Permission inheriting doesn't work correctly

  • qix
    Senior Member
    Zabbix Certified Specialist, Zabbix Certified Professional
    • Oct 2006
    • 423

    #1

    Permission inheriting doesn't work correctly

    When a user is assigned "Zabbix Super Admin" rights and added to the Zabbix administrators group, the user has full read/write permissions.
    However, when the user is added to a group that has only read rights, these rights override the Zabbix admin rights.

    It doesn't matter to which group the user is first added; the lower rights override the higher rights.

    Reported in ZBX-240.
    With kind regards,

    Raymond
  • Aly
    ZABBIX developer
    • May 2007
    • 1126

    #2
    There is nothing wrong in my opinion.
    Zabbix | ex GUI developer

    • qix
      Senior Member
      Zabbix Certified Specialist, Zabbix Certified Professional
      • Oct 2006
      • 423

      #3
      So you're saying this behavior is "as designed"?

      I use the group to send SMS and email alerts to.
      If a user is also a Zabbix administrator that needs to receive SMS alerts for the Windows administrators group, I need to make a separate account for this.

      On a side note, company policy doesn't allow for generic administrator accounts. We need to be able to track down changes to a person.
      With kind regards,

      Raymond

      • qix
        Senior Member
        Zabbix Certified Specialist, Zabbix Certified Professional
        • Oct 2006
        • 423

        #4
        Aly, could you please answer my question?

        To anyone who knows:

        Also, I'm trying to set up a "monitoring user" which needs to have read-only access to everything, but can't change anything.

        First I selected the node read-only, but then the user was still denied access to all the host groups (and thus, the hosts).

        Then I added all host groups to read-only (not very handy imo).

        The user is now able to open the overview screen and see the latest data, but it cannot see graphs nor can it see the active triggers in the "active triggers" screen.

        How can I solve this?
        With kind regards,

        Raymond

        • qix
          Senior Member
          Zabbix Certified Specialist, Zabbix Certified Professional
          • Oct 2006
          • 423

          #5
          Making the user a Zabbix Admin enables the screens.
          With kind regards,

          Raymond

          • Aly
            ZABBIX developer
            • May 2007
            • 1126

            #6
            There must be some item that belongs to a host on which the user doesn't have permissions. A user can see all screens/slide shows if he has the needed permissions.
            Zabbix | ex GUI developer

            • tighep
              Senior Member
              • Dec 2007
              • 124

              #7
              Originally posted by Aly
              There is nothing wrong in my opinion.

              I would disagree. Why is it configured to take the lowest possible permissions when I have specifically granted that user more permissions? A practical example from my case: our UNIX admin group is 6 people, only two of us have any experience working with the hosts/items/triggers inside of Zabbix. The others have no interest, and just want to see the maps and graphs. If I add the two admin users to the UNIX admin group, for easier group emailing, we lose write access. It makes the groups less granular, and makes emailing specific groups much more difficult if one of the users is an admin. I would like to see Zabbix inherit the highest permissions that have been granted, not the lowest.

              • qix
                Senior Member
                Zabbix Certified Specialist, Zabbix Certified Professional
                • Oct 2006
                • 423

                #8
                I agree, I expected the user rights to work exactly that way.
                With kind regards,

                Raymond
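
Added example (not part of the thread and not Zabbix code): a simplified model of the behaviour discussed above, where a user's effective permission on a host group is the lowest one granted by any of their user groups, plus an audit helper that lists users whose write access is masked by a read-only group. The group names, user names, host group name and the two-level permission ordering are constructed for illustration.

```python
from enum import IntEnum

class Perm(IntEnum):
    # Constructed ordering for this example; higher means more access.
    READ = 1
    READ_WRITE = 2

# Constructed sample data mirroring the thread: one group grants write access,
# the other exists mainly as an alert (e-mail/SMS) distribution list.
GROUP_PERMS = {
    "Zabbix administrators": {"Unix servers": Perm.READ_WRITE},
    "UNIX admins": {"Unix servers": Perm.READ},
}
MEMBERSHIPS = {
    "admin1": ["Zabbix administrators", "UNIX admins"],
    "admin2": ["Zabbix administrators"],
    "viewer1": ["UNIX admins"],
}

def grants_for(user, host_group):
    """Return [(user_group, Perm)] for each of the user's groups with a grant on host_group."""
    return [(g, GROUP_PERMS[g][host_group])
            for g in MEMBERSHIPS.get(user, [])
            if host_group in GROUP_PERMS.get(g, {})]

def effective(user, host_group, lowest_wins=True):
    """Resolve the effective permission; None means no group grants anything."""
    perms = [p for _, p in grants_for(user, host_group)]
    if not perms:
        return None
    # lowest_wins=True is the behaviour reported in the thread;
    # lowest_wins=False is the "highest grant wins" behaviour the posters expected.
    return min(perms) if lowest_wins else max(perms)

def downgraded(host_group):
    """Map each user whose highest grant is masked to the groups causing the downgrade."""
    findings = {}
    for user in MEMBERSHIPS:
        grants = grants_for(user, host_group)
        if not grants:
            continue
        low, high = min(p for _, p in grants), max(p for _, p in grants)
        if low < high:
            findings[user] = sorted(g for g, p in grants if p == low)
    return findings

if __name__ == "__main__":
    for user, groups in downgraded("Unix servers").items():
        print(f"{user}: write access masked by {groups}")
```

Running the audit before adding an administrator to a notification-only group shows which accounts would silently lose write access under the lowest-wins rule.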
