One user, two roles

Hi community,

I thought my requirement was very simple, but in fact it isn"t :smiley:
I import user groups from AD. All members of all groups should have a read-only access to the whole Icinga Web 2, allowed to see hosts and services - but not allowed to set downtimes or something like that.

[Icinga Read All]
groups = "Icinga Read All"
permissions = "module/graphite,module/monitoring"
monitoring/filter/objects = "host_name=*"

Besides that, all members of a developer group should be allowed to set downtimes only for their hosts (collected in a host group) and the assigned services.

[Icinga Write Dev]

groups = "Icinga Write Dev"
permissions = "module/monitoring,monitoring/command/downtime/*,monitoring/command/downtime/schedule,monitoring/command/downtime/delete"
monitoring/filter/objects = "hostgroup_name=dev"

What happens is: the user got both roles, they get merged, and the user is allowed to set downtimes on every host. But when I delete monitoring/filter/objects = "host_name=*" in the role [Icinga Read All], the user does not see all hosts, but only hosts included in host group dev.

I found this issue; it’s from 2016 and seems to cover my requirements. So my questions are:

  • Is there currently a way to implement what I’m trying to do here?
  • If not so: are there any plans to get this ready in Icinga Web 2? What would be needed?
  • If not so: will it be possible in the re-designed versions coming soon?

You also can contact me directly if that’s easier for you :slight_smile:

Thanks for any hint,

1 Like

Hi Marianne,

i have a similar problem and havn’t found a solution for it yet. I have one group which need to see all hosts, but they should only have permissions to ackknowledge problems etc. on “their” hosts.

It looks like that is not possible yet, because as soon as I give the group these role, they will get them on ALL hosts they can see. > Is it possible to give permission to ackknowledge a problem only for some hosts?

I need that, because they should see other problems too, just to make sure, that there problems are not coming from some network devices f.e.

1 Like

Hello Ceo from COCOC,

Solution = use 2 different users :slight_smile:, for read use normal account , for dev create accounts with dev_username.

! User in many roles doesnt work, i have in mind that the role with the highest privileg wins.



It’s not only you:

Though, we’re aware of this and plan to make this possible with Icinga DB and Icinga Web 2 v2.8 or v2.9 at the latest.



thank you very much for this information.
Perhaps one should update the issue accordingly – seems to be a question asked more than once :slight_smile: So I’ll be waiting for IcingaDB.

And @Carsten: thanks for paying me homage :joy: Always a pleasure!

the CEO of CoCoC

1 Like