Security and Authentication
Multiple authentication methods
The Zabbix web frontend supports several authentication methods:
- Internal database
- HTTP basic authentication
- LDAP authentication
If LDAP is used as the authentication method and it becomes unavailable for any reason, user groups may still use internal authentication to access the Zabbix web frontend.
Encryption between Zabbix components
With encryption support, communications between separate Zabbix components (such as Zabbix server, proxies, agents and command-line utilities) can be secured using the Transport Layer Security (TLS) protocol v.1.2. Both certificate-based and pre-shared key-based encryption are supported. Encryption is optional and configurable for individual components.
Zabbix has a flexible user permission schema, which can be efficiently used to manage user permissions within one Zabbix installation or in a distributed environment.
Zabbix supports several types of users. User types are used to define access to administrative functions and to specify default permissions.
|Zabbix User|The user has access to the Monitoring menu. The user has no access to any resources by default. Permissions to host groups must be explicitly assigned.|
|Zabbix Admin|The user has access to Monitoring and Configuration. The user has no access to any host groups by default. Permissions to host groups must be explicitly given.|
|Zabbix Super Admin|The user has access to everything: Monitoring, Configuration and Administration. The user has read-write access to all host groups. Permissions cannot be revoked by denying access to specific host groups.|
Granting access to hosts
Permissions are granted to user groups on a host group level. Thus access to a host depends on what kind of permissions the user group has for the host group the host belongs to.
There are three kinds of permissions to access hosts or host groups:
- Read-write – read-write access
- Read-only – read-only access
- Deny – access denied
The screenshot below gives an overall idea of how easy it is to assign user permissions for hosts or host groups.
Permissions are granted by adding a host group to the respective access level (RW/RO/denied).
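The permission model described above can be audited offline with a small resolver. This is an added example, not part of the original page or of Zabbix itself. All user, user group, host group and host names are constructed, and the rule for combining several matching permissions (an explicit deny wins, otherwise the highest granted level applies) is an assumption that this page does not state.

```python
from enum import IntEnum

class Perm(IntEnum):
    NONE = 0        # nothing assigned: the default for non-super-admins
    READ_ONLY = 1
    READ_WRITE = 2
    DENY = 3        # explicit deny on a host group

# Constructed sample data (all names are hypothetical).
HOST_GROUPS = {                      # host -> host groups it belongs to
    "web01": {"Web servers"},
    "db01": {"Databases"},
    "pay01": {"Web servers", "PCI"},
}
GROUP_RIGHTS = {                     # user group -> {host group: permission}
    "Web ops": {"Web servers": Perm.READ_WRITE},
    "Auditors": {"Web servers": Perm.READ_ONLY, "Databases": Perm.READ_ONLY},
    "Contractors": {"PCI": Perm.DENY},
}
USERS = {                            # user -> (user type, user groups)
    "alice": ("Zabbix Admin", {"Web ops", "Contractors"}),
    "bob": ("Zabbix User", {"Auditors"}),
    "root": ("Zabbix Super Admin", {"Contractors"}),
}

def effective_permission(user, host):
    """Resolve what `user` may do on `host` via user group -> host group rights."""
    user_type, user_groups = USERS[user]
    # Super Admin: read-write everywhere; denying a host group has no effect.
    if user_type == "Zabbix Super Admin":
        return Perm.READ_WRITE
    # Every (user group, host group) pair that links this user to this host.
    found = {
        GROUP_RIGHTS.get(ug, {}).get(hg, Perm.NONE)
        for ug in user_groups
        for hg in HOST_GROUPS[host]
    }
    # Assumption (not stated on the page): deny wins, else the highest level.
    if Perm.DENY in found:
        return Perm.DENY
    return max(found, default=Perm.NONE)

def audit():
    """Full user x host matrix, for least-privilege review."""
    return {(u, h): effective_permission(u, h).name
            for u in sorted(USERS) for h in sorted(HOST_GROUPS)}

if __name__ == "__main__":
    for (u, h), p in audit().items():
        print(f"{u:6} {h:6} {p}")
```

The matrix makes two review points visible: a host that sits in several host groups (here `pay01`) can pick up a deny from any of them, and a Super Admin account is unaffected by group-level denies.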