How to assign specific permissions to selected folders

Hi,

We require assistance with configuring user permissions in our CheckMK system.

Our plan is to organize each team into a contact group within their respective team folder. However, we encounter an issue with teams comprising multiple subteams, such as Team Windows 1 and 2. Each subteam needs its own folder and organizational structure but also requires access to view hosts from other teams. For example, Team 1 should be able to access and edit their hosts but not those of Team 2. Team 1 should only be able to view hosts of Team 2.

However, we’ve observed that we can only assign global permissions to users. This implies that if a host is made visible to a user, the user gains editing privileges for all hosts or none at all. We need the ability to assign permissions for individual hosts or folders where all hosts are stored.

Is there an elegant way to configure this setup within CheckMK?

Hi Leon,

I think there are multiple ways to achieve this.

You could create a third contact group TeamAandB and assign all users from both teams to that contact group.
Then you assign this contact group to all servers they should see.
To allow the teams to manage their own Servers you assign contact group TeamA to FolderA and TeamB to FolderB.

Another way could be to add the “view all Hosts and Services” permission to the Normal Monitoring User role or a copy of that.
This way, all the users with that role can see everything in checkmk.
Then you assign the contact group to the folders they should be able to manage.

To make it even more granular, you could set up several groups per team:

Group_view → Group can see this host/service
Group_edit → Group can edit this host
Group_alarm → Group is notified for this host/service

As an example, you could then assign the Group_view to the parent folder “Windows”, the Group_edit to the folder “Windows 1” and Group_alarm to the hosts and/or services in the folder “Windows 1” with the tag ‘Alert’.

Based on the group names, you know immediately who can see/edit what and who gets notified.

Hi Andre,

Thank you for your response.

Unfortunately, it seems the proposed solution didn’t quite yield the expected results for us. Despite assigning the user to Contact Group A, they could see the Team B folder but not the hosts inside it.

We might have overlooked something or misconfigured a setting. Is there any specific documentation or resource you could direct us to for further clarification on this matter? Alternatively, if you have any insights into what might have gone wrong, we would greatly appreciate your guidance.

Once again, thank you for your assistance.

I forgot to mention that we are using Version “Enterprise Edition 2.2.0p23,” in case that makes any difference.