Are Contact Groups appropriate to use as a "permissions system"?

I have a need to show limited subsets of Checkmk to third parties (i.e. another company that is involved with a specific set of servers) and these third parties should NOT see anything of what else is in Checkmk.

I have made an account with the guest role that is in a contact group, and assigned a few host folders to that contact group, and shared a few useful reports. Logging in as that user, I do only see the intended hosts in monitoring and even in report content. Great! But then I set up a notification rule under that user, notifying that user, and that user started receiving notifications for everything. I had to explicitly add a condition on the notification to only match hosts/services in that contact group. Not great :frowning:

So my questions here are:

  1. Is this what contact groups are for? (if no, what should I be doing instead?)
  2. Is this expected for notifications to side-step contact groups like this? Have I configured that notification wrong somehow? (and 2b. does this mean a user with permission to configure their own notifications can set up a rule to see information they shouldn’t see?)
  3. What else might not be playing by the contact group rules like I expect? I am now slightly paranoid we will leak information elsewhere.

We are running 1.6, but looking to update to 2.0 sometime in the near future, if that’s relevant.

1 Like

Your contact group setup sounds ok. If you assigned the guest role then you have also enabled the setting to only show the objects the user is contact for. This is correct, as a guest normally sees all objects.

The notification inside CMK works a little bit differently than the classic Nagios. The core sends a notification for every problem to the notification system. The notification system now looks at what rules it has. You created a rule for your external user and as long as you don’t set any condition this user will receive every notification. The condition can be (or should be) the user group or you can set as condition inside the rule specific hosts. This I do if I only want to notify a special user about problems of his host, without this user existing inside the monitoring as contact.

I would say - don’t use notification rules without conditions - check these conditions to make sure they are right.
Forbid the user to create “user specific notification rules”, as a guest you don’t have this right but as a normal user you can do this.
Check that every user that you don’t want to see all the things has the setting “only show hosts/services the user is contact for” activated.

There is no difference in the user rights and roles between 1.6 and 2.0, all the points are also relevant for 2.0

1 Like

I believe I have slightly configured the roles to match my expectations… and yes, changing “See all host and services” to no is one of non-defaults I’ve set it appears.

This isn’t just a rule for that user, but a notification rule that specifically belongs to that user. I would’ve expected the contact group filter to be implicit, especially because…

I do want to expand user privileges a bit further to allow these third parties to properly ack their stuff etc. and configuring their own notifications would be nice too, less for me to babysit. But if I can’t actually lock down what they get notified for, that would be a problem.

Exactly - for this type of user I would disable the create own notifications inside the user role or better create a role copy and disable the not wanted settings there.

For this point there is the default rule - notify for every contact. This rule has also a set condition.
You must think about the notification system more like an external application that only gets the data about an event and some other information but no direct logic what to do.

1 Like
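A small Python model of the rule evaluation described in the two replies above (the core hands every event to the notification system, and a rule with no condition matches all of them), showing the unscoped rule beside its contact-group-scoped form and an audit helper that flags unscoped rules naming explicit users. This is an added example, not Checkmk's own code: the rule keys (`contact_users`, `contact_all`, `match_contactgroups`, `match_hosts`, `notify_plugin`, `disabled`) mirror those Checkmk writes to `etc/check_mk/conf.d/wato/notifications.mk`, but the matching function, the `audit_unscoped_rules` helper and the sample hosts, users and contact groups are constructed for illustration and are a deliberate simplification of the real engine.

```python
"""Simplified model of Checkmk-style notification rule evaluation.

Added illustration, not Checkmk code. The rule dictionaries use the same keys
as notifications.mk, but the matching logic below is a minimal stand-in for
the real notification engine (constructed for this example).
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    """One problem notification as the core would pass it to the rule engine."""
    host: str
    service: str
    contact_groups: frozenset[str]   # contact groups of the object
    contacts: frozenset[str]         # users that are contact for the object


# Constructed rules. The first is the mistake from the thread: it names a user
# but carries no condition, so it fires for every event the core emits.
RULE_UNSCOPED = {
    "description": "Notify thirdparty user (no condition)",
    "contact_users": ["thirdparty"],
    "notify_plugin": ("mail", {}),
}

# The fix the original poster applied: restrict the rule to the contact group.
RULE_SCOPED = {
    "description": "Notify thirdparty user for their contact group only",
    "contact_users": ["thirdparty"],
    "match_contactgroups": ["thirdparty-servers"],
    "notify_plugin": ("mail", {}),
}

# A rule in the style of the default "notify all contacts" rule: recipients are
# derived from the object's own contacts, so scoping is implicit.
RULE_ALL_CONTACTS = {
    "description": "Notify all contacts of the object",
    "contact_all": True,
    "notify_plugin": ("mail", {}),
}

# Constructed events: one host the third party is contact for, one internal host.
EVENT_THIRDPARTY = Event("web-partner-01", "HTTP",
                         frozenset({"thirdparty-servers"}), frozenset({"thirdparty"}))
EVENT_INTERNAL = Event("db-internal-01", "Disk /",
                       frozenset({"ops"}), frozenset({"ops-oncall"}))


def rule_matches(rule: dict, event: Event) -> bool:
    """Apply the (subset of) conditions modelled here; absent key means 'any'."""
    if rule.get("disabled"):
        return False
    groups = rule.get("match_contactgroups")
    if groups is not None and not set(groups) & event.contact_groups:
        return False
    hosts = rule.get("match_hosts")
    if hosts is not None and event.host not in hosts:
        return False
    return True


def recipients(rule: dict, event: Event) -> set[str]:
    """Who a matching rule notifies: explicit users plus, optionally, all contacts."""
    who: set[str] = set(rule.get("contact_users", []))
    if rule.get("contact_all"):
        who |= event.contacts
    return who


def notify(rules: list[dict], event: Event) -> set[str]:
    """Union of recipients over every rule that matches the event."""
    out: set[str] = set()
    for rule in rules:
        if rule_matches(rule, event):
            out |= recipients(rule, event)
    return out


def audit_unscoped_rules(rules: list[dict]) -> list[str]:
    """Descriptions of enabled rules that name explicit users but restrict
    neither host nor contact group: these notify about objects the named
    users are not contact for, which is the information leak in the thread."""
    scoping_keys = ("match_contactgroups", "match_hosts", "match_folders")
    return [
        r["description"] for r in rules
        if not r.get("disabled")
        and r.get("contact_users")
        and not any(k in r for k in scoping_keys)
    ]


if __name__ == "__main__":
    for ev in (EVENT_THIRDPARTY, EVENT_INTERNAL):
        print(ev.host, "unscoped ->", sorted(notify([RULE_UNSCOPED], ev)),
              "scoped ->", sorted(notify([RULE_SCOPED], ev)))
    print("unscoped rules:", audit_unscoped_rules([RULE_UNSCOPED, RULE_SCOPED, RULE_ALL_CONTACTS]))
```

Running the audit over the rule set is the check a reviewer wants before handing any user the right to create their own notification rules: a rule with `contact_users` and none of the match conditions is the one that leaks, while a `contact_all` rule is scoped by construction because its recipients come from the object's own contacts.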

I mean the opposite. Notifying all contacts makes sense, but I would also expect to NOT notify non-contacts (unless there’s specifically been a global rule set for it, because that’s an admin-level scope, not user-level).

Well as long as the notification system is the only hole here, I can work with that.
