Multi-tenancy issue!!!

Post by **BanditBBS** » Thu Feb 25, 2016 3:59 pm

I was just giving a demo in join.me to a customer and I masqueraded as her. Everything was fine until I clicked on the "Scheduled Downtime" link. It shows everything for all customers!

Can someone else verify this is not just something screwy in my environment.

rkennedy · Post by **rkennedy** » Thu Feb 25, 2016 4:02 pm

Was she an admin, or user - and, what privileges does she have enabled?

A screenshot of her 'Edit User' page will work to answer this. I'll try to replicate it on my end.

Also - what version of XI are you on currently?

Post by **BanditBBS** » Thu Feb 25, 2016 4:14 pm

Capture.PNG

XI 5.2.1

rkennedy · Post by **rkennedy** » Thu Feb 25, 2016 4:52 pm

I can confirm, that with those privileges a user can see all OTHER scheduled downtime. When they try to schedule host downtime, it will only allow them to host / services they have access to.

Is this what you were referring to?

Post by **BanditBBS** » Thu Feb 25, 2016 5:05 pm

Yeah, they shouldn't be able to see the other downtimes. They don't have permissions to see those items anywhere else within Nagios except on that downtime page.

Post by **lmiltchev** » Thu Feb 25, 2016 5:42 pm

I was also able to recreate the issue, and I believe this is a bug. I filed an internal bug report (TASK ID 7876).

Nagios Support Forum

Multi-tenancy issue!!!

Multi-tenancy issue!!!

Re: Multi-tenancy issue!!!

Re: Multi-tenancy issue!!!

Re: Multi-tenancy issue!!!

Re: Multi-tenancy issue!!!

Re: Multi-tenancy issue!!!