Hello,
I have a question about optimizing notifications when users and user groups (UG) are managed via SAML (Entra).
Before implementing SAML, I used a straightforward approach: I created users, assigned them to user groups, and then attached notifications to those groups. I stopped assigning notifications directly to users a long time ago.
With SAML, the situation has become more complicated:
The problem arises with notifications:
I have around 30 notifications, each tied to a different user group. However, users created via SAML JIT provisioning cannot be manually added to Zabbix user groups. Does this mean I need to create another 30 groups in Entra and effectively delegate the entire RBAC model to the O365/Azure team?
From this, it seems the RBAC model must follow these rules:
I currently see two possible approaches:
Option A: Everyone sees everything
Option B: NOTIFY groups also define visibility of monitored objects and metrics
How are you handling this in your environments?
I have a question about optimizing notifications when users and user groups (UG) are managed via SAML (Entra).
Before implementing SAML, I used a straightforward approach: I created users, assigned them to user groups, and then attached notifications to those groups. I stopped assigning notifications directly to users a long time ago.
With SAML, the situation has become more complicated:
- Everything is managed automatically by SAML (Entra).
- I have 10 SAML groups mapped to corresponding Zabbix user groups, each with a specific role derived from the three base roles.
The problem arises with notifications:
I have around 30 notifications, each tied to a different user group. However, users created via SAML JIT provisioning cannot be manually added to Zabbix user groups. Does this mean I need to create another 30 groups in Entra and effectively delegate the entire RBAC model to the O365/Azure team?
From this, it seems the RBAC model must follow these rules:
- When multiple SAML mappings apply, Zabbix evaluates the base role type first. The higher base role wins. If roles share the same base type, the more restrictive (weaker) role is selected.
- All baseline users without notifications will have the ZBX ReadOnly role.
- All NOTIFY groups should map to the same neutral role, ideally the lowest usable one (ZBX ReadOnly).
- SAML controls both the assignment to base Zabbix groups/roles and to NOTIFY groups/roles, ensuring conflict-free permission management.
I currently see two possible approaches:
Option A: Everyone sees everything
- Metrics are not considered sensitive within the company, so all users can see everything. The open question is how to handle external users — I have not received clear guidance from management.
- Notification groups with users assigned in Entra would then effectively act as pure Exchange distribution lists.
Option B: NOTIFY groups also define visibility of monitored objects and metrics
- Visibility of hosts is determined by Zabbix user groups mapped from SAML groups (e.g., SAML IIS → ZBX IIS).
- However, this significantly increases the number of groups from a permissions perspective. For example, for IIS I would need SAML groups like: SAML IIS Admin, SAML IIS Operator L2, SAML IIS Operator L1, SAML IIS ReadOnly — and similarly for MS SQL, RabbitMQ, LAN/WAN, etc.
How are you handling this in your environments?