[ZBXNEXT-77] Better permission granularity Created: 2009 Sep 15 Updated: 2021 Mar 30 Resolved: 2021 Mar 30 |
|
Status: | Closed |
Project: | ZABBIX FEATURE REQUESTS |
Component/s: | Frontend (F) |
Affects Version/s: | None |
Fix Version/s: | None |
Type: | New Feature Request | Priority: | Blocker |
Reporter: | Johan Segernas | Assignee: | Unassigned |
Resolution: | Duplicate | Votes: | 140 |
Labels: | permissions | ||
Remaining Estimate: | Not Specified | ||
Time Spent: | Not Specified | ||
Original Estimate: | Not Specified |
Issue Links: |
|
Description |
I would like to be able to give a certain user permission to just parts of a device, like say one port on one switch. I have some core routers with a lot of customers hooked up to it. We measure those ports for bandwidth and similiar. I would like my customers to have their own login and being able to see their bandwidth graph for just their port and not the entire device. Today we use Cacti for this, to be able to use Zabbix we have to add the switch as a new device called 'SwitchXX - customers XX' and just monitor their port on this device. This isn't happening with a few hundred customers. We also host a lot of managed Linux/Windows servers, today we can only give customers read permission to the entire server in Zabbix. Maybe we just want them to see disk/cpu/load graphs and not triggers/items for free. This isn't possible either and the huge lack of permission granularity is a big show stopper for us implementing Zabbix instead of Cacti. Which we really, really want. |
Comments |
Comment by richlv [ 2009 Nov 09 ] |
possible solution : |
Comment by Dieter Plaetinck [ 2009 Nov 09 ] |
not sure if applications are the way to go for this. making different "applications" to categorize the fields may be a bit too far fetch. |
Comment by richlv [ 2009 Nov 09 ] |
maybe, but it would offer much easier configuration afterwards. want to allow some user to see all in/out counters on all your switches, but nothing else ? allow access to one or two applications. |
Comment by Dieter Plaetinck [ 2009 Nov 09 ] |
sorry i wasn't specific enough. the way i see it the single fields that you can select would be exceptions on a "base" rule. and you could toggle the base rule to be "allow everything" or "allow nothing". |
Comment by richlv [ 2010 Apr 03 ] |
partially connected to |
Comment by For@ll [ 2010 Apr 06 ] |
Hi, It's possibility that the implementation of the rights for user, who can for example disable him own action. I have a user who wished something like that, and now I give him account which zabbix administrator rights, and he see other actions. |
Comment by richlv [ 2010 Apr 07 ] |
not quite sure what the latest comment implies, but since 1.8.2 zabbix admins can only see actions where all the recipients share a group with them |
Comment by Pischalnikov Kirill [ 2010 Jun 30 ] |
Hi, |
Comment by lgc6160 [ 2010 Oct 08 ] |
richlv, you mention setting permissions based on applications - is this something that has been implemented already (v1.8.3)? If not, are there plans to in the 1.8 trunk? |
Comment by richlv [ 2010 Oct 08 ] |
application based permissions are not implemented yet; |
Comment by matthias zeilinger [ 2011 Nov 17 ] |
my idea: |
Comment by Steve mushero [ 2012 May 23 ] |
We have many customers use our system and would really like to limit what they can see, such as dashboard, latest data, graphs, screens, but not other things - be nice to control this beyond just read/write. |
Comment by Stanislav Kelberg [ 2012 Jul 11 ] |
Totally agree. We are considering migrating to Zabbix in our organization, but rough permission granularity might be a show stopper for us . A colleague of mine, proposed this dirty workaround: While it would work, it's not very nice and brings additional complexity/confusion. P.S. Maybe anyone knows how to workaround Templates permissions? |
Comment by richlv [ 2012 Jul 11 ] |
templates may belong to several hostgroups as well, you are not required to put them in the "Templates" group |
Comment by Stanislav Kelberg [ 2012 Jul 11 ] |
Thanks Rich, (That was fast btw! ) |
Comment by Robert Parker [ 2012 Aug 15 ] |
Would the following fall within the scope of this feature request? : We'd like to be able to give user groups (they may need to be Zabbix admins) permission to modify Maintenance periods without giving them permission to modify all other aspects of configuration for those hosts (e.g. the main configuration of those hosts, such as name, group membership, agent IP address / name, linked templates, etc). Presumably such a feature would make configurable on a granular level which aspects of configuration (e.g. maintenance periods, linked templates etc) are being granted to the user group for the hosts (or host groups) specified. |
