Permisson to deny to see Sites in Activate Changes

Is there any possibility to restrict Users to see sites in the “Activate Changes” button?

For Example
One user have access to an folder under WATO - Configuration - Hosts
The user is restricted to only one folder and there he can change whatever he wants and also has the permission to activate

But when he activate`s the changes under the “Activate Pending Changes - Button” he can see all Sites.
Also the user could try to Open sites local web user interface and he does see if pending activations are available for others sites.

Can the view of the Activation Status somehow be restricted for users?

Thanks.

Hi @pleipold and welcome to the forum.

The option you are mentioning is not possible within cmk. It would be really difficult to determine which changes are relevant for the specific user to the specific host to a specific remote site. Actual it’s even not possible to activate some selected changes out of order.

Maybe an option for you could be to remove the permission to activate changes for this user and also access to the distributed monitoring page and let cmk activate the changes automatically. Please see the documentation for further informations: https://checkmk.com/cms_web_api_references.html#activate_changes

Hi @tosch,

thanks.

I will try out your mentioned Option.
Thanks a lot!

Hi @tosch,
would it be possible to hide all sites in that view where the user has no access. Like it is done for folders?

Hi @dzajac and welcome too to the forum.

I guess no, it’s not possible, but i never checked this.
It’s possible to have a differnt user access configuration on all sites and this configuration is not known by the master site. So i guess it’s also not possible to implement such funtion.

For the management edition that’s kind a problem to expose the information about all the configured sites to local users. The other site names and information could be sensitive. Let’s see if the mentioned workaround could help me out of that problem.

Maybe you could discuss if there could a view be added for local users only show the local site. If that is toggled as a configuration parameter the activiation site is replaced by a “activate local changes” view?

if you have permissions on folders, yes you can hide them:
WATO -> Global Settings -> Hide folders without read permissions ->On

@neeloj yes that is what we are doing. It works perfect. Same functionality for sites would be nice, too. The described problem is that users who don’t have access to other sites still can see the site name on the “activate changes” view. We don’t want that. The folders and hosts views work perfectly for us with the hide functionality.

1 Like

@neeloj: He like to have the same function for Distributed Monitoring and the shown remote sites there.

2 Likes

Since 1.4 Enterprise Edition you have the “Authorized sites” in the Identity pane of the user. With help of that you can limit the sites the user is seeing.