User Permissions
Posted: Fri Sep 11, 2015 8:56 am
by bosecorp
Hi,
Is there any way to restrict a user from seeing specific devices?
Re: User Permissions
Posted: Fri Sep 11, 2015 9:06 am
by tmcdonald
Re: User Permissions
Posted: Fri Sep 11, 2015 3:24 pm
by bosecorp
That is exactly what I need. However, I don't want to go to each host and add the contact or contact group that I want this user to have access to.
I want this to be done via host group, meaning that I want to link the host group to a contact group, and the contact group should be linked to a contact. How do I do this?
Re: User Permissions
Posted: Mon Sep 14, 2015 9:06 am
by jdalrymple
Hi bosecorp,
Unfortunately this is a "shortcoming" of Nagios Core. In order to know how all the objects interact, the reference (which I probably have shared with you before and if so I apologize for the redundancy) is here:
https://assets.nagios.com/downloads/nag ... tions.html
Hostgroups can't contain contacts or contactgroups. So the linkage for this would be a template.
Host template has hostgroup and contact (or contactgroup) defined.
Again with the apology in advance for sounding preachy in the event that I've said this before:
Templates are what you use to avoid duplicating your object definition efforts
Hostgroups are only used for connecting hosts and services together
In your case, I believe you have enterprise options so you might be best serviced at this point using the bulk mod tool to rework all of your hosts.
On a side note - could you reply to our "orphan" ticket and update me on how things are going? Did the nasty worker situation get resolved, and additionally are you still wanting to upgrade?
Thanks!
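An added example (not from the posters or the Nagios project): a small audit of the template linkage described in the post above, listing which hosts each contact ends up attached to through a host template. The object names are hypothetical and the sample config is constructed; the code does not model additive (`+`) inheritance, nested contactgroups or contacts reached through escalations.

```python
import re
# Constructed sample, hypothetical names, trimmed to the directives that matter here.
# Not modelled: '+' additive inheritance, nested contactgroups, escalation contacts.
SAMPLE_CFG = """
define contactgroup {
    contactgroup_name  site-a-users
    members            alice,bob
}
define host {
    name               tpl-site-a
    hostgroups         site-a
    contact_groups     site-a-users
    register           0
}
define host {
    use                tpl-site-a
    host_name          sw-a-01
}
define host {
    host_name          core-rtr-01
    contacts           noc
}
"""

def parse_objects(text):
    # 'define <type> { ... }' blocks -> [(type, {directive: value}), ...]
    directive = re.compile(r"^\s*(\w+)[ \t]+([^;\n]*?)[ \t]*(?:;.*)?$", re.M)
    blocks = re.findall(r"define\s+(\w+)\s*\{(.*?)\}", text, re.S)
    return [(kind, dict(directive.findall(body))) for kind, body in blocks]

def inherited(attrs, key, templates, depth=0):
    # Value set on the object itself, else the first one found up its 'use' chain.
    if key in attrs or depth > 10:  # depth cap stops template loops
        return attrs.get(key, "")
    parents = [templates[p.strip()] for p in attrs.get("use", "").split(",") if p.strip() in templates]
    return next(filter(None, (inherited(p, key, templates, depth + 1) for p in parents)), "")

def visible_hosts(text):
    # Map contact -> sorted registered hosts that name it directly or via a contactgroup.
    objs = parse_objects(text)
    templates = {a["name"]: a for k, a in objs if k == "host" and "name" in a}
    groups = {a["contactgroup_name"]: a.get("members", "") for k, a in objs if k == "contactgroup"}
    seen = {}
    for h in (o for k, o in objs if k == "host" and "host_name" in o and o.get("register") != "0"):
        cgs = inherited(h, "contact_groups", templates).split(",")
        names = [inherited(h, "contacts", templates)] + [groups.get(g.strip(), "") for g in cgs]
        for c in filter(None, map(str.strip, ",".join(names).split(","))):
            seen.setdefault(c, set()).add(h["host_name"])
    return {c: sorted(hosts) for c, hosts in seen.items()}
```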
Re: User Permissions
Posted: Mon Sep 14, 2015 9:28 pm
by bosecorp
Thanks JR for your response.
I am not clear on the host template. I am going to read a little more about that. I have not used that before. Will I be able to accomplish what I want if I use a host template? Also, the little I know about doing it from the host level, or even from the host template level, is that it would affect how alerting works. All my hosts are configured so that alerts get sent to my NOC email address, so only one contact is configured in each device. From there I used host escalation to alert everybody else based on specific parameters I have. So, if I add a contact group at the host level, then that means the first to get the alert is whoever is in that contact group, and I don't want that. The reason I don't want that is because I want to control who gets alerts in a much simpler way, and that is through host escalation. Host escalation allows me to link host groups and contact groups. It's just easier to change and adjust things that way, from the perspective of who gets the alerts and when.
I am experimenting with a different method and so far it looks promising, but I see some inconsistencies. I linked contact groups with host groups using host escalation. That way the remote users can only see the devices that they are supposed to see. The only problem is that they are missing one or two devices, which doesn't make much sense because the missing host is configured the same as the other ones that the remote user is supposed to see. Experimenting even more, for this host that was missing from the remote user's access, I removed one host group that was not part of the host escalation, applied the config, and the user is now able to see the missing device. I am not sure what this means, but I am afraid that will not work for me because the hostgroup I removed from this device is part of a global dashboard I have. So the question I have is why this method seems to almost accomplish what I want to do. I would like this method to be bulletproof, because that way giving people access to specific devices will be straightforward. The method you mentioned seems to me like it will involve more work.
Again, I will need to read more about host templates.
Re: User Permissions
Posted: Tue Sep 15, 2015 9:12 am
by jdalrymple
bosecorp,
The use for hosts/service templates is to create broad definitions on many hosts without having to specifically set it for every host. It's fairly straightforward. If you have any trouble making sense of it let me know.
As for your dilemma with the contacts getting the first notification - the only way I can think of to handle that would be to do ALL of your notifications through escalations and set your contacts' options to none (don't notify on OK, CRIT, WARN, etc). This way the user permissions should take effect but without affecting your notification procedure.
Does that make any sense?
Thanks!
Re: User Permissions
Posted: Wed Sep 16, 2015 10:57 am
by bosecorp
Makes a lot of sense. So if I set notification at the contact level to NO, you are saying that host escalation will override that and would still send a notification. Am I correct?
Re: User Permissions
Posted: Wed Sep 16, 2015 11:02 am
by jdalrymple
That I would actually have to test (and will be happy to if you'd like) - I was more thinking of disabling notifications at the service level. I can easily make a distinction between a service escalation and a service notification. I cannot quite as easily distinguish between contact notifications and contact escalations....
Want me to test that out here?
Re: User Permissions
Posted: Wed Sep 16, 2015 8:14 pm
by bosecorp
I am not quite sure if I understand what you said:
"was more thinking of disabling notifications at the service level"
I missed that. I think we were talking about host escalation and host templates. I am not sure what you mean by "at the service level".
I clearly understand
"I cannot quite as easily distinguish between contact notifications and contact escalations...."
I know exactly what you mean there.
However, earlier you said
"ALL of your notifications through escalations and set your contacts options to none (don't notify on OK, CRIT, WARN, etc)"
That is exactly what I have in my environment, meaning that I handle ALL of my notifications through escalations.
If that is clear on what I understood and you I said yes, yes I would like you to test that.
Re: User Permissions
Posted: Thu Sep 17, 2015 10:01 am
by jdalrymple
So going back to the original quandary, the goal is to assign contacts to hosts/services, right? That is after all the method of having granular visibility for NagiosXI logins...
And the problem is that notifications are (likely) enabled for all of your hosts/services, they just go to nobody since none of them have any contacts...
The method to my madness is to just disable notifications on the hosts/services, then you can assign contacts willy-nilly on whatever and not worry about getting any extra spam beyond the escalations you have set up currently. The reason that my pea-brain says make the adjustments at the host/service level is because escalations don't really care too much what's going on there with regard to notification settings, they're *basically* separate. However, if you start fiddling with your contacts I think escalations DO care what happens there. I think a lot of contact notification preferences are able to override escalation settings. Escalations are kind of bolt on though and not quite as integral to everything so I'm not 100% sure what all the behavior is.
I'll whip it up here on an XI system and see what I can figure out for you. Stay tuned.