Icingaweb2 suddenly overwrites admin permission filters

Hi all,
Icingaweb2 2.8.2
this problem is very urgent. Since this morning we have a strange behavior in Icingaweb2:
My AD login is in 2 AD groups: “IT_Admins” and “Another”, where IT_Admins are Administrators in Icingaweb2 and Another has a monitoring/object/filter.
Since this morning, after logging in, I still have my admin rights in all modules, but I don’t see all hosts anymore. Instead of this, I see only the hosts, which are filtered for the “Another” group.
The only change I made yesterday was changing a permission for a third role (which shouldn’t be the reason here). When I delete my user from the “Another” group in AD, everything works again. So it seems that Icingaweb2 sets the filter for the first AD group that is matched (as “Another” is matched first, because it starts with “A”, and then “IT_Admins”) but does not unset it for the administrators. But I don’t know why this is happening right (or better JUST) now, as everything worked for months.
Here is a part of the roles.ini:

[Administrators]
users = "icingaweb2"
permissions = "*"
groups = "Administrators, IT_Admin"

[Another]
groups = "Another"
permissions = "module/grafana, grafana/showall, module/monitoring, monitoring/command/schedule-check, monitoring/command/acknowledge-problem, monitoring/command/remove-acknowledgement, monitoring/command/comment/add, monitoring/command/downtime/*, monitoring/command/send-custom-notification"
monitoring/filter/objects = "_host_icingaweb=*\"Another\"*|_service_icingaweb=*\"Another\"*"

Hi,

this is the default behavior. Permissions and restrictions are processed differently and do not belong to each other if from the same role. This is a well known limitation.

You need to either remove yourself from “Another” group, remove the restriction from the “Another” role or define a match-all restriction for “Administrators” (e.g. instance_name=*) which rules out other restrictions. Though, didn’t test the latter option and can’t guarantee it works.

Why did this just happen this morning? Did you log out and log in again after being logged in for a very long time? Then this might be the reason, as roles are only evaluated once per login.

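A simplified model of the behaviour described in the reply above, as an added example that is not part of the original thread and not Icinga Web 2's own code: permissions and restrictions are collected separately from every role a login matches, so a restriction from one role still applies when another role grants `*`. The sample roles.ini is constructed from the one posted in the question (permissions shortened, group name `IT_Admins` assumed); `effective_access` and `is_restricted_admin` are hypothetical helper names.

```python
import configparser

# Constructed sample, based on the roles.ini posted in the thread.
ROLES_INI = r'''
[Administrators]
users = "icingaweb2"
permissions = "*"
groups = "Administrators, IT_Admins"

[Another]
groups = "Another"
permissions = "module/monitoring, monitoring/command/acknowledge-problem"
monitoring/filter/objects = "_host_icingaweb=*Another*|_service_icingaweb=*Another*"
'''

def split_list(value):
    """Split a quoted, comma-separated ini value into trimmed items."""
    return [v.strip() for v in value.strip('"').split(",") if v.strip()]

def effective_access(ini_text, username, groups):
    """Merge permissions and restrictions over all roles matching the login."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(ini_text)
    permissions, restrictions = set(), {}
    for role in cp.sections():
        opts = cp[role]
        users = split_list(opts.get("users", ""))
        role_groups = split_list(opts.get("groups", ""))
        if username not in users and not set(groups) & set(role_groups):
            continue  # role does not apply to this login
        for key, value in opts.items():
            if key in ("users", "groups"):
                continue
            if key == "permissions":
                permissions.update(split_list(value))
            else:
                # Every other key is a restriction. It is kept regardless of
                # what permissions the login gets from other roles.
                restrictions.setdefault(key, []).append((role, value.strip('"')))
    return permissions, restrictions

def is_restricted_admin(permissions, restrictions):
    """True when a login holds '*' but still carries a restriction."""
    return "*" in permissions and bool(restrictions)

if __name__ == "__main__":
    perms, restr = effective_access(ROLES_INI, "jdoe", ["IT_Admins", "Another"])
    print("permissions:", sorted(perms))
    print("restrictions:", restr)
    print("admin with restriction:", is_restricted_admin(perms, restr))
```

Running a check like this over each AD user's group list shows which administrative logins would pick up a restriction from a second role before the users notice it in the host list.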

No, I was not logged in for a long time. I am shutting down my PC every day. Same for my colleague.
It doesn’t make sense that a role which has the slider “Administrative Access” on gets any filter objects.
IMHO, this is a bug.