Hello,
Currently I want to evaluate if we could grant customers access to icingaweb2 to allow them to see if their applications, which we are monitoring, are in a healthy state.
The problem is that users that are restricted to a servicegroup can also see contacts and contactgroups, which could (based on the customer contract) violate data security agreements.
Is there a way to hide/block that kind of information?
Go here and add a role: Configuration > Authentication > Roles
You’re mostly going to see things laid out like they do in the uri. Ctrl+click the ones you want.
The filters past Permissions Set take regular expressions. Keep an eye on the objects and paths and tweak things here. For example, I have service.vars.**.*,host.vars.**.*,service.vars.*,host.vars.* under monitoring/blacklist/properties to keep my tier3 role from being able to see sensitive information for certain checks.
Thank you for your answer,
With a limited user (permission “module/monitoring” and a servicegroup_name=something filter), I can see the contactgroup icingaadmin and the contacts inside the group. I am using icingaweb2 version 2.6.3
Can you share the service, notification, user configuration from Icinga 2 as well as the settings from Icinga Web 2 in roles.ini to allow reproducing this?
Does it mean it worked in the past (like the screenshots of mfriedrich show), is currently removed and comes again in a release which is only 63% complete at the moment (which means this will taaaake some time…)?
Is there no quick workaround possible to come at least to the state as it worked in the past?
We have to satisfy a customer request and we can’t give the customer access to sensitive contact data.
Restricting a user works very well. The only thing that is currently not possible is to restrict what details a user can see of a contact. (e.g. email, telephone)
This will still not be possible with v2.8 (which btw is soon to be released, the percentage is not an indication of how long it will take) but it’s then possible to completely block access to any contacts or contactgroups. A customer then for example can be blocked from seeing who’s getting notified and who’s not.
Thanks for your reply. Now I am confused, as you say restricting a user works well.
We created a user for the customer, who should only see a restricted set of machines and a restricted set of services and no contact information at all.
Restricting the hosts and service works fine, but all the contact data which the customer should not see is visible. This should be empty for a normal user like the screenshots from mfriedrich show, but it isn’t. It shows all contacts which are in use for the restricted set of hosts and their contact details.
Isn’t that what I described? That’s working as it should. It’s working since the user can only see those contacts which are in use for the restricted set of hosts. But no other contacts.
Wait for v2.8, apply the permission no-monitoring/contacts to the user’s role and that’s it.
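
As an added example (not part of the thread and not Icinga project code), the following script audits a roles.ini for customer-scoped roles that can still see contacts, using the no-monitoring/contacts permission named above. The role names, users and filters in the sample are constructed, and it is assumed that no-monitoring/contacts is listed in the role's permissions key and that customer roles are the ones carrying a monitoring/filter/objects restriction.

```python
import configparser

# Constructed sample roles.ini; role names, users and filters are made up.
SAMPLE_ROLES_INI = '''
[customer-acme]
users = "acme-viewer"
permissions = "module/monitoring"
monitoring/filter/objects = "servicegroup_name=acme"

[customer-globex]
users = "globex-viewer"
permissions = "module/monitoring, no-monitoring/contacts"
monitoring/filter/objects = "servicegroup_name=globex"
monitoring/blacklist/properties = "host.vars.*,service.vars.*"

[admins]
groups = "icingaadmins"
permissions = "*"
'''

HIDE_CONTACTS = "no-monitoring/contacts"    # permission named in the thread (v2.8+)
OBJECT_FILTER = "monitoring/filter/objects"  # restriction that scopes a role


def _unquote(value):
    """Strip surrounding whitespace and the double quotes used in roles.ini."""
    return value.strip().strip('"')


def roles_exposing_contacts(ini_text):
    """Return names of filter-restricted roles that lack no-monitoring/contacts."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # keep option names exactly as written
    parser.read_string(ini_text)
    exposed = []
    for role in parser.sections():
        opts = parser[role]
        if not _unquote(opts.get(OBJECT_FILTER, "")):
            continue  # no object filter: treated as an internal, unrestricted role
        perms = {p.strip() for p in _unquote(opts.get("permissions", "")).split(",")}
        if HIDE_CONTACTS not in perms:
            exposed.append(role)
    return exposed


if __name__ == "__main__":
    for name in roles_exposing_contacts(SAMPLE_ROLES_INI):
        print(f"role '{name}' is object-filtered but can still view contacts")
```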