This is strange. I tried all sorts of different combinations of check box setting to give a user the ability to ack. None worked. Finally, I gave the user admin rights. Still can't ack.
So what's the secret to users other than nagiosadmin being able to ack (ideally w/o being able to do much more).
Yes, I just read Understanding-Nagios-XI-User-Rights.pdf.
User rights to ack
-
jdalrymple
- Skynet Drone
- Posts: 2620
- Joined: Wed Feb 11, 2015 1:56 pm
Re: User rights to ack
The "secret" is that the user needs to get stuffed into /usr/local/nagios/etc/cgi.cfg
This is handled when the user is created/modified in theory. Can you take a look at that file, and in particular the following line:
This is handled when the user is created/modified in theory. Can you take a look at that file, and in particular the following line:
Code: Select all
authorized_for_all_host_commands=nagiosadmin
authorized_for_all_service_commands=nagiosadminRe: User rights to ack
kgorman is the user I'm testing. Its set to admin.
As that user, under Quick Actions it says no actions are available.
# grep authorized /usr/local/nagios/etc/cgi.cfg
authorized_for_all_host_commands=nagiosadmin,nagiosadmin
authorized_for_all_hosts=nagiosadmin,nagiosadmin,guest,kgorman
authorized_for_all_service_commands=nagiosadmin,nagiosadmin
authorized_for_all_services=nagiosadmin,nagiosadmin,guest,kgorman
authorized_for_configuration_information=nagiosadmin,nagiosadmin,guest,kgorman
authorized_for_system_commands=nagiosadmin,nagiosadmin
authorized_for_system_information=nagiosadmin,nagiosadmin
authorized_for_read_only=guest,kgorman,vzw.net.cdsp-ops,vzw.net.cdsp-sms
Maybe authorized_for_read_only overrides authorized_for_all_hosts/services.
As that user, under Quick Actions it says no actions are available.
# grep authorized /usr/local/nagios/etc/cgi.cfg
authorized_for_all_host_commands=nagiosadmin,nagiosadmin
authorized_for_all_hosts=nagiosadmin,nagiosadmin,guest,kgorman
authorized_for_all_service_commands=nagiosadmin,nagiosadmin
authorized_for_all_services=nagiosadmin,nagiosadmin,guest,kgorman
authorized_for_configuration_information=nagiosadmin,nagiosadmin,guest,kgorman
authorized_for_system_commands=nagiosadmin,nagiosadmin
authorized_for_system_information=nagiosadmin,nagiosadmin
authorized_for_read_only=guest,kgorman,vzw.net.cdsp-ops,vzw.net.cdsp-sms
Maybe authorized_for_read_only overrides authorized_for_all_hosts/services.
Re: User rights to ack
I don't understand how you can set up a user with rights to submit commands (enable/disable notifications, acknowledge problems, etc.) AND to set it with "read-only" rights at the same time? This is not possible.
In our "Understanding-Nagios-XI-User-Rights.pdf" document we explain what the "Has read-only access" setting means:
In our "Understanding-Nagios-XI-User-Rights.pdf" document we explain what the "Has read-only access" setting means:
This option removes the user's ability to submit commands (e.g. disable notifications) for hosts and services and prevents them from re-configuring existing or adding new hosts and services.
Be sure to check out our Knowledgebase for helpful articles and solutions!
Re: User rights to ack
You don't seem to understand the situation.
The user is set to have admin rights only.
What rights (as in checked boxes) does a user need to ack?
The user is set to have admin rights only.
What rights (as in checked boxes) does a user need to ack?
Re: User rights to ack
It should just be the Can control all hosts and services option.
I gave a user just that and Can see all hosts and services and I was able to acknowledge. I removed Can see all hosts and services and was still able to acknowledge problems for which the user is a contact. In cgi.cfg with just Can control all hosts and services enabled in the interface, the user showed up for authorized_for_all_host_commands and authorized_for_all_service_commands.
So to answer your question directly:
HOWEVER. If I also check the Read-only box is also checked, then the ack option will not be available, and cgi.cfg will has that user in authorized_for_all_host_commands and authorized_for_all_service_commands as well as authorized_for_read_only, so your suspicions about Read-only overwriting the rest appear to be correct.
I gave a user just that and Can see all hosts and services and I was able to acknowledge. I removed Can see all hosts and services and was still able to acknowledge problems for which the user is a contact. In cgi.cfg with just Can control all hosts and services enabled in the interface, the user showed up for authorized_for_all_host_commands and authorized_for_all_service_commands.
So to answer your question directly:
It would appear that Can control all hosts and services is what needs to be checked.gormank wrote:What rights (as in checked boxes) does a user need to ack?
HOWEVER. If I also check the Read-only box is also checked, then the ack option will not be available, and cgi.cfg will has that user in authorized_for_all_host_commands and authorized_for_all_service_commands as well as authorized_for_read_only, so your suspicions about Read-only overwriting the rest appear to be correct.
Former Nagios employee
Re: User rights to ack
I was typing a reply when I saw tmcdonald's answer. I will post my answer as well as I included a couple of screenshots for clarity.
In your case, "kgorman" is listed on the "authorized_for_read_only" line and it shouldn't be there (if it is an admin user). I am not sure why it is there...
User "john" doesn't have any issues with acknowledging the problems.
When a user is set as "Admin" all of the security settings are selected by default but "has read-only access". Here's an example of a "test" user set as "Administrator".You don't seem to understand the situation.
The user is set to have admin rights only.
Code: Select all
grep test /usr/local/nagios/etc/cgi.cfg
authorized_for_all_host_commands=nagiosadmin,test,nagiosadmin
authorized_for_all_hosts=nagiosadmin,test,nagiosadmin
authorized_for_all_service_commands=nagiosadmin,test,nagiosadmin
authorized_for_all_services=nagiosadmin,test,nagiosadmin
authorized_for_configuration_information=nagiosadmin,test,nagiosadmin
authorized_for_system_commands=nagiosadmin,test,nagiosadmin
authorized_for_system_information=nagiosadmin,test,nagiosadminIt needs "authorized_for_all_hosts" and "authorized_for_all_services" ("Can control all hosts and services"). For example, I created a new user ("john") who "can see all hosts and services" and "can control all hosts and services".What rights (as in checked boxes) does a user need to ack?
Code: Select all
grep john /usr/local/nagios/etc/cgi.cfg
authorized_for_all_host_commands=nagiosadmin,test,nagiosadmin,john
authorized_for_all_hosts=nagiosadmin,test,nagiosadmin,john
authorized_for_all_service_commands=nagiosadmin,test,nagiosadmin,john
authorized_for_all_services=nagiosadmin,test,nagiosadmin,john
authorized_for_configuration_information=nagiosadmin,test,nagiosadmin,johnYou do not have the required permissions to view the files attached to this post.
Be sure to check out our Knowledgebase for helpful articles and solutions!
Re: User rights to ack
I tested and that looks good.
Thanks and please close.
Thanks and please close.