CCM Limited Not Inheriting from Host Groups

[onetruebob74]

Hello again. Now that I have the errors I was encountering with XI after upgrading dealt with, I'm encountering what I can only assume is an error in the permissions logic.

One of the big features we are wanting to make use of in 5.5 is the ability to have a limited role inside of CCM. I have been playing around and seem to have encountered a problem with having permission to view certain services.

I have a contact by the name of bobtest
I have a contactgroup with name EA-Admins
I have a hostgroup named ea-servers
I have several servers that are in the ea-servers group.

If I login as user bobtest with Limited CCM roles, all permissions granted other than for the Tools at bottom, I can go to CCM -> Services and add a new service.

If I attach that service directly to a host that bobtest is a contact for or is in a contactgroup attached to that host, bobtest can continue to see the defined service in CCM.

If I take a previously created service and add it to a host that bobtest is a contact for or is in a contactgroup attached to that host, bobtest can continue to see the defined service in CCM.

However, if I do not attach that service directly to a host, but instead attach it to a hostgroup that contains hosts that bobtest is a contact for or is in an attached contactgroup of which bobtest is a member, bobtest can no longer see that service in CCM.

In fact, if I attach the EA-Admins contactgroup directly to the defined service or even attach the bobtest contact directly to the service, bobtest still cannot see the service in CCM.

It seems the only inheritance is by having the contact or contactgroup of which the contact is a member directly attached to a host that the defined service is also directly attached. If this is by design it severely undermines the value of this functionality. If it isn't by design, then do you have any ideas as to what I am missing here?

FYI this is Nagios XI 5.5.2 running on a CentOS 7.5 system with a local MariaDB backend.

[scottwilkerson]

This was never intended behavior for limited access. For this type of editing you need full access.

If it was available with limited access, you would be allowing this restricted user the ability to change services that could be applied to hundreds of hosts which this user doesn't have access to.

[onetruebob74]

Might I request that this feature be considered as an option. If you allowed this sort of inheritence you would basically have the ability to have multiple tenants. As long as objects were kept completely seperate at the initial setup, only a full admin would have the ability to cross the streams per se. If everyone was using a form of limited they would only see their own stuff and allow to truly have multiple groups have complete control of there own stuff. If you were to implement something like this as an option I think it would really benefit many of your customers.

In the meantime, I guess one potential workaround is to have a dummy host that has checks for all services turned off for that group that all services get assigned to along with the limited admins for the group to ensure they can always see items under their purview.

[scottwilkerson]

I will submit it as a feature request.