Restrict visibility of some objects

Hello,
Currently I want to evaluate if we could grant customers access to icingaweb2 to allow them to see if their applications, which we are monitoring, are in a healthy state.
The problem is that users that are restricted to a servicegroup can also see contacts and contactgroups, which could (based on the customer contract) violate data security agreements.

Is there a way to hide/block that kind of information?

There is. Test it aggressively with dummy users.

Go here and add a role: Configuration > Authentication > Roles

You’re mostly going to see things laid out like they do in the uri. Ctrl+click the ones you want.

The filters past Permissions Set take regular expressions. Keep an eye on the objects and paths and tweak things here. For example, I have service.vars.**.*,host.vars.**.*,service.vars.*,host.vars.* under monitoring/blacklist/properties to keep my tier3 role from being able to see sensitive information for certain checks.

More info here: https://icinga.com/docs/icingaweb2/latest/doc/06-Security/#security-roles

2 Likes

Thank you. That way I can hide a lot of unnecessary information for customers, but how can I hide contacts?

Hi,

contact* is hidden from limited access by default. Just ensure to grant access to the monitoring module and apply the host/service filters.

Below is just a 5 minutes test done inside the Icinga Vagrant box “standalone”.

[Screenshots: Role configuration; View as Admin; View as Restricted User]

Conclusion

This is hidden by default, being a privacy risk; there is no way to filter and whitelist specific list items there.

Cheers,
Michael

Thank you for your answer.
With a limited user (permission “module/monitoring” and a servicegroup_name=something filter), I can see the contactgroup icingaadmin and the contacts inside the group. I am using icingaweb2 version 2.6.3.

Can you share the service, notification, user configuration from Icinga 2 as well as the settings from Icinga Web 2 in roles.ini to allow reproducing this?

sure: icinga2-config.zip (2.9 KB)

Hello DNSMICHI,

we are using the following versions.

Icinga2 2.11.2-1
Icinga Web 2 Version 2.7.3
Icinga2 Director 1.7.2

Is it possible that viewing the contacts is not hidden anymore in this version for non-Admin users?

We found no way to hide it.

Kind regards,
Oliver

1 Like

There will be a new permission available with Icinga Web 2 2.8

Then any contact(group) information can be blocked for particular roles.

2 Likes

Hello nilmerg,

thanks for your reply.

Does it mean it worked in the past (like the screenshots of mfriedrich show), is currently removed and comes again in a release which is only 63% complete at the moment (which means this will taaaake some time…)?

Is there no quick workaround possible to come at least to the state as it worked in the past?
We have to satisfy a customer request and we can’t give the customer access to sensitive contact data.

Kind regards,
Oliver

Restricting a user works very well. The only thing that is currently not possible is to restrict what details a user can see of a contact. (e.g. email, telephone)

This will still not be possible with v2.8 (which btw is soon to be released, the percentage is not an indication of how long it will take) but it’s then possible to completely block access to any contacts or contactgroups. A customer then for example can be blocked from seeing who’s getting notified and who’s not.

Hello nilmerg,

thanks for your reply. Now I am confused, as you say restricting a user works well.

We created a user for the customer, who should only see a restricted set of machines and a restricted set of services and no contact information at all.

Restricting the hosts and services works fine, but all the contact data which the customer should not see is visible. This should be empty for a normal user like the screenshots from mfriedrich show, but it isn’t. It shows all contacts which are in use for the restricted set of hosts and their contact details.

How can we disable that?

Kind regards,
Oliver

This is exactly what I can reproduce at my icinga2 instances.

Isn’t that what I described? That’s working as it should. It’s working since the user can only see those contacts which are in use for the restricted set of hosts. But no other contacts.

Wait for v2.8, apply the permission no-monitoring/contacts to the user’s role and that’s it.
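
The two role settings discussed in this thread, the blacklist/filter approach from the first answer and the no-monitoring/contacts permission nilmerg names for v2.8, written out as an added roles.ini example (this is not the thread’s own configuration and not taken from the Icinga docs). The login name customer1 and the servicegroup name something are placeholders; the permission and restriction keys are the ones named in the posts above. Before 2.8 the first role still lists the contacts attached to the hosts it can see, which is the behaviour Oliver describes; the second role is what 2.8 adds on top.

```ini
; roles.ini (Icinga Web 2) -- added example, not from the thread or the Icinga project.
; "customer1" and "something" are assumed placeholder values.

[customer-restricted]
users = "customer1"
; Grant only the monitoring module: no command, config or admin permissions.
permissions = "module/monitoring"
; Only hosts/services of one servicegroup are visible (filter as used in the thread).
monitoring/filter/objects = "servicegroup_name=something"
; Hide custom variables that may carry sensitive data (pattern from the first answer).
monitoring/blacklist/properties = "service.vars.**.*,host.vars.**.*,service.vars.*,host.vars.*"

; Icinga Web 2 2.8 and later: the same role plus the permission nilmerg names,
; which blocks the contact and contactgroup views for this role entirely.
[customer-restricted-no-contacts]
users = "customer1"
permissions = "module/monitoring,no-monitoring/contacts"
monitoring/filter/objects = "servicegroup_name=something"
monitoring/blacklist/properties = "service.vars.**.*,host.vars.**.*,service.vars.*,host.vars.*"
```

As the first answer says, verify each role by logging in as a dummy user in that role and opening the contact and contactgroup pages directly, since the blacklist only hides properties and the object filter only narrows hosts and services; neither one hides contacts on its own.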

Ok, thanks for clarifying, nilmerg!

When, do you think, will 2.8 be released?

Kind regards,
Oliver

1 Like

An RC is planned next week.

1 Like

same problem here, any news on the fix?