update notification contacts as xi user

[smoren]

Hello,

I'm trying to configure Nagios XI user accounts to be able to update/change notification contacts for hosts/services.
Security settings for that user account are as follows:
- Authorization Level - User
- [x] Can (re)configure hosts and services
- [x] Can access advanced features
Other options are unchecked.

This account can see Configure tab under Service Status Detail page and change values in Monitoring tab, but under Notification tab, there are no contacts in Other individual contacts list. When I check Can see all hosts and services for this user, contact list is populated. But this user should not see all hosts and services and still be able to update contacts for services he can see. Can you help me with this?

Is it possible to give user permissions to update his services, but not to create new ones(e.g. hide Configure menu item)? And is it possible to give XI Users permissions just to create new hosts(and not services)?

Finally, one improvement suggestion: please add filter box for Other individual contacts list. This would be useful if you have many contacts...
Thanks.

[bheden]

We'll be updating the descriptions of the options in Security Sections to accurately reflect their actions. For example: "Can see all hosts and services" will be updated to "Can see all objects" or something similar.

In the meantime, we're looking at user permission granularity as a whole, and the possibility of finer tuning - these suggestions will definitely play a part in that discussion. With that being said, there isn't any easy way to work those potential changes into the code base overnight.

Unfortunately, there is no way to limit a user that has permissions to reconfigure objects (hosts/services) and see all objects (hosts/services) to not be able to update contacts for hosts and services he can see. Likewise, if a user has permissions to create new hosts, he has permissions to create new services as well.

These security settings are powerful, and as such we recommend that the user fully understands the power that you are granting them.

Hope this helps.

[smoren]

More granular permissions would be very welcome. For starters, consider creating permission for each tab in sites Configure Service and Configure Host. But I would also consider permissions to update every attribute (or group of attributes). For example, network admins might be able to change only parents and IP addresses of all hosts, but nothing more...
And to make things a little more complicated - limit some permissions to host/service groups...

Probably I wasn't clear about my issue: Users, with permissions I mentioned in 1st post, are not able to update contacts for hosts/services. And I want them to be able to update contacts on services they are authorized for.
So in short - user can reconfigure hosts and services, can access advanced features, can change check interval, can update command associated with that service, can set 'Don't send any notifications', but he is not able to update notification contacts - Other individual contacts list is empty(my observation: this list is populated when user has permission Can see all hosts and services).

Btw. could you please clarify conditions when user can see contact groups or groups(host/service)? I was not able to find correct algorithm

[lmiltchev]

More granular permissions would be very welcome. For starters, consider creating permission for each tab in sites Configure Service and Configure Host. But I would also consider permissions to update every attribute (or group of attributes). For example, network admins might be able to change only parents and IP addresses of all hosts, but nothing more...
And to make things a little more complicated - limit some permissions to host/service groups...

These are all good points. As bheden said: "In the meantime, we're looking at user permission granularity as a whole, and the possibility of finer tuning - these suggestions will definitely play a part in that discussion."

Probably I wasn't clear about my issue: Users, with permissions I mentioned in 1st post, are not able to update contacts for hosts/services. And I want them to be able to update contacts on services they are authorized for.
So in short - user can reconfigure hosts and services, can access advanced features, can change check interval, can update command associated with that service, can set 'Don't send any notifications', but he is not able to update notification contacts - Other individual contacts list is empty(my observation: this list is populated when user has permission Can see all hosts and services).

You were clear about the issue, and we are aware of this limitation. Unfortunately, currently this functionality is not available in XI.

Btw. could you please clarify conditions when user can see contact groups or groups(host/service)? I was not able to find correct algorithm

User can see contact groups that he/she is a member of.

- Added ability for users with "Can (re)configure hosts and services" perms to add/remove contactgroups they are members of when running wizards and reconfiguring objects -SW

https://assets.nagios.com/downloads/nag ... NGES-5.TXT

The user can also see hostgroups/servicegroups, provided he/she is authorized to see all hosts/services, that are members of the hostgroups/servicegroups.

Please, review our documentation on multi-tenancy here:

https://assets.nagios.com/downloads/nag ... enancy.pdf

[smoren]

Thank you for exhaustive answer. So for now, If I want Nagios XI user to update contacts on hosts/services, I have to give him permission Can see all hosts and services, until you correct the issue. We can live with it for a while...

The user can also see hostgroups/servicegroups, provided he/she is authorized to see all hosts/services, that are members of the hostgroups/servicegroups.

This is exactly what I was looking for. Thank you.

I think you can lock this thread now and I'll wait for new version of Nagios XI where these issues will be solved.
Thanks again.

[lmiltchev]

I am glad I could help!