Lesser security group overriding administrators

Not sure if we’d call this expected behavior, so bringing it up here before I trouble anyone with a GitHub issue.

I have a security group for our Tier3 team that includes hiding all Custom Variables under Restrictions for the monitoring module. One of our Tier3 guys was recently promoted to Systems Administrator. Even though he is now in the group which has Administrative Access toggled, since one of the AD groups associated with Tier3 was still on his account, this restriction is still applying.

Specifically, under monitoring/blacklist/properties, it was service.vars.**.*,host.vars.**.*,service.vars.*,host.vars.*

I’m redoing our security roles anyway and will resolve it accordingly, but I would expect an administrative role to supersede this.

Administrative Access is, I’m afraid, just a fancy term for not having to switch all toggles in the role configuration. For true administrative access a user must not be a member of a role that is restrictive in any way.

Somehow related: https://github.com/Icinga/icingaweb2/issues/2455

Yeah, the only quirk I’m finding here is you’d think assigning all permissions in one role would void the restrictions, but it sounds like it’ll stay this way.

I’ll go ahead and mark this resolved.
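
An added example, not part of the thread or of Icinga Web 2's own code: a small audit of a roles.ini that reports users who hold an all-permissions role while a restriction from another role still applies, which is the situation described in the reply above. The role names, group names and sample file are constructed, and the script assumes roles are INI sections with `users`, `groups` and `permissions` keys and that any key containing "/" is a restriction.

```python
import configparser

# Constructed sample roles.ini; role and group names are hypothetical.
SAMPLE_ROLES_INI = '''
[tier3]
groups = "Tier3-AD"
permissions = "module/monitoring"
monitoring/blacklist/properties = "service.vars.**.*,host.vars.**.*,service.vars.*,host.vars.*"

[sysadmins]
groups = "SysAdmins-AD"
permissions = "*"
'''

def _csv(value):
    """Split a quoted, comma-separated roles.ini value into a set of names."""
    return {v.strip() for v in value.strip('"').split(",") if v.strip()}

def load_roles(text):
    """Parse roles.ini text into {role: users, groups, permissions, restrictions}."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    roles = {}
    for name in cp.sections():
        sec = cp[name]
        roles[name] = {
            "users": _csv(sec.get("users", "")),
            "groups": _csv(sec.get("groups", "")),
            "permissions": _csv(sec.get("permissions", "")),
            # Assumption: every key containing "/" is a restriction.
            "restrictions": {k: v.strip('"') for k, v in sec.items() if "/" in k},
        }
    return roles

def restricted_admin(roles, user, user_groups):
    """Return {role: restrictions} still applied to a user who also holds '*'."""
    mine = {n: r for n, r in roles.items()
            if user in r["users"] or r["groups"] & set(user_groups)}
    if not any("*" in r["permissions"] for r in mine.values()):
        return {}  # not an all-permissions user, nothing to flag
    return {n: r["restrictions"] for n, r in mine.items() if r["restrictions"]}

if __name__ == "__main__":
    roles = load_roles(SAMPLE_ROLES_INI)
    # A promoted user who kept the old AD group alongside the new one.
    print(restricted_admin(roles, "promoted.admin", ["Tier3-AD", "SysAdmins-AD"]))
```

A non-empty result names the role whose restriction still applies, so the fix is to remove that group membership or the restriction.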