I'm confused about Zabbix's current user group implementation, where read-only access is overriding read/write access.
I have a scenario where I have a NOC group and an Admin group.
The NOC group is for monitoring only. The people here should only be able to view status and receive alerts when something is wrong, and as such only have read-only access to most hostgroups.
The Admin group should not receive alerts unless NOC fails to react in time but may edit certain hostgroups and create new hosts.
Now, I have a NOC member who is made head of NOC and is added to the Admin group. But the NOC group's read-only access permissions override the Admin group's read/write permissions, so the user can't do more now than before adding him to the Admin group. So I have to remove the user from the NOC group, which then prevents the user from getting the alerts, which are only sent to the NOC group. As such, I have to create specific actions for just this user or create a third "NOC + Admin" group to remedy this, which kind of defeats the purpose of multiple groups.
In my opinion, explicit read/write access should always override read-only access. If neither read/write nor read-only access is given, it should automatically deny access. No need for explicitly denying access, IMHO.
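The two resolution rules contrasted in the post above, modelled side by side as an added example (not part of the original post and not Zabbix code): `restrictive_wins` reproduces the behaviour the poster reports, `permissive_wins` the rule the poster proposes. The group rules, host group names and function names are constructed for illustration.

```python
from enum import IntEnum
from itertools import combinations

class Access(IntEnum):
    NONE = 0        # no explicit rule: access denied
    READ = 1
    READ_WRITE = 2

# Constructed sample rules mirroring the scenario in the post.
GROUP_RULES = {
    "NOC":   {"Linux servers": Access.READ, "Network": Access.READ},
    "Admin": {"Linux servers": Access.READ_WRITE},
}

def grants(user_groups, hostgroup):
    """Explicit rules the user's groups define for one host group."""
    return [GROUP_RULES[g][hostgroup] for g in user_groups
            if hostgroup in GROUP_RULES.get(g, {})]

def restrictive_wins(user_groups, hostgroup):
    """Behaviour reported in the post: the lowest explicit grant wins."""
    return min(grants(user_groups, hostgroup), default=Access.NONE)

def permissive_wins(user_groups, hostgroup):
    """Proposed rule: the highest explicit grant wins, no grant means deny."""
    return max(grants(user_groups, hostgroup), default=Access.NONE)

def adding_group_never_reduces(policy):
    """True if joining an extra group can never lower a user's access."""
    groups = list(GROUP_RULES)
    hostgroups = {hg for rules in GROUP_RULES.values() for hg in rules}
    for size in range(1, len(groups)):
        for base in combinations(groups, size):
            for extra in (g for g in groups if g not in base):
                for hg in hostgroups:
                    before = policy(list(base), hg)
                    after = policy(list(base) + [extra], hg)
                    if after < before:
                        return False
    return True

if __name__ == "__main__":
    head_of_noc = ["NOC", "Admin"]
    for policy in (restrictive_wins, permissive_wins):
        level = policy(head_of_noc, "Linux servers")
        print(policy.__name__, level.name, adding_group_never_reduces(policy))
```

The monotonicity check is what separates the two rules: under the reported behaviour, membership in a second group can leave a user with less access than the group alone would give, which is the situation that forces the third "NOC + Admin" group.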