ 2019 Feb 11 ]

Could you please expand on this feature request a bit, what exactly is sought here? Is this about the global commands, perhaps?

Comment by Aigars Kadikis [ 2019 Feb 12 ]

This ZBXNEXT is dedicated to limit the range of execution options for user type "Zabbix Admin".

The topic relates to the actions section when setting up a custom remedy on triggers. Specifically, this gets sensitive when invoking a command on Zabbix server:

But this can be useful for the "Administration" -> "Scripts" section as well.

Comment by richlv [ 2019 Feb 12 ]

Thank you for the explanation, much more clear now.

For this to be effective, one would also have to take into account external checks, userparameters and probably more. That is, while external checks and userparameters would be more limited, ignoring them would make such a feature much less useful.

Comment by richlv [ 2019 Feb 12 ]

More on this topic - such a change would likely have very limited benefit if other problems like these are left unsolved:

  • ZBX-6345 - Zabbix "user" can gain write privilege through the API
  • ZBXNEXT-4943 - any Zabbix "admin" can retrieve Zabbix database credentials (and anything else server knows)

Comment by Jurijs Klopovskis [ 2021 Jan 05 ]

One possibility is to create a dedicated daemon for executing remote commands that runs as another user that can't read zabbix config files. Use IPC to communicate.

Most likely that's just kicking the can further down the road.
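
A check that goes with the separate-user approach discussed in this thread, as an added example (not part of the issue and not Zabbix code): it evaluates POSIX owner/group/other bits along the whole path to confirm that a helper account cannot read the server config. The path /etc/zabbix/zabbix_server.conf, the uid/gid numbers and the sample stat data are assumptions constructed for illustration; ACLs and capabilities are not evaluated.

```python
import os
from pathlib import Path
from typing import NamedTuple

class Entry(NamedTuple):
    path: str
    mode: int  # st_mode, including file-type bits
    uid: int
    gid: int

def stat_chain(path):
    """Stat every directory from / down to the file (file last)."""
    target = Path(path).resolve()
    parts = list(target.parents)[::-1] + [target]
    return [Entry(str(p), s.st_mode, s.st_uid, s.st_gid)
            for p in parts for s in (os.stat(p),)]

def _allowed(entry, uid, gids, want):
    """POSIX class selection: the first matching class decides, no fall-through."""
    if uid == 0:
        return True  # root bypasses read and directory-search checks
    if uid == entry.uid:
        bits = entry.mode >> 6
    elif entry.gid in gids:
        bits = entry.mode >> 3
    else:
        bits = entry.mode
    return bits & want == want

def can_read(chain, uid, gids):
    """True if the account can traverse every directory and read the file."""
    *dirs, target = chain
    return (all(_allowed(d, uid, gids, 0o1) for d in dirs)
            and _allowed(target, uid, gids, 0o4))

# Constructed sample: config owned by root, group-readable by gid 990 ("zabbix").
SAMPLE = [
    Entry("/", 0o040755, 0, 0),
    Entry("/etc", 0o040755, 0, 0),
    Entry("/etc/zabbix", 0o040755, 0, 0),
    Entry("/etc/zabbix/zabbix_server.conf", 0o100640, 0, 990),
]

if __name__ == "__main__":
    # Hypothetical ids: zabbix = 990:990, zbxrmt = 991:991.
    print("zabbix can read:", can_read(SAMPLE, 990, {990}))
    print("zbxrmt can read:", can_read(SAMPLE, 991, {991}))
    print("zbxrmt in zabbix group:", can_read(SAMPLE, 991, {991, 990}))
```

On a live host, pass `stat_chain(<config path>)` with the helper account's uid and its full supplementary group set; a helper that shares the server's group, or a world-readable config, makes the separation ineffective.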

Generated at Wed May 08 05:58:30 EEST 2024 using Jira 9.12.4#9120004-sha1:625303b708afdb767e17cb2838290c41888e9ff0.