One user, two roles

unixe · November 18, 2019, 12:12pm

Hi community,

I thought my requirement was very simple, but in fact it isn"t
I import user groups from AD. All members of all groups should have a read-only access to the whole Icinga Web 2, allowed to see hosts and services - but not allowed to set downtimes or something like that.

[Icinga Read All]
groups = "Icinga Read All"
permissions = "module/graphite,module/monitoring"
monitoring/filter/objects = "host_name=*"

Besides that, all members of a developer group should be allowed to set downtimes only for their hosts (collected in a host group) and the assigned services.

[Icinga Write Dev]

groups = "Icinga Write Dev"
permissions = "module/monitoring,monitoring/command/downtime/*,monitoring/command/downtime/schedule,monitoring/command/downtime/delete"
monitoring/filter/objects = "hostgroup_name=dev"

What happens is: the user got both roles, they get merged, and the user is allowed to set downtimes on every host. But when I delete monitoring/filter/objects = "host_name=*" in the role [Icinga Read All], the user does not see all hosts, but only hosts included in host group dev.

I found this issue; it’s from 2016 and seems to cover my requirements. So my questions are:

Is there currently a way to implement what I’m trying to do here?
If not so: are there any plans to get this ready in Icinga Web 2? What would be needed?
If not so: will it be possible in the re-designed versions coming soon?

You also can contact me directly if that’s easier for you

Thanks for any hint,
Marianne

unic · November 18, 2019, 12:27pm

Hi Marianne,

i have a similar problem and havn’t found a solution for it yet. I have one group which need to see all hosts, but they should only have permissions to ackknowledge problems etc. on “their” hosts.

It looks like that is not possible yet, because as soon as I give the group these role, they will get them on ALL hosts they can see. > Is it possible to give permission to ackknowledge a problem only for some hosts?

I need that, because they should see other problems too, just to make sure, that there problems are not coming from some network devices f.e.

anon66228339 · November 18, 2019, 12:28pm

Hello Ceo from COCOC,

Solution = use 2 different users , for read use normal account , for dev create accounts with dev_username.

! User in many roles doesnt work, i have in mind that the role with the highest privileg wins.

Regards,
Carsten

nilmerg · November 18, 2019, 1:05pm

It’s not only you:

Though, we’re aware of this and plan to make this possible with Icinga DB and Icinga Web 2 v2.8 or v2.9 at the latest.

unixe · November 19, 2019, 9:37am

Hi,

thank you very much for this information.
Perhaps one should update the issue accordingly – seems to be a question asked more than once So I’ll be waiting for IcingaDB.

And @anon66228339: thanks for paying me homage Always a pleasure!

Cheers,
the CEO of CoCoC