[ZBXNEXT-4655] Allow Zabbix-Super-Admins to act like a Zabbix-Admin Created: 2018 Jul 26 Updated: 2018 Jul 30 |
|
Status: | Need info |
Project: | ZABBIX FEATURE REQUESTS |
Component/s: | Frontend (F) |
Affects Version/s: | 3.4.11 |
Fix Version/s: | None |
Type: | Change Request | Priority: | Trivial |
Reporter: | Marc | Assignee: | Valdis Murzins |
Resolution: | Unresolved | Votes: | 1 |
Labels: | permissions, usability, users | ||
Remaining Estimate: | Not Specified | ||
Time Spent: | Not Specified | ||
Original Estimate: | Not Specified |
Attachments: | VirtualZabbixAdmin.png ZabbixSuperAdmin.png |
Description |
People managing a large Zabbix instance and therefore having the user role Zabbix-Super-Admin may most of the time still be interested in a subset of host groups and related information only. How about allowing a Zabbix-Super-Admin to toggle between being a virtual Zabbix-Admin and a Zabbix-Super-Admin? As a virtual Zabbix-Admin permissions are granted as for usual users. Except for the toggle button to evaluate back to Zabbix-Super-Admin, of course. I don't know, maybe a Boolean attribute optionally send alongside concerning API requests?
While this is different to ZBXNEXT-2018, both may have some things in common in terms of technical pre-requisites. |
Comments |
Comment by Aleksejs Petrovs [ 2018 Jul 26 ] |
Hello Marc, Thank you for the request, but what will be the key benefit of that implementation? I mean when you are Super Admin - Zabbix wouldn't perform the additional permission check, but in your scenario - this will be an additional check which will provide an additional load on the DB/Web server. Regards, |
Comment by Ingus Vilnis [ 2018 Jul 27 ] |
What costs more from a performance perspective - doing a permission check on every page for an additional user or loading ALL data for every host group on every page you open when as a Zabbix Super Admin you are only interested in health of your Zabbix server and it's surrounding environment? |
Comment by Marc [ 2018 Jul 30 ] |
you're right! There will be additional things to do for Zabbix Super Admins but not notable more than it is already done for regular users. Iiirc the current implementation of permission checking just drops these checks, if the user in question has the user role Zabbix Super Admin. This should not be that difficult to make it switchable. The user role Zabbix Super Admin is imho not related to do any monitoring tasks. It's major purpose is for controlling and managing a Zabbix platform. However, it's not unlikely that users who are managing a Zabbix platform do want to do some individual monitoring tasks as well. One scenario could for instances be an organization with dedicated departments for database-, storage-, operating system-, application-admins... you name it. Now presume the Zabbix platform there is managed by Linux admins. In the current implementation they are doomed to see everything - what may be a lot! |
Comment by Marc [ 2018 Jul 30 ] |
As mentioned in my previous comment, I was not thinking of a frontend located check. What I had in mind instead was to extend concerned API methods with a new parameters of type flag, let's call it "virtual_admin". If this parameter is set to True and the user is of type Zabbix Super Admin , then the regular permission check logic is not dropped resp. omitted but applied accordingly. Whether or not this parameter gets passed is controlled by a corresponding link resp. button in the frontend and it's current state could be stored in, resp. derived from a cookie or the user's profile table. |
Comment by Ingus Vilnis [ 2018 Jul 30 ] |
Hi Marc, My reply was more to the comment posted previously and supporting your request. In normal daily activities one does not need to load all data, and this indeed is an issue in larger organisations. I know, filtering etc, but that is not it. So I say this is a valid issue and hopefully will be done some time in the future. |
Comment by Marc [ 2018 Jul 30 ] |
My bad. Sorry, for having misunderstood your reply and Thank you for supporting my request |
Comment by Roman Rajniak [ 2018 Jul 30 ] |
Or maybe that flag could be numeric as a down level to User type of account: from 0=Zabbix Super Admin (no change) to ... 2=Zabbix User or to show like 3=Guest Yes - this is rather for ZBXNEXT-2018 |
Comment by Marc [ 2018 Jul 30 ] |
Host access wise (incl. Items, Triggers, Graphs, etc) there is no difference between the User type Zabbix user or Zabbix Admin. But possibly I've just misunderstood the idea behind "2=user". I've just recently proven that this is not unlikely to happen to me
Edit: Could it be that it's rather ZBXNEXT-2018 what you had in mind? |
Comment by Roman Rajniak [ 2018 Jul 30 ] |
But What if I will test permissions of any user. We missing permisions owerview for hosts on user like in old Zabbix 2.2 . (Also this is not Trivial change.) Simulating permisions of any existing user for Zabbix Super Admin can be useful too (Just for noedit navigation). |
Comment by Marc [ 2018 Jul 30 ] |
Well, testing permissions of any user, resp. simulating permissions is actually exactly what ZBXNEXT-2018 is supposed to offer. |