Skip to main content
Version: ⭐ 24.10

Granting rights to Centreon users (ACL)

You can grant rights to Centreon users:

  • on resources: which hosts, services, etc. users will be allowed to see
  • on the menus in the Centreon interface (which pages users will be able to access)
  • on actions users will be allowed to carry out, on resources or on a monitoring engine (planning downtime, exporting the configuration, etc.).

Rights are not defined at user level, but through access groups.

  • A specific user can belong to several access groups, and the rights defined in each group will be combined.
  • Non-administrator users that belong to no access group will have no rights at all on the monitoring platform (empty screen at login)
  • Administrator users have all rights (even if you add an administrator to an access group with limited rights).

ACLs are recalculated every minute; this is why it is sometimes necessary to wait a few seconds before changes are applied to a user. You can also reload them manually.

The Centreon MBI, BAM and MAP modules have their own ACLs.

Granting rights to a user

To grant rights to a user:

  1. Create the user in Centreon.

  2. Create an access group.

  3. Add the user to the access group.

  4. Create access filters on resources, menus and actions.

  5. Set the rights you want:

    • either on the access group
    • or on the access filters on resources, menus and actions.

Creating an access group

To create an access group:

  1. Go to Administration > ACL > Access groups and then click Add.

  2. On the Group information tab, enter a name and an alias (a description) for the group.

  3. To add users (contacts) or contact groups to the access group, use the Linked Contacts/Linked Contact Groups table. (Select the user(s) you want in the Available column, and then click Add. The user(s) is moved to the Selected column.)

    The contact group can come from the LDAP directory connected to the Centreon interface.

    To avoid problems, groups created in the Centreon interface should not have the same name as LDAP groups.

  4. On the Authorizations information tab, set the rights you want on the access group by choosing access filters on resources, menus and actions (if you have already created them).

  5. Click Save.

Creating access filters on resources, menus and actions

Access filters on resources

The access filters on resources allow you to define which objects (hosts, host groups, services and service groups) users will be able to see in the Centreon interface.

To create an access filter on resources:

  1. Go to Administration > ACL > Resources Access.

  2. Click Add.

  3. Fill in the fields you want (see table below).

  4. Click Save.

Once the filters on the resources are defined, you can view the results using the Check User View button on page Administration > ACL > Resources Access.

Reference

TabActions
General Information
  • Use the Linked groups table to link access groups to the filter on resources, i.e. grant the rights defined in the filter to the access group.
  • Status and Comments allow you to enable/disable the filter or to add comments to it.
Hosts Resources
  • Define which hosts and hosts groups users will be able to see in the Centreon interface.
  • If Include all hosts or Include all hostgroups is selected, any newly created host or host group will be added to the filter automatically.

When Include all hosts or Include all hostgroups is selected, you can explicitly exclude hosts from the filter (e.g. when only 1 or 2 hosts should not be included in the filter).

Services resourcesThe Services resources tab allows you to define which service groups users will be allowed to see.
Meta ServicesThe Meta Services tab allows you to define which meta services users will be able to see.
Filters
  • The Poller Filter table allows you to select hosts monitored by a specific monitoring engine (if no poller is selected, then all pollers are taken into account)
  • The Host Category Filter table allows you to filter the hosts by category
  • The Service Category Filter table allows you to filter services by category. Filters by poller or by category of objects are inclusion filters (UNION). Only the objects belonging to these filters in addition to groups of objects (hosts and services) will be visible.

Access filters on menus

Access filters on menus allow you to define which pages in the Centreon interface users will be able to access.

Accessing the command editing menu as well as accessing the SNMP trap editing menu can be very dangerous. This is because privileged users can create commands, which may lead to the creation of security breaches (RCE). Only give this access to people you trust.

To create an access filter on menus:

  1. Go to Administration > ACL > Menus Access.

  2. Click Add.

  3. Complete the following fields:

    • ACL Definition (its name) and Alias
    • Status: enable or disable the filter
    • Comments: add info about the filter.
  4. To grant access groups the rights defined in this filter, use the Linked groups table.

  5. In the Accessible pages section, define which menus the access group will be able to access.

    • A parent menu must be selected to access the child menu.
    • By default, access is Read Only. If you want to allow your users to modify the configuration, select the Read / Write option for each submenu.
    • To access an ‘n-1’ menu level, users must have access to the ‘n’ menu level, otherwise they will not be able to view the menu via the interface. If this is not the case, users will have to access the page via a direct link (autologin, etc.).
    • Whenever a new Centreon module is created with a web interface accessible via a new menu, it should be added to the filter so that users can access it (if applicable).
  6. Click Save.

Access filters on actions

Filters on actions allow you to define which actions users will be allowed to perform on resources (hosts and services) and on the monitoring engines.

