Granting rights to Centreon users (ACL)
You can grant rights to Centreon users:
- on resources: which hosts, services, etc. users will be allowed to see
- on the menus in the Centreon interface (which pages users will be able to access)
- on actions users will be allowed to carry out, on resources or on a monitoring engine (planning downtime, exporting the configuration, etc.).
Rights are not defined at user level, but through access groups.
- A specific user can belong to several access groups, and the rights defined in each group will be combined.
- Non-administrator users that belong to no access group will have no rights at all on the monitoring platform (empty screen at login)
- Administrator users have all rights (even if you add an administrator to an access group with limited rights).
ACLs are recalculated every minute; this is why it is sometimes necessary to wait a few seconds before changes are applied to a user. You can also reload them manually.
Granting rights to a user
To grant rights to a user:
-
Create the user in Centreon.
-
Add the user to the access group.
-
Set the rights you want:
- either on the access group
- or on the access filters on resources, menus and actions.
Creating an access group
To create an access group:
-
Go to Administration > ACL > Access groups and then click Add.
-
On the Group information tab, enter a name and an alias (a description) for the group.
-
To add users (contacts) or contact groups to the access group, use the Linked Contacts/Linked Contact Groups table. (Select the user(s) you want in the Available column, and then click Add. The user(s) is moved to the Selected column.)
The contact group can come from the LDAP directory connected to the Centreon interface.
To avoid problems, groups created in the Centreon interface should not have the same name as LDAP groups.
-
On the Authorizations information tab, set the rights you want on the access group by choosing access filters on resources, menus and actions (if you have already created them).
-
Click Save.
Creating access filters on resources, menus and actions
Access filters on resources
The access filters on resources allow you to define which objects (hosts, host groups, services and service groups) users will be able to see in the Centreon interface.
To create an access filter on resources:
-
Go to Administration > ACL > Resources Access.
-
Click Add.
-
Fill in the fields you want (see table below).
-
Click Save.
Once the filters on the resources are defined, you can view the results using the Check User View button on page Administration > ACL > Resources Access.
Reference
Tab | Actions |
---|---|
General Information |
|
Hosts Resources |
When Include all hosts or Include all hostgroups is selected, you can explicitly exclude hosts from the filter (e.g. when only 1 or 2 hosts should not be included in the filter). |
Services resources | The Services resources tab allows you to define which service groups users will be allowed to see. |
Meta Services | The Meta Services tab allows you to define which meta services users will be able to see. |
Filters |
|
Access filters on menus
Access filters on menus allow you to define which pages in the Centreon interface users will be able to access.
Accessing the command editing menu as well as accessing the SNMP trap editing menu can be very dangerous. This is because privileged users can create commands, which may lead to the creation of security breaches (RCE). Only give this access to people you trust.
To create an access filter on menus:
-
Go to Administration > ACL > Menus Access.
-
Click Add.
-
Complete the following fields:
- ACL Definition (its name) and Alias
- Status: enable or disable the filter
- Comments: add info about the filter.
-
To grant access groups the rights defined in this filter, use the Linked groups table.
-
In the Accessible pages section, define which menus the access group will be able to access.
- A parent menu must be selected to access the child menu.
- By default, access is Read Only. If you want to allow your users to modify the configuration, select the Read / Write option for each submenu.
- To access an ‘n-1’ menu level, users must have access to the ‘n’ menu level, otherwise they will not be able to view the menu via the interface. If this is not the case, users will have to access the page via a direct link (autologin, etc.).
- Whenever a new Centreon module is created with a web interface accessible via a new menu, it should be added to the filter so that users can access it (if applicable).
-
Click Save.
Access filters on actions
Filters on actions allow you to define which actions users will be allowed to perform on resources (hosts and services) and on the monitoring engines.
To create an access filter on actions:
-
Go to Administration > ACL > Actions Access.
-
Click Add.
- The Action Name and Description fields contain the name of the filter and its description
- In the Relations section, use the Linked Groups table to grant access groups the rights defined in the filter.
-
Select the options you want (see tables below).
-
Click Save.