Comment by Ryan Rupp [ 2012 Aug 24 ] |
Another use case I have that may fall under finer permissions is the "Host Name" vs "Display Host Name." I'm intending to automate the creation of hosts through the JSON API with a specific "Host Name" internal identifier, once it is created I don't want that value to change so later on I can reliably query information about that specific host using that "Host Name". Through the frontend I would like the "Host Name" field to be disabled when modifying a host but still allow the user to change the "Display Host Name" if they wish to have the host name visually represented differently. |
Comment by Strahinja Kustudic [ 2014 Feb 20 ] |
Permission granularity could be implemented almost anywhere, but the reporter was mostly talking about permissions on specific items, graphs... IMO if you want to make this right, the first thing that needs to be added is the ability to set read permissions for every item to a group and/or a user. By default the permissions should be set to allow all (or host based). This would be extremely useful if you would like to hide some business sensitive information from some users. Also these permissions should work on actions and notifications, so that those users don't get any notifications for items they don't have read access. |
Comment by Rune Myrhaug [ 2014 Apr 15 ] |
Hi I´m used to the "HP Software Operations Manager" way to do this. Yes, I agree that it would be nice to have better permission granularity. Create a matrix -> Application x Host group ----------------------- This way I can say that e.g user group "AAA" should not have access to see zabbix Internal (e.g. zabbix agent ping) trigger-events. |
Comment by Alain Goldberg [ 2014 Jun 09 ] |
IMO Permission granularity should also include which menu-tabs will be displayed, many managers/customers ask for a simple perspective. Inventory and reports, and actually anything but a single or a couple of screens is confusing them. |
Comment by zentarim [ 2014 Jun 23 ] |
In my opinion this is a really useful feature. I really need it. To date, I have to use the Cacti to allow viewing only part of the device. |
Comment by callistix [ 2014 Nov 12 ] |
+1 for the feature of allowing users access to maintenance settings, but not to hosts configuration. Maybe a new user type could be used? |
Comment by junky84 [ 2014 Nov 19 ] |
I also would appreciate the feature for users to add maintenance for host/groups without host configuration! |
Comment by Jeremy Miller [ 2015 Mar 19 ] |
I would like to have the feature to be able to be able to give select Zabbix Admins the ability to create host groups. |
Comment by Jacek [ 2015 Sep 15 ] |
Is there a chance that you have this in your future plans? These closer ones |
Comment by Gustavo Moura de Sousa [ 2015 Sep 15 ] |
Today we have to give full access to users that we would like to allow only create maintenances. |
Comment by Volker Fröhlich [ 2015 Sep 16 ] |
Gustavo, I have a partial solution to your particular problem as part of http://zabbix.org/wiki/Docs/simplify_ad_hoc_maintenance#POC_implementation This change exploits the fact, that "write" can be set for non-admin users, but it has no meaning, which is confusing in itself. My change introduces the semantics of "Write" meaning, maintenance can be set – at least on the API level. This is tricky to expose in the UI though for various reasons. I simply added a host popup-menu entry and an entry on the Monitoring menu, which is not consistent, but works very well. |
Comment by Gustavo Moura de Sousa [ 2015 Sep 17 ] |
Volker, Thank you very much for your suggestion but I'm affraid the patch is not compatible with the version I'm using. |
Comment by Alexei Vladishev [ 2018 Jul 23 ] |
Tag filtering implemented in Zabbix 3.4 covers some of the use cases related to more granular user permissions. Tag filtering will bring even more practical value as soon as we implement host- and (possibly) item-level tags. |
Comment by Marc [ 2018 Jul 23 ] |
alexei, what finally would mean following the intention of |
Comment by patrik uytterhoeven [ 2018 Jul 23 ] |
problem is at the moment that there is no lookup table for tags when you specify them. making this sensitive to errors already at the moment. Imagine what it will be when we add more complexity like permissions. |
Comment by Ognjen sijan [ 2020 Aug 04 ] |
More then 10 years ... it seems like it's never happening |
Comment by patrik uytterhoeven [ 2020 Aug 04 ] |
