Zabbix API - allowing user to change password but not user groups (user.update)

  • barney-s
    Junior Member
    • Feb 2024
    • 1

    #1

    Zabbix API - allowing user to change password but not user groups (user.update)

    Hi,

    I'm creating a user to access Zabbix via the API. The user needs to be fairly limited in what it can do - I have that all working OK using a combination of user roles and user groups.

    I need the user to be able to change its password via the API. The obvious way to do this seems to be to grant access to "user.update" via the "API methods Allow list" in the role. That works - the user can call "user.update" with their current password and set a new password.

    The problem is that they can also change "usrgrps", allowing them to escalate privileges (by adding themselves to other user groups).

    Am I missing something? Is there some other way to allow a user to change only their password via the API?

    Thanks,

    Barney
  • cyber
    Senior Member
    Zabbix Certified Specialist, Zabbix Certified Professional
    • Dec 2006
    • 4807

    #2
    Looks like you have not missed anything... that's how it works.. It does look a bit weird... but at least they cannot update their type .. :P
    You can submit a bugreport, if you think it is a bug.. https://support.zabbix.com/browse/ZBX (in a way I think it is... user.create with usrgrp adding is given to superadmins, but change of groups for everyone, does not compute too well...)


    • Stephen378Baker
      Junior Member
      • Feb 2024
      • 2

      #3
      Originally posted by barney-s
      Hi,

      I'm creating a user to access Zabbix via the API. The user needs to be fairly limited in what it can do - I have that all working OK using a combination of user roles and user groups.

      I need the user to be able to change its password via the API. The obvious way to do this seems to be to grant access to "user.update" via the "API methods Allow list" in the role. That works - the user can call "user.update" with their current password and set a new password.

      The problem is that they can also change "usrgrps", allowing them to escalate privileges (by adding themselves to other user groups).

      Am I missing something? Is there some other way to allow a user to change only their password via the API?

      Thanks,

      Barney
      Hello barney-s,

      Thank you for reaching out! It’s great that you’re configuring user access via the Zabbix API. Let’s address your concern about allowing users to change their password while preventing them from modifying user groups.

      The user.update method in the Zabbix API indeed allows you to update existing users, including changing passwords. However, as you’ve observed, it also permits users to modify their associated user groups, which can lead to unintended privilege escalation.

      To achieve your goal of allowing users to change their password without granting them the ability to alter user groups, consider the following approach:

      Custom Script or Middleware:
      Instead of directly using the user.update method, create a custom script or middleware that handles password changes.
      In this custom logic, validate the user’s current password and enforce the password policy rules.
      By doing so, you can ensure that users can only change their own passwords without affecting other properties.

      Role-Based Permissions:
      Review the permissions assigned to the user roles.
      While granting access to user.update, consider removing permissions related to modifying user groups (such as usrgrps).
      This way, users can change their passwords but won’t have the ability to manipulate user groups.

      User Group Separation:
      Organize user groups carefully to prevent accidental privilege escalation.
      Create separate user groups for different levels of access (e.g., read-only users, administrators, etc.).
      Assign users to appropriate groups based on their responsibilities.

      Remember that security is crucial, especially when dealing with user privileges. By combining the above strategies, you can allow password changes while maintaining control over user group modifications.

      If you encounter any further issues or need additional assistance, feel free to ask. Good luck with your Zabbix setup!

      Thanks
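      Added example of the "custom script or middleware" idea from the post above (not code from the thread or from Zabbix): a small gateway that proves the caller's current password with user.login and then issues a user.update carrying only userid, current_passwd and passwd, so a client can never supply usrgrps. It assumes Zabbix 6.4+ (Authorization: Bearer header, "username" login parameter, current_passwd on user.update) and a placeholder URL; because the Zabbix role must still allow user.update, it only helps where users are kept from calling api_jsonrpc.php directly.

```python
"""Self-service password-change gateway for the Zabbix API (added example,
not code from the thread or from Zabbix). Assumes Zabbix 6.4+: Bearer
token header, user.login with "username"/userData=True returning "userid",
user.update taking userid, current_passwd, passwd. URL is a placeholder."""
import json
import urllib.request

ZABBIX_URL = "https://zabbix.example.org/api_jsonrpc.php"  # placeholder
ALLOWED = {"current_passwd", "passwd"}  # the only client-supplied fields


def build_user_update(client_request: dict, userid: str) -> dict:
    """Build the only user.update body the gateway will ever send.
    Any other key (usrgrps, roleid, a foreign userid, ...) is refused and so
    never reaches the API; userid comes from the login result, not the client."""
    extra = set(client_request) - ALLOWED
    if extra:
        raise ValueError(f"fields not permitted: {sorted(extra)}")
    if not client_request.get("current_passwd") or not client_request.get("passwd"):
        raise ValueError("current_passwd and passwd are required")
    return {"jsonrpc": "2.0", "method": "user.update", "id": 1,
            "params": {"userid": userid,
                       "current_passwd": client_request["current_passwd"],
                       "passwd": client_request["passwd"]}}


def rpc(body: dict, token: str = "") -> dict:
    """POST one JSON-RPC call; raise if Zabbix reports an error."""
    headers = {"Content-Type": "application/json-rpc"}
    if token:
        headers["Authorization"] = f"Bearer {token}"
    req = urllib.request.Request(ZABBIX_URL, json.dumps(body).encode(), headers)
    with urllib.request.urlopen(req) as resp:
        reply = json.load(resp)
    if "error" in reply:
        raise RuntimeError(reply["error"])
    return reply["result"]


def change_own_password(username: str, current_passwd: str, new_passwd: str) -> bool:
    """Prove the old password via user.login, then send the sanitised update."""
    login = rpc({"jsonrpc": "2.0", "method": "user.login", "id": 1,
                 "params": {"username": username, "password": current_passwd,
                            "userData": True}})
    body = build_user_update({"current_passwd": current_passwd,
                              "passwd": new_passwd}, login["userid"])
    return "userids" in rpc(body, login["sessionid"])
```

      Only build_user_update is exercised offline; change_own_password needs a reachable Zabbix frontend.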


      • cyber
        Senior Member
        Zabbix Certified Specialist, Zabbix Certified Professional
        • Dec 2006
        • 4807

        #4
        What the hell is that? ... long talk and only thing to suggest is something, that is not possible...
        While granting access to user.update, consider removing permissions related to modifying user groups (such as usrgrps).
