Sidebar

manual:web_interface:frontend_sections:administration:user_roles

5 User roles

Overview

In the Administration → User roles section roles that can be assigned to system users and specific permissions for each role are maintained.

Default user roles

By default, Zabbix is configured with four user roles, which have a pre-defined set of permissions:

  • Admin role
  • Guest role
  • Super admin role
  • User role

Default Super admin role cannot be modified or deleted, because at least one Super admin user with unlimited privileges must exist in Zabbix.

Zabbix users with type Super admins and proper permissions can modify or delete existing roles or create new custom roles.

To create a new role, click on the Create user role button at the top right corner. To update an existing role, press on the role name to open the configuration form.

Available permission options along with default permission sets for pre-existing user roles in Zabbix are described below.

ParameterDescription Default user roles
Super admin roleAdmin roleUser roleGuest role
Name Role visible name. Super admin role Admin role User role Guest role
User type Selected user type determines the list of available permissions.
Upon selecting a user type, all available permissions for this user type are granted by default.
Uncheck the checkbox(es) to revoke certain permissions for the user role.
Checkboxes for permissions not available for this user type are greyed out.
Super admin Admin User User
Access to UI elements
Monitoring
DashboardEnable/disable access to a specific Monitoring menu section and underlying pages. Yes Yes Yes Yes
Problems
Hosts
Overview
Latest data
Screens
Maps
Discovery No No
Services Yes Yes
Inventory
OverviewEnable/disable access to a specific Inventory menu section and underlying pages. Yes Yes Yes Yes
Hosts
Reports
System informationEnable/disable access to a specific Reports menu section and underlying pages. Yes No No No
Availability report Yes Yes Yes
Triggers top 100
Audit No No No
Action log
Notifications Yes
Configuration
Host groupsEnable/disable access to a specific Configuration menu section and underlying pages. Yes Yes No No
Templates
Hosts
Maintenance
Actions
Event correlation No
Discovery Yes
Services
Administration
General Enable/disable access to a specific Administration menu section and underlying pages. Yes No No No
Proxies
Authentication
User groups
User roles
Users
Media types
Scripts
Queue
Default access to new UI elementsEnable/disable access to the custom UI elements. Modules, if present, will be listed below. Yes Yes Yes Yes
Access to modules
<Module name>Allow/deny access to a specific module. Only enabled modules are shown in this section. It is not possible to grant or restrict access to a module that is currently disabled. Yes Yes Yes Yes
Default access to new modulesEnable/disable access to modules that may be added in the future.
Access to API
Enabled Enable/disable access to API.YesYesYesNo
API methodsSelect Allow list to allow only specified API methods or Deny list to restrict only specified API methods.

In the search field, start typing the method name, then select the method from the auto-complete list.
You can also press the Select button and select methods from the full list available for this user type. Note, that if certain action from the Access to actions block is unchecked, users will not be able to use API methods related to this action.

Wildcards are supported. Examples: dashboard.* (all methods of 'dashboard.' API service) * (any method), *.export (methods with '.export' name from all API services).

If no methods have been specified the Allow/Deny list rule will be ignored.
Access to actions
Create and edit dashboards and screens Clearing this checkbox will also revoke the rights to use .create, .update and .delete API methods for the corresponding elements. Yes Yes Yes No
Create and edit maps
Create and edit maintenance No
Add problem comments Clearing this checkbox will also revoke the rights to perform corresponding action via event.acknowledge API method. Yes
Change severity
Acknowledge problems
Close problems
Execute scriptsClearing this checkbox will also revoke the rights to use the script.execute API method.
Default access to new actions Enable/disable access to new actions.

Notes:

  • Each user may have only one role assigned.
  • If an element is restricted, users will not be able to access it even by entering a direct URL to this element into the browser.
  • Users of type User or Admin cannot change their own role settings.
  • Users of type Super admin can modify settings of their own role (not available for the default Super admin role), but not the user type.
  • Users of all levels cannot change their own user type.

See also: