Unable to see hosts monitored via customer's site with a provider-only user

CMK version: 2.2.0p11
OS version: Ubuntu 22.04

We are in the process of implementing a distributed monitoring environment using the Checkmk Managed Services Edition.

Currently, we have the problem that the user on the central site is not able to see the customer’s hosts.
The user on the central site can only see hosts assigned to the “Provider”.

The user on the central site is assigned to the contact group “CMK-EXTERN” for example, and is set to the customer “Provider”, as we would like to avoid syncing internal users to our customers.
These users are added via LDAP/Active Directory, to which only the Provider’s site has network access.

The customer’s hosts do have the contact group “CMK-EXTERN” assigned.
When viewing a host monitored by the customer’s site, under “Host contact groups” the mentioned contact group is assigned correctly.
“Host contacts” doesn’t list the provider’s user (which should be expected), only the customer’s users.

When logging in to the customer’s site with a user defined for the customer, I am able to see the hosts.

But I am able to see the customer’s hosts on our central “Provider” site when trying the following things:

  • When setting the customer flag of the LDAP user to “Provider” (which will sync the user to the customer’s site)
  • When disabling the user flag “Only show hosts and services the user is a contact for”
    → This isn’t ideal since it also shows all hosts on the Provider’s site that aren’t assigned to the user (e.g. hosts of another team)

Is this behavior intended to have all Provider’s users synced to all sites, or am I missing some setting I am not aware of?

Hi @rs-info and welcome to the forum! :wave:

What you describe works as intended. Let me explain: The “Provider” customer is just a normal customer object, just like all the others you create. It only has a “special” name. Hence, users of the “Provider” customer can by default only see hosts of their customer. In this case, that is you, your organization’s hosts. It works the same for all other customers, which you would obviously expect.

This is not true. You need to assign those users to the “Global” customer. This is the only customer that has a special meaning, and it is in the name itself: Users assigned to this customer get replicated globally and can be used globally.

Now towards your concerns: Typically organizations like yours use the “Provider” to monitor their own hosts. They use it like every other customer. Now to manage the entire system including all customers, they use users assigned to the “Global” customer and restrict visibility through contact groups.

Regarding the security concerns that seem to shimmer through here: I cannot see a problem with user objects replicated to customer sites. They consist of just a few attributes, which your customers could know anyway. And they do not have easy access to these objects. If you still feel uncomfortable having those users synchronized, I recommend creating dedicated users or service users, with only a very limited set of attributes. So even if a customer got hold of the information, it is not critical.

2 Likes

Hi Robin,

Thanks for your extensive explanation! Now this behavior makes a lot more sense, and knowing that only a very limited set of attributes is replicated to the customer’s site defuses the situation a bit.

Thank you for your help!

1 Like