Granular permissions

Hi,

I have a lot of hosts running nicely in Check MK and now I want to open it up so that our operations guys can see it.

I have some contact groups set up and I have assigned the contact group permissions on the folders of hosts that I want them to be able to see, and that works just fine.

But I really want to make it so that they cannot, for example, see any errors/warnings from Windows log files. There are some other checks that I would also like to exclude from their view.

Is this possible - I cannot find a way!

Thanks in advance :slight_smile:

Off topic:
Maybe take your email out of the forum name of your profile, since it is publicly visible now.

Appreciate the tip, thanks. Little annoying that it defaults to that…

Someone requested to have the name visible on the forum instead of the username, but since it was a global setting, they went for name next to username:

Back to the initial topic: Your question is very broad and very generic.
Maybe someone finds the time to answer extensively, but do not hold your breath. :slight_smile:
There are a lot of ways to configure permissions in Checkmk, and what you want to do is certainly possible, but there are several ways to achieve it.

@justink welcome to the forum.

What you are looking for can certainly be achieved by combining ‘roles’, ‘users’ and ‘contact groups’.

Checkmk has three built-in roles - Admin, User, and Guest.

Broadly speaking, as the names suggest, the Admin can do everything, User can do many things, except administering the monitoring sites, and the Guest can basically only “look, but don’t touch”.
(EDIT: 4 roles, the ‘agent_registration’ user was added with 2.2. Not relevant for this, though.)

The details are visible in the permission matrix:

Now the most efficient way to do what you want to achieve is to clone the role that most closely resembles the desired “operations-team” role (probably user), and modify its permissions. You can do this VERY granularly; there are more than 400 individual permissions that can be set (that’s also why you don’t want to start from scratch, if you can avoid it).

Then you can assign that role to individual users. These users in turn are part of contact groups for the different hosts.

Read all the details here: Users, roles and permissions - User and authorization configuration

When it comes to individual services, you probably need to assign those services to a different contact group (not sure if you can negate that, though…).

Even if this might be a lot of work, we do have all services disabled by default and we then assign different services to different contact groups, and do not automatically assign services to contacts.

This is really powerful as we can have Team A, who is responsible for the OS, see all OS-related services; then Team B has an application, let’s say a database, and they will see all the database checks (but not the OS), and Team A won’t see Team B’s services.

The only major downside is that any view that contains “hosts” won’t be seen by Team B, so the host up/down will not work for Team B - a workaround is to have a separate Ping/ICMP service and assign that to Team B.

Thanks for this. I think this is what I was looking for!