Global Functionalities Access
Field | Associated actions |
---|---|
Display Top Counter | The monitoring overview will be displayed in the banner at the top of all pages |
Display Top Counter pollers statistics | The monitoring poller status overview will be displayed on the left in the banner at the top of all pages |
Display Poller Listing | Allows you to filter on the poller on page Monitoring > Status Details > Hosts or Monitoring > Status Details > Services (deprecated pages) |
Poller Configuration Actions / Poller Management
Field | Associated actions |
---|---|
Create and edit pollers | Users can perform Add, Add (advanced) and Duplicate actions on remote servers and pollers, and edit them. |
Delete pollers | Allows users to remove remote servers and pollers from the configuration. This action cannot be undone. Warning: before you delete a poller, check that it is not monitoring any hosts and that centengine is stopped. |
Deploy configuration files | Allows users to generate, test and export configuration to remote servers and pollers, and to restart their monitoring engine |
Generate SNMP Trap configuration | Allows users to generate and export configuration of the SNMP traps for the Centreontrapd process on pollers and to restart it |
Global Monitoring Engine Actions (External Process Commands)
These fields are no longer in use.
Services Actions Access
Field | Associated actions |
---|---|
Enable/Disable Checks for a service | Allows users to enable or disable checks for a service on page Monitoring > Status details > Services (deprecated page) |
Enable/Disable Notifications for a service | Allows users to enable or disable notifications for a service on page Monitoring > Status details > Services (deprecated page) |
Acknowledge a service | Allows users to acknowledge a service |
Disacknowledge a service | Allows users to disacknowledge a service |
Re-schedule the next check for a service | Allows users to trigger a check on a service. The check is made even outside the service's check period. |
Re-schedule the next check for a service (Forced) | Allows users to trigger a check on a service. The check is made even outside the service's check period. |
Schedule downtime for a service | Allows users to schedule downtime on a service |
Add/Delete a comment for a service | Allows users to add or delete a comment on a service |
Enable/Disable Event Handler for a service | Allows users to enable or disable the event handler processing of a service in the detailed sheet of a service accessible via the Monitoring > Status Details > Services menu (deprecated page) |
Allows users to enable or disable flap detection of a service | Allows users to enable or disable flap detection of a service in the detailed sheet of a service accessible via the Monitoring > Status Details > Services menu (deprecated page) |
Enable/Disable passive checks of a service | Allows users to enable or disable passive checks of a service in the detailed sheet of a service accessible via the Monitoring > Status Details > Services menu (deprecated page) |
Submit result for a service | Allows users to modify the status of a passive service manually, until the next check |
Display executed command by monitoring engine | Displays the executed command for a service in its Details panel |
Hosts Actions Access
Field | Associated actions |
---|---|
Enable/Disable Checks for a host | Allows users to enable or disable checks for a host on page Monitoring > Status details > Hosts (deprecated page) |
Enable/Disable Notifications for a host | Allows users to enable or disable notifications for a host on page Monitoring > Status details > Hosts (deprecated page) |
Acknowledge a host | Allows users to acknowledge a host |
Disaknowledge a host | Allows users to disacknowledge a host |
Schedule the check for a host | Allows users to trigger a check on a host. The check is made even outside the host's check period. |
Schedule the check for a host (Forced) | Allows users to trigger a check on a host. The check is made even outside the host's check period. |
Schedule downtime for a host | Allows users to schedule downtime on a host |
Add/Delete a comment for a host | Allows users to add or delete a comment for a host |
Enable/Disable Event Handler for a host | Allows users to enable or disable the event handler processing of a host on page Monitoring > Status details > Hosts (deprecated page) |
Enable/Disable Flap Detection for a host | Allows users to enable or disable flap detection of a host on page Monitoring > Status details > Hosts (deprecated page) |
Enable/Disable Checks services of a host | Allows users to enable or disable all service checks of a host on page Monitoring > Status details > Hosts (deprecated page) |
Enable/Disable Notifications services of a host | Allows users to enable or disable service notifications of a host on page Monitoring > Status details > Hosts (deprecated page) |
Submit result for a host | Allows users to modify the status of a passive host manually, until the next check |
- The Status field is used to enable or disable the filter.
Reload ACL
It is possible of reload the ACLs manually:
- Go to Administration > ACL.
- In the left menu, click Reload ACL.
- Select the user(s) you want to reload the ACL.
- In the More actions menu, click Reload ACL.