Is it true that it's currently not possible to set up complementing user
roles, i.e. assign two or more roles to a user and the user can do what
either role can do but not mix everything up as it seems at the moment?
For example, something like this:
    [view-only]
    permissions = "module/doc, module/monitoring"
    users = "testuser"

    [dev-admin]
    permissions = "monitoring/command/acknowledge-problem, monitoring/command/remove-acknowledgement, monitoring/command/comment/*, monitoring/command/downtime/*, monitoring/command/send-custom-notification"
    users = "testuser"
    monitoring/filter/objects = "host_name=dev*"
Role view-only allows viewing all hosts. Role dev-admin allows acking,
commenting on, and scheduling downtimes for all hosts named "dev*".
Thus I would like user "testuser" to be able to do exactly what those two
roles should allow.
However, at the moment it seems as if icingaweb2 tries to "combine"
filters and permissions if the user has multiple roles. Currently, with
the configuration above, "testuser" can only see all hosts named "dev*"
but not all others.
If I add a
    monitoring/filter/objects = "*"
to the view-only role, I can see all hosts, but now it seems all
permissions are applied, i.e. I can acknowledge any host, not only those
named "dev*".
This seems not very useful to me. If I had a role which gives me all
permissions on a single host and another role which gives me
"module/monitoring" on all hosts, I would get every possible permission
on all hosts. That has nothing to do with those original roles and what
they "meant" when I defined them.
Am I missing something here or is this really how it works at the moment?
Thanks,
Gerald
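
Added example (not part of the original post and not Icinga Web 2 code): a small Python model of the two evaluation strategies the post contrasts, written to be consistent with the behaviour reported above. The role data is constructed from the posted roles.ini; the host names, the function names and the glob matching via fnmatchcase are assumptions.

```python
from fnmatch import fnmatchcase

# Constructed from the roles.ini in the post; filter None = no restriction set.
ROLES = {
    "view-only": {"permissions": ["module/doc", "module/monitoring"], "filter": None},
    "dev-admin": {
        "permissions": [
            "monitoring/command/acknowledge-problem",
            "monitoring/command/remove-acknowledgement",
            "monitoring/command/comment/*",
            "monitoring/command/downtime/*",
            "monitoring/command/send-custom-notification",
        ],
        "filter": "dev*",  # stands for monitoring/filter/objects = "host_name=dev*"
    },
}

def grants(role, permission):
    """True if one of the role's permission patterns covers the permission."""
    return any(fnmatchcase(permission, p) for p in role["permissions"])

def merged_allows(roles, permission, host):
    """Reported behaviour: permissions are pooled across roles, the filters
    that are set are OR-ed, and the result scopes every permission."""
    filters = [r["filter"] for r in roles.values() if r["filter"] is not None]
    has_permission = any(grants(r, permission) for r in roles.values())
    in_scope = not filters or any(fnmatchcase(host, f) for f in filters)
    return has_permission and in_scope

def per_role_allows(roles, permission, host):
    """Desired behaviour: a single role must supply both the permission
    and a host scope that covers the host (no filter = all hosts)."""
    return any(
        grants(r, permission)
        and (r["filter"] is None or fnmatchcase(host, r["filter"]))
        for r in roles.values()
    )

def with_view_filter(roles, host_filter):
    """Copy of the roles with a filter set on view-only (second experiment)."""
    changed = {name: dict(role) for name, role in roles.items()}
    changed["view-only"]["filter"] = host_filter
    return changed

if __name__ == "__main__":
    ack = "monitoring/command/acknowledge-problem"
    for host in ("dev-web1", "prod-db1"):  # constructed host names
        print(host, merged_allows(with_view_filter(ROLES, "*"), ack, host),
              per_role_allows(ROLES, ack, host))
```

Under the merged model the only two outcomes are the ones described in the post: either the dev* filter hides every other host, or the "*" filter extends the command permissions to every host.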