User groups allow to group users both for organizational purposes and for assigning permissions to data. Permissions to monitoring data of host groups are assigned to user groups, not individual users.
It may often make sense to separate what information is available for one group of users and what - for another. This can be accomplished by grouping users and then assigning varied permissions to host groups.
A user can belong to any number of groups.
To configure a user group:
The User group tab contains general group attributes:
All mandatory input fields are marked with a red asterisk.
Parameter | Description |
---|---|
Group name | Unique group name. |
Users | To add users to the group start typing the name of an existing user. When the dropdown with matching user names appears, scroll down to select. Alternatively you may click the Select button to select users in a popup. |
Frontend access | How the users of the group are authenticated. System default - use default authentication method (set globally) Internal - use Zabbix internal authentication (even if LDAP authentication is used globally). Ignored if HTTP authentication is the global default. LDAP - use LDAP authentication (even if internal authentication is used globally). Ignored if HTTP authentication is the global default. Disabled - access to Zabbix frontend is forbidden for this group |
Enabled | Status of user group and group members. Checked - user group and users are enabled Unchecked - user group and users are disabled |
Debug mode | Mark this checkbox to activate debug mode for the users. |
The Permissions tab allows you to specify user group access to host group (and thereby host) data:
Current permissions to host groups are displayed in the Permissions block.
If current permissions of the host group are inherited by all nested host groups, this is indicated after the host group name ("including subgroups"). Note that a Zabbix Super admin user can enforce nested host groups to have the same level of permissions as the parent host group; this can be done in the host group configuration form.
You may change the level of access to a host group:
Use the selection field below to select host groups and the level of access to them. This field is auto-complete so starting to type the name of a host group will offer a dropdown of matching host groups. If you wish to see all host groups, click on Select. If you wish to include nested host groups, mark the Include subgroups checkbox. Click on to add the selected host groups to the list of host group permissions.
Adding a parent host group with the Include subgroups checkbox marked will override (and remove from the list) previously configured permissions of all related nested host groups. Adding a host group with None as the level of access selected will remove the host group from the list if the host group is already in the list.
The Tag filter tab allows you to set tag based permissions for user groups to see problems filtered by tag name and its value:
To select a host group to apply a tag filter for, click Select to get the complete list of existing host groups or start to type the name of a host group to get a dropdown of matching groups. If you want to apply tag filters to nested host groups, mark the Include subgroups checkbox.
Tag filter allows to separate the access to host group from the possibility to see problems.
For example, if a database administrator needs to see only "MySQL" database problems, it is required to create a user group for database administrators first, than specify "Service" tag name and "MySQL" value.
If "Service" tag name is specified and value field is left blank, corresponding user group will see all problems for selected host group with tag name "Service". If both tag name and value fields are left blank but host group selected, corresponding user group will see all problems for selected host group. Make sure a tag name and tag value are correctly specified otherwise a corresponding user group will not see any problems.
Let's review an example when a user is a member of several user groups selected. Filtering in this case will use OR condition for tags.
User group A | User group B | Visible result for a user (member) of both groups | ||||
Tag filter | ||||||
Host group | Tag name | Tag value | Host group | Tag name | Tag value | |
Templates/Databases | Service | MySQL | Templates/Databases | Service | Oracle | Service: MySQL or Oracle problems visible |
Templates/Databases | blank | blank | Templates/Databases | Service | Oracle | All problems visible |
not selected | blank | blank | Templates/Databases | Service | Oracle | Service:Oracle problems visible |
Adding a filter (for example, all tags in a certain host group "Templates/Databases") results in not being able to see the problems of other host groups.
A user may belong to any number of user groups. These groups may have different access permissions to hosts.
Therefore, it is important to know what hosts an unprivileged user will be able to access as a result. For example, let us consider how access to host X (in Hostgroup 1) will be affected in various situations for a user who is in user groups A and B.
“Read-write” permissions have precedence over “Read” permissions starting with Zabbix 2.2.