I thought my requirement was very simple, but in fact it isn't.
I import user groups from AD. All members of all groups should have read-only access to the whole Icinga Web 2, allowed to see hosts and services - but not allowed to set downtimes or something like that.
```ini
[Icinga Read All]
groups = "Icinga Read All"
permissions = "module/graphite,module/monitoring"
monitoring/filter/objects = "host_name=*"
```
Besides that, all members of a developer group should be allowed to set downtimes only for their hosts (collected in a host group) and the assigned services.
```ini
[Icinga Write Dev]
groups = "Icinga Write Dev"
permissions = "module/monitoring,monitoring/command/downtime/*,monitoring/command/downtime/schedule,monitoring/command/downtime/delete"
monitoring/filter/objects = "hostgroup_name=dev"
```
What happens is: the user got both roles, they get merged, and the user is allowed to set downtimes on every host. But when I delete `monitoring/filter/objects = "host_name=*"` in the role `[Icinga Read All]`, the user does not see all hosts, but only hosts included in host group
I found this issue; it’s from 2016 and seems to cover my requirements. So my questions are:
- Is there currently a way to implement what I’m trying to do here?
- If not so: are there any plans to get this ready in Icinga Web 2? What would be needed?
- If not so: will it be possible in the re-designed versions coming soon?
You can also contact me directly if that's easier for you.
Thanks for any hint,
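
An added example, not part of the original post and not Icinga Web 2 code: a small audit of a `roles.ini` that flags command permissions whose scope widens when one user matches several roles. It assumes the merge behaviour described in the post (permissions unioned, `monitoring/filter/objects` restrictions of all matching roles OR-ed); the function names and the embedded INI text are constructed for illustration.

```python
import configparser

# Constructed roles.ini, built from the two role definitions quoted in the post.
ROLES_INI = """
[Icinga Read All]
groups = "Icinga Read All"
permissions = "module/graphite,module/monitoring"
monitoring/filter/objects = "host_name=*"

[Icinga Write Dev]
groups = "Icinga Write Dev"
permissions = "module/monitoring,monitoring/command/downtime/*,monitoring/command/downtime/schedule,monitoring/command/downtime/delete"
monitoring/filter/objects = "hostgroup_name=dev"
"""
RESTRICTION = "monitoring/filter/objects"
COMMAND_PREFIX = "monitoring/command/"

def load_roles(text):
    """Parse role sections into {name: {groups, permissions, filter}}."""
    parser = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    parser.read_string(text)
    roles = {}
    for name in parser.sections():
        def csv(key, sec=parser[name]):
            return {v.strip() for v in sec.get(key, "").strip('"').split(",") if v.strip()}
        roles[name] = {"groups": csv("groups"), "permissions": csv("permissions"),
                       "filter": parser[name].get(RESTRICTION, "").strip('"') or None}
    return roles

def merged_view(roles, user_groups):
    """Assumed merge model from the post: union of permissions, OR of filters."""
    matched = {n: r for n, r in roles.items() if r["groups"] & set(user_groups)}
    permissions = set().union(*(r["permissions"] for r in matched.values()))
    filters = sorted({r["filter"] for r in matched.values() if r["filter"]})
    return matched, permissions, filters

def widened_commands(roles, user_groups):
    """Return (role, permission, intended filter, extra filters) for each command
    permission that applies beyond the filter of the role that granted it."""
    matched, _, filters = merged_view(roles, user_groups)
    findings = []
    for name, role in matched.items():
        extra = [f for f in filters if f != role["filter"]]
        if role["filter"] and extra:
            findings += [(name, p, role["filter"], extra)
                         for p in sorted(role["permissions"]) if p.startswith(COMMAND_PREFIX)]
    return findings

if __name__ == "__main__":
    print(widened_commands(load_roles(ROLES_INI), ["Icinga Read All", "Icinga Write Dev"]))
```

For a user in both groups this reports all three downtime permissions of `Icinga Write Dev` as also reaching `host_name=*`; for a user in only one group it reports nothing.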