I guess this is https://github.com/Icinga/icingaweb2/issues/2455

-Gerald

On 13/02/2017 12:48, Valentin Höbel wrote:
Dear list,

I have a couple of questions regarding Icingaweb2 and the way permissions, roles and filters are applied.

(a) Let's say I have a couple of users, groups for them and roles because different Ops teams are working with Icinga2. Each Ops team shall only change the objects they are responsible for (e.g. tomcat servers), while they should be able to see all objects within Icinga2 at the same time. This is something which could be useful when there are issues within the infrastructure and their servers/services are affected. They should be able to see if only their stuff is affected or if the whole infrastructure goes down (or some network hardware in the neighbourhood, for example).

How do I apply roles and filters correctly then? In my case, I tried to create the role "tomcat admins", allowed access to module/monitoring (e.g. with filter host_name=*) and then added e.g. the permission to delete downtimes for hosts and services (monitoring/command/downtime/delete). I can't add another filter here only applying to this second permission set, since a filter is already set and always seems to refer to all selected permissions. So I guess I can't do what I need within one role, am I correct? In my opinion, filters, blacklists etc. should always come in pair with a permission set, so you can set filters individually for each selected permission.

(b) I tried something else afterwards. I added role "sees-everything" which basically grants access to all monitoring objects and then added another role called "tomcat admins" which has a filter on host_name=tomcat* and the permission set monitoring/command/downtime/delete. Now, when I apply both roles to the same set of users, the result is unexpected. Instead of all permissions with their filters being "merged" correctly, the strongest filter (host_name=*) was applied and the users can delete downtimes for all hosts (not only for those starting with "tomcat").

Is this an expected behaviour? Did you guys encounter something similar? Or am I reading the documentation wrong and this is supposed to happen?

I am thankful for every input!

Best regards
Valentin
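The outcome described in (b), as an added example that is not part of the original thread and is not Icinga Web 2's own code: a simplified Python model of the two roles, comparing the merged evaluation the poster observed with the per-role evaluation the poster expected. The user name `alice`, the function names, and the shell-style wildcard matching on `host_name` are assumptions made for illustration.

```python
import configparser
from fnmatch import fnmatchcase

# Constructed roles.ini mirroring the two roles from the post.
# The user "alice" is hypothetical.
ROLES_INI = """
[sees-everything]
users = alice
permissions = module/monitoring
monitoring/filter/objects = host_name=*

[tomcat admins]
users = alice
permissions = monitoring/command/downtime/delete
monitoring/filter/objects = host_name=tomcat*
"""

def load_roles(text, user):
    """Return [(permissions, host_pattern)] for every role assigned to user."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    roles = []
    for name in cp.sections():
        sec = cp[name]
        users = [u.strip() for u in sec.get("users", fallback="").split(",")]
        if user not in users:
            continue
        perms = {p.strip() for p in sec.get("permissions", fallback="").split(",")}
        # Only the simple "host_name=<pattern>" filter form from the post is modelled.
        pattern = sec["monitoring/filter/objects"].split("=", 1)[1]
        roles.append((perms, pattern))
    return roles

def allowed_merged(roles, permission, host):
    """Observed result: permissions are pooled and the filters are OR-ed,
    so the widest filter (host_name=*) scopes every permission."""
    has_perm = any(permission in perms for perms, _ in roles)
    in_scope = any(fnmatchcase(host, pat) for _, pat in roles)
    return has_perm and in_scope

def allowed_per_role(roles, permission, host):
    """Expected result: a filter only scopes the permissions of its own role."""
    return any(permission in perms and fnmatchcase(host, pat)
               for perms, pat in roles)

if __name__ == "__main__":
    roles = load_roles(ROLES_INI, "alice")
    for host in ("tomcat01", "db01"):
        cmd = "monitoring/command/downtime/delete"
        print(host, allowed_merged(roles, cmd, host), allowed_per_role(roles, cmd, host))
```

Under the merged model `db01` is in scope for the delete command, which matches what the post reports; under the per-role model only hosts matching `tomcat*` are.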