Ad Widget

**Yello** · 10-10-2011, 22:53

Hi,
I give hardly anyone read/write access regardless of their role so I don't have this issue. I wonder consider reorganizing the way you handle permissions and see if that works for you.

How does it work for you if you create template groups and give these users rw access to their specific template domains and ro access to the zabbix hosts and hostgroups? In fact, I think i'll check this out when i get time cos I'm bound to get pressure to give certain users rw access sooner or later.

Regards,
David

**RobertS** · 12-10-2011, 12:59

My Admins need to change profile information and add hosts.This is not possible unless you have rw access to the template linked to the host.

What has the profile information of the host to do with a template?

Another example: It is possible to change the status of the Host (Monitored, Not monitored) by clicking the status-link on the host list, but it is NOT possible to change the status in the update-form on the host.

I understand the technical reason for this, but not the logical.

**Yello** · 12-10-2011, 16:22

Originally posted by RobertS

My Admins need to change profile information and add hosts.This is not possible unless you have rw access to the template linked to the host.

What has the profile information of the host to do with a template?

Another example: It is possible to change the status of the Host (Monitored, Not monitored) by clicking the status-link on the host list, but it is NOT possible to change the status in the update-form on the host.

I understand the technical reason for this, but not the logical.

You seem to be getting annoyed with me. Don't do that otherwise I might get annoyed too.

Investigate using the api to make the types of changes these people need. You might find that some lateral thinking allows you to resolve this issue.

Regards,
David

**RobertS** · 13-10-2011, 13:45

Hi David,

my 2nd post was just some more investigations on the case and clarification on what the problem is. Sorry, don't get annoyed, don't take it personal. I always appreciate someone who wants to help others like you.

I am a little bit disappointed that I can't use the permission system and simply don't understand why there is permission needed on a template to change the ip address or serial number of a host. And I wonder if someone else has the same problem.

I will have a look at the code.

Regards,
Robert

**Yello** · 14-10-2011, 09:18

Hi,
I think the best solution to yor problem is to implement the functionality required by your admins via script and the api; and then lock down the front-end accounts. I would definitely recommend creating and configuring at least your hosts via the api...

I think I've read somewhere that the permissions system will change in the future and become more granular. Until then you need to work around it where it doesn't meet your needs. What I've suggested might help you in that regard or get you thinking in new directions.

Regards,
David

**RobertS** · 17-10-2011, 11:20

Solution found

I found a solution for my problem, which might be "quick and dirty", but it works for me.

The permission error when you click "Save" on "hosts.php" and don't have write-access to a linked template is generated in the "function massAdd" in "class.ctemplate.php". I am no programmer but as I understand the templates are checked here for write-permission (editable) and if not an error is raised. So I simply remarked this line (line 1154 in 1.8.6) :

Code:

foreach($templates as $tnum => $template){
 if(!isset($upd_templates[$template['templateid']])){
[COLOR="red"]//[/COLOR]  self::exception(ZBX_API_ERROR_PERMISSIONS, S_NO_PERMISSION);
 }
}

Another option is to remark the editable-check (line 1148 in 1.8.6):

Code:

$upd_templates = self::get(array(
 'templateids' => $templateids,
[COLOR="red"]//[/COLOR] 'editable' => 1,
 'preservekeys' => 1
));

WARNING: This may have unwanted side-effects and changes the permission system!!!

I checked the following functionality:
Setup: User with right "Zabbix Admin" and RW access for a hostgroup containing some server-hosts he wants to administer; templates in a separate hostgroup managed centrally by "Super Admins" with RO access on this hostgoup for the user

User can link templates to the server-host, he can select the templates he has RO access on
User can "unlink and clear" template, unlink only is denied
User can edit host details, profile, ext. profile for server-host
User can add items to the host
User can see and click on items of the server-host coming from the template and can change the not greyedout parts
User can not edit the item of the template
User can not select the template from "Configuration/Templates", so he can not edit it

Modified setup: The template used is moved from the central templates hostgroup (RO) to the hostgroup of server-hosts (RW) to become a template managed by this user. The template has an other linked templates which are still in the central templates hostgroup (RO) and should not be modified.

User can edit the (his) template
User can not edit the linked template and its items
User can add item to his template and modify existing items
User can link and unlink additional templates from central templates hostgroup

That's exactly what I wanted. If anybody knows what will not work any more after this change - any input is welcome.

Regards,
Robert

**rosangela** · 09-01-2012, 19:35

Cannot link template when Zabbix Admin has read-only access to templates

The mentioned problem occurs from Zabbix frontend version 1.8.5 or upper, which requires to Zabbix Admin Read/Write access to the templates group in order to link templates to a new or existing host.
In Zabbix 1.8.3 it works exactly the way I wanted. The Zabbix Admin needs only ReadOnly access to the templates group and access Read/Write to the hosts groups he wants to.
Please, could someone fix the new versions of Zabbix?

Ad Widget

Permission for (Central) Templates

Permission for (Central) Templates

Comment

Comment

Comment

Comment

Comment

Comment

Comment