I have the following problem regarding our monitoring team and which hosts/services they can see.
There is one Service Group “MonitoringServices” and one Hostgroup “MonitoringHosts”
I want to add a role in which our monitoring team can see only Hosts / Services which are in this groups.
Thus, I went to Configuration->Authentication->Create a New Role and set:
"monitoring/filter/objects" to "hostgroup_name=MonitoringHosts&rvicegroup_name=MonitoringServices"
This works fine with one exception. If there is a host without any “MonitoringServices” it won’t show up. This is kinda unexcepted since the host is clearly in the “MonitoringHosts”.
If I alter the filter to “hostgroup_name=MonitoringHosts | servicegroup_name=MonitoringServices” it is getting even worse. Now all services of a host show up as long as it is in the “MonitoringHosts” group.
Does anybody know how to deal with this kind of situation?
I’m afraid, but this works exactly as it should. Issue #3349 on Github is kind of related here too I guess.
The restriction is equally applied to all kind of objects we’re dealing with here. (Hosts, Services, Hostgroups, Servicegroups, Contacts, Contactgroups, Events, Notifications, …) If filtering based on servicegroup_name an appropriate servicegroup must be somehow related to any given object:
A host must have a service which is part of this group (host -> service -> servicegroup)
A service must be part of this group (service -> servicegroup)
A hostgroup’s host must have a service which is part of this group (hostgroup -> host -> service -> servicegroup)
The only solution I see is to turn away from the whitelist approach and switch to a blacklist one: hostgroup_name=MonitoringHosts&servicegroup_name!=NonMonitoringServices
This way:
Hosts in group MonitoringHosts and with no services at all or services which are in any other group than NonMonitoringServices
Services which are part of a host which is in group MonitoringHosts and which are in any other group (or no group) than NonMontoringServices
are displayed. Though, the blacklist may not feasible to you of course. But at least worth a try?
I tried your approach. I made a new service group which basically inverted the Group “MonitoringServices”.
object ServiceGroup " NonMonitoringServices" { assign where !("MonitoringServices" in service.groups) }
and used your approach hostgroup_name=MonitoringHosts&servicegroup_name!=NonMonitoringServices
Now I get only the Hosts, which do only have MonitoringServices
But I can see all the services that I want if I go for overview->services. This is kinda strange, since I can also see the hosts there but if I click on them, I get Host not found on the right hand site.
Funny thing is. If I build my filter that way (_service_department!=admin1&_service_department!=admin2&_host_is_prod!=false) it works fine
I would prefer a whitelist approach but since it does not really feasible, I go with this blacklist solution.