Fine tuning permissions in the upcoming release
If you are using Zabbix in a multi tenant environment, you’ve probably been waiting for this feature for a very long time. User roles allow Zabbix administrators to assign granular menu access to users while providing the access they need to administer hosts under their purview.
Before this feature, only Zabbix User, Zabbix Admin, and Zabbix Super Admin were available as types to be assigned to users, and permissions could be assigned on a group basis to host grups as read-write, read, or deny. This did not allow much flexibility for administrators that want to provide users access to the Configuration menu to add or manage hosts and host groups, but prevent access to global parameters like actions and event correlation, or grant other administrators access to the Administration menu for things like media types, but prevent their access to scripts.
Enter User Roles, which allow us to give these permissions at a menu level to users while denying access to other, more sensitive functionality.
In our organization we have an Operations group that manage hosts and host groups, view monitoring data, create maintenance windows, and create and view screens and slideshows. However, we do not want them managing Templates or Discovery rules. In this image, you can see that since they are a Zabbix Admin, they have access to the full Configuration menu.
With User Roles, we can now create a user profile that provides the access this group needs without relying on policy to prevent them from creating, modifying, or deleting templates and discovery rules.
We will create a new role called Operations, assign the type Admin (new in 5.2, replacing Zabbix Admin) and select the Monitoring, Inventory, Reports, Configuration, and Administration items we want to give the group access to. This will be assigned on a user basis, and further permissions can be granted on the User Group to Host Groups.
Since we’ve selected the Admin User type, the Administration menu items are not available for assignment. This would require the Super Admin type. We are providing full access to the Monitoring and Inventory menus, but we are removing Event correlation, Templates, and Discovery from this user as it’s not a function our Operations team should be working.
Also available in the Roles selection is access to API actions. By default, all users have the access to API actions that their user role does and we now have the ability to limit those actions in the same way we do in the dashboard.
For our new Operations role we will remove the Change severity action and then select Add. We can then edit the user permission and change the Role to the Operations one we created.
Our sidebar menu now reflects the changes we made to the role, removing the Templates and Discovery menu items. While this may seem like it’s just a menu change, it is a secure change to permissions. Attempting to access the links in the menu items we remove will result in an Access Denied error.
While we are discussing this in a service provider context, these roles offer benefits to any company using Zabbix to monitor their infrastructure.
following the principle of least privilege is an important practice and this new feature is a key addition to better follow that principle.
For more information regarding Zabbix monitoring, please reach out to us via the contact form on this site or by calling us at 919-551-8175.