I'm still new to the Zabbix world, only about 6 months in, so this may be a design function of the system but it seems like a loophole to me....
We've setup accounts for each of the admin roles in the shop. For example, network admin, windows server admin, unix admin, etc....
Each admin is setup with a Zabbix Admin (not Zabbix Super Admin) account. Their account is setup with full rights to their host group (Network Devices, Win Servers, Unix Servers). This way they can add devices, remove devices, change items, change triggers etc... They cannot see or modify each others groups at all.
So far so good and everything works great.
Loophole time. Under Host Groups they are able to create new groups even though they only have rights to their own group. So since they only have rights to the Host Group with their devices and templates in it, they cannot see, edit, remove or do anything with the new group they have created....
If the accounts are set to only Zabbix User accounts they cannot access the Configuration options....
We need each section to be able to maintain their devices without causing grief to any other group.... Is there an option we can use that says "if account XYZ creates a new host group, they automatically get full rights to the group they just created?"
Or.... Zabbix Admin accounts can't create new Host Groups since they won't have rights to change anything in them anyway?
thoughts?
We've setup accounts for each of the admin roles in the shop. For example, network admin, windows server admin, unix admin, etc....
Each admin is setup with a Zabbix Admin (not Zabbix Super Admin) account. Their account is setup with full rights to their host group (Network Devices, Win Servers, Unix Servers). This way they can add devices, remove devices, change items, change triggers etc... They cannot see or modify each others groups at all.
So far so good and everything works great.
Loophole time. Under Host Groups they are able to create new groups even though they only have rights to their own group. So since they only have rights to the Host Group with their devices and templates in it, they cannot see, edit, remove or do anything with the new group they have created....
If the accounts are set to only Zabbix User accounts they cannot access the Configuration options....
We need each section to be able to maintain their devices without causing grief to any other group.... Is there an option we can use that says "if account XYZ creates a new host group, they automatically get full rights to the group they just created?"
Or.... Zabbix Admin accounts can't create new Host Groups since they won't have rights to change anything in them anyway?
thoughts?