it will if you are happy to sponsor this feature |
Comment by Alexei Vladishev [ 2020 Aug 12 ] |
Actually it is not about sponsorship, it is about finding a good solution that will satisfy most of user cases we have here. I have to say that I am not happy about item/trigger-level granularity, we've been there in Zabbix 1.0. It will be a nightmare to manage permissions in this case. I think that what is really missing is ability to restrict access of end-users to certain parts of Zabbix UI (like I want to see dashboards only, nothing else; or I want to hide Monitoring->Services) and certain functions like problem acknowledgements, ability to create/edit dashboards, ability to create maintenance periods, etc. We could possibly implement this functionality as support of user roles (like "Customers", "Marketing", "Network engineers", etc). A user role could be assigned to an user (one role for each user) and it will define user type (user, admin or super admin), what parts of UI are accessible and what specific functionality is available to the user role (maintenances, problem acknowledgement, ability to create/edit dashboards, ability to create/edit maps, etc). It will be kind of additional filter for UI functionality. What do you think? |
Comment by patrik uytterhoeven [ 2020 Aug 12 ] |
imho this is the way to go user defined roles where you can define what is possible and what is not possible like for example create the maintenance. something i fix now with frontend scripts. like you mentioned adding permissions on triggers is way to complex and will only lead to the windows way with acl hell problem with admin today is imho that it can not be restricted to for example not create discovery rules while normal users cant see the templates etc ...
|
Comment by zentarim [ 2020 Aug 12 ] |
That is exactly what I've been needed six years ago |
Comment by Joachim Vertommen [ 2020 Aug 12 ] |
I think user roles would be very nice. But I think it's not only a matter of restricting which role can access which part of the UI, it's also a matter of defining which role has which rights to the parts of the UI. Another annoyance today is that read-write permissions are required to be able to manually close a problem, but at the same time read-write also allows the user to change the problem severity. Which is not always desirable. And of course people who create maintenances are most of the time operators and not the same people who configure and maintain Zabbix. |
Comment by Alexei Vladishev [ 2020 Aug 12 ] |
joachim.vertommen, in case if we implement user roles the way I described, we will not require read-write permissions for certain operations like changing problem severity, creation of maintenance periods, etc. Read-only will be sufficient. I understand what you mean about having access to configuration data for non-admins. Introduction of Monitoring->Hosts, ability to manage dashboards for all users are just a few steps we have made in this direction. Ideally I would like to see most of Configuration merged with Monitoring in the future. |
Comment by Joachim Vertommen [ 2020 Aug 12 ] |
If the permissions for each operation can be chosen individually then what you describe indeed seems like a very good solution. |
Comment by Gutsycat [ 2020 Aug 13 ] |
"It will be a nightmare to manage permissions in this case." Alexei, in our zabbix instance we have to add the same hosts/items twice and create additional host groups to allow customers view only their specific items. So my vote goes to "nightmare permissions" |
Comment by Alexei Vladishev [ 2020 Aug 13 ] |
Rostislav I understand your challenge. I guess we have to find a good balance between usability and flexibility. |
Comment by Alexei Vladishev [ 2020 Sep 16 ] |
We are developing support of user roles under |
Comment by Joachim Vertommen [ 2020 Sep 29 ] |
Hello Alexei, Can you add a use case to restrict manually closing of problems by certain users? |
Comment by Alexei Vladishev [ 2020 Sep 29 ] |
joachim.vertommen It will be implemented under |
Comment by Mickael Martin (Cyres) [ 2021 Mar 30 ] |
Not closed by https://www.zabbix.com/documentation/current/manual/web_interface/frontend_sections/administration/user_roles ? |
Comment by Alexei Vladishev [ 2021 Mar 30 ] |
@mma, I would say that we can close it, any objections? Likely some users here are waiting for item level granularity, which I believe will never be implemented. |
Comment by Mickael Martin (Cyres) [ 2021 Mar 30 ] |
For me, since 5.2, Zabbix has a good granularity, it's a great work. |
Comment by Alexei Vladishev [ 2021 Mar 30 ] |
All right, I think it is fine to close this ticket then. |