To create an access filter on actions:

  1. Go to Administration > ACL > Actions Access.

  2. Click Add.

    • The Action Name and Description fields contain the name of the filter and its description
    • In the Relations section, use the Linked Groups table to grant access groups the rights defined in the filter.
  3. Select the options you want (see tables below).

  4. Click Save.

Global Functionalities Access

FieldAssociated actions
Display Top CounterThe monitoring overview will be displayed in the banner at the top of all pages
image
Display Top Counter pollers statisticsThe monitoring poller status overview will be displayed on the left in the banner at the top of all pages
image
Display Poller ListingAllows you to filter on the poller on page Monitoring > Status Details > Hosts or Monitoring > Status Details > Services (deprecated pages)

Poller Configuration Actions / Poller Management

FieldAssociated actions
Create and edit pollersUsers can perform Add, Add (advanced) and Duplicate actions on remote servers and pollers, and edit them.
Delete pollersAllows users to remove remote servers and pollers from the configuration. This action cannot be undone. Warning: before you delete a poller, check that it is not monitoring any hosts and that centengine is stopped.
Deploy configuration filesAllows users to generate, test and export configuration to remote servers and pollers, and to restart their monitoring engine
Generate SNMP Trap configurationAllows users to generate and export configuration of the SNMP traps for the Centreontrapd process on pollers and to restart it

Global Monitoring Engine Actions (External Process Commands)

These fields are no longer in use.

Services Actions Access

FieldAssociated actions
Enable/Disable Checks for a serviceAllows users to enable or disable checks for a service on page Monitoring > Status details > Services (deprecated page)
Enable/Disable Notifications for a serviceAllows users to enable or disable notifications for a service on page Monitoring > Status details > Services (deprecated page)
Acknowledge a serviceAllows users to acknowledge a service
Disacknowledge a serviceAllows users to disacknowledge a service
Re-schedule the next check for a serviceAllows users to trigger a check on a service. The check is made even outside the service's check period.
Re-schedule the next check for a service (Forced)Allows users to trigger a check on a service. The check is made even outside the service's check period.
Schedule downtime for a serviceAllows users to schedule downtime on a service
Add/Delete a comment for a serviceAllows users to add or delete a comment on a service
Enable/Disable Event Handler for a serviceAllows users to enable or disable the event handler processing of a service in the detailed sheet of a service accessible via the Monitoring > Status Details > Services menu (deprecated page)
Allows users to enable or disable flap detection of a serviceAllows users to enable or disable flap detection of a service in the detailed sheet of a service accessible via the Monitoring > Status Details > Services menu (deprecated page)
Enable/Disable passive checks of a serviceAllows users to enable or disable passive checks of a service in the detailed sheet of a service accessible via the Monitoring > Status Details > Services menu (deprecated page)
Submit result for a serviceAllows users to modify the status of a passive service manually, until the next check
Display executed command by monitoring engineDisplays the executed command for a service in its Details panel

Hosts Actions Access

FieldAssociated actions
Enable/Disable Checks for a hostAllows users to enable or disable checks for a host on page Monitoring > Status details > Hosts (deprecated page)
Enable/Disable Notifications for a hostAllows users to enable or disable notifications for a host on page Monitoring > Status details > Hosts (deprecated page)
Acknowledge a hostAllows users to acknowledge a host
Disaknowledge a hostAllows users to disacknowledge a host
Schedule the check for a hostAllows users to trigger a check on a host. The check is made even outside the host's check period.
Schedule the check for a host (Forced)Allows users to trigger a check on a host. The check is made even outside the host's check period.
Schedule downtime for a hostAllows users to schedule downtime on a host
Add/Delete a comment for a hostAllows users to add or delete a comment for a host
Enable/Disable Event Handler for a hostAllows users to enable or disable the event handler processing of a host on page Monitoring > Status details > Hosts (deprecated page)
Enable/Disable Flap Detection for a hostAllows users to enable or disable flap detection of a host on page Monitoring > Status details > Hosts (deprecated page)
Enable/Disable Checks services of a hostAllows users to enable or disable all service checks of a host on page Monitoring > Status details > Hosts (deprecated page)
Enable/Disable Notifications services of a hostAllows users to enable or disable service notifications of a host on page Monitoring > Status details > Hosts (deprecated page)
Submit result for a hostAllows users to modify the status of a passive host manually, until the next check
  • The Status field is used to enable or disable the filter.

Reload ACL

It is possible of reload the ACLs manually:

  1. Go to Administration > ACL.
  2. In the left menu, click Reload ACL.
  3. Select the user(s) you want to reload the ACL.
  4. In the More actions menu, click Reload ACL.