Contact group members are displayed incorrectly

Hey, I noticed that the displayed members of a contact group varies depending on whether you are an administrator or a user with limited rights.

Icingaweb, as user testadmin:

As icingaweb-user testadmin everything is displayed correctly as provided in the example-configuration below.

Icingaweb, as user testuser
(restricted to monitoring/filter/objects = "hostgroup_name=hostgroup_testhosts*") :

As icingaweb-user testuser, the number of members of the contact group is displayed correctly, but the members not. In the configuration below, user_nogroup is not a member of the usergroup “usergroup_test”.

It looks to me as if the display of users and user groups in Icingaweb is linked to whether there are configured notifications or not. As Icingaweb-users do not have access to all objects due to their roles/filters, the effects mentioned above occure.

My question: Is this a desired behavior?

If yes, what would be the best-practice for “monitoring/filter/objects” in the Icinga roles, to avoid these effects?



Icinga Web 2 version

  • 2.11.4

Used modules and their versions

  • doc 2.11.4
  • graphite 1.2.0
  • icingalegacytheme 1.0.0
  • monitoring 2.11.4

Web browser used

  • Google Chrome Version 112.0.5615.138

Icinga 2 version used

  • 2.13.2-1

PHP version used

  • 5.4.16

Server operating system and version

  • Red Hat Enterprise Linux Server release 7.9

Example Configuration:


object Host "testhost_a" {
  import "generic-host"
  address = "" = "testteam"

object Host "testhost_b" {
  import "generic-host"
  address = "" = "testteam"
} is used to define members of a hostgroup


object HostGroup "hostgroup_testhosts" {
  assign where match("*testteam*",

The hostgroup is used for object-filter in Icingaweb.


users = "testadmin"
unrestricted = "1"
permissions = "*"

users = "testuser"
monitoring/filter/objects = "hostgroup_name=hostgroup_testhosts*"
permissions = "monitoring/*,module/monitoring"

Users, Usergroups & Notifications:


object UserGroup "usergroup_test" {

object User "user_a" {
  groups = [ "usergroup_test" ]

object User "user_b" {
  groups = [ "usergroup_test" ]

object User "user_nogroup" {

apply Notification "notification-group" to Host {
  command = "mail-host-notification"
  user_groups = [ "usergroup_test" ]
  assign where == "testhost_a"

apply Notification "notification-nogroup" to Host {
  command = "mail-host-notification"
  users = [ "user_nogroup" ]
  assign where == "testhost_b"

However, it is not always just too many contact group members that are displayed. An AND-clause in the filter can result in the user with restricted rights not being able to see any contact groups and their members at all.

e.g.: monitoring/filter/objects = "hostgroup_name=testhosts*&servicegroup_name=testservice*"

Suppose here the hosts of the host group “test hosts” have notifications configured, but the services of the service group “testservice” have no notifications. The restricted icingaweb-user cannot see any members of the user group.

I remember seeing this as well.