Version: 24.04

Granting rights to Centreon users (ACL)

You can grant rights to Centreon users:

on resources: which hosts, services, etc. users will be allowed to see
on the menus in the Centreon interface (which pages users will be able to access)
on actions users will be allowed to carry out, on resources or on a monitoring engine (planning downtime, exporting the configuration, etc.).

Rights are not defined at user level, but through access groups.

A specific user can belong to several access groups, and the rights defined in each group will be combined.
Non-administrator users that belong to no access group will have no rights at all on the monitoring platform (empty screen at login)
Administrator users have all rights (even if you add an administrator to an access group with limited rights).

ACLs are recalculated every minute; this is why it is sometimes necessary to wait a few seconds before changes are applied to a user. You can also reload them manually.

The Centreon MBI, BAM and MAP modules have their own ACLs.

Granting rights to a user

To grant rights to a user:

Create the user in Centreon.
Create an access group.
Add the user to the access group.
Create access filters on resources, menus and actions.
Set the rights you want:
- either on the access group
- or on the access filters on resources, menus and actions.

Creating an access group

To create an access group:

Go to Administration > ACL > Access groups and then click Add.
On the Group information tab, enter a name and an alias (a description) for the group.
To add users (contacts) or contact groups to the access group, use the Linked Contacts/Linked Contact Groups table. (Select the user(s) you want in the Available column, and then click Add. The user(s) is moved to the Selected column.)
The contact group can come from the LDAP directory connected to the Centreon interface.
To avoid problems, groups created in the Centreon interface should not have the same name as LDAP groups.
On the Authorizations information tab, set the rights you want on the access group by choosing access filters on resources, menus and actions (if you have already created them).
Click Save.

Creating access filters on resources, menus and actions

Access filters on resources

The access filters on resources allow you to define which objects (hosts, host groups, services and service groups) users will be able to see in the Centreon interface.

To create an access filter on resources:

Go to Administration > ACL > Resources Access.
Click Add.
Fill in the fields you want (see table below).
Click Save.

Once the filters on the resources are defined, you can view the results using the Check User View button on page Administration > ACL > Resources Access.

Reference

Tab	Actions
General Information	Use the Linked groups table to link access groups to the filter on resources, i.e. grant the rights defined in the filter to the access group. Status and Comments allow you to enable/disable the filter or to add comments to it.
Hosts Resources	Define which hosts and hosts groups users will be able to see in the Centreon interface. If Include all hosts or Include all hostgroups is selected, any newly created host or host group will be added to the filter automatically. When Include all hosts or Include all hostgroups is selected, you can explicitly exclude hosts from the filter (e.g. when only 1 or 2 hosts should not be included in the filter).
Services resources	The Services resources tab allows you to define which service groups users will be allowed to see.
Meta Services	The Meta Services tab allows you to define which meta services users will be able to see.
Filters	The Poller Filter table allows you to select hosts monitored by a specific monitoring engine (if no poller is selected, then all pollers are taken into account) The Host Category Filter table allows you to filter the hosts by category The Service Category Filter table allows you to filter services by category. Filters by poller or by category of objects are inclusion filters (UNION). Only the objects belonging to these filters in addition to groups of objects (hosts and services) will be visible.

Access filters on menus

Access filters on menus allow you to define which pages in the Centreon interface users will be able to access.

Accessing the command editing menu as well as accessing the SNMP trap editing menu can be very dangerous. This is because privileged users can create commands, which may lead to the creation of security breaches (RCE). Only give this access to people you trust.

To create an access filter on menus:

Go to Administration > ACL > Menus Access.
Click Add.
Complete the following fields:
- ACL Definition (its name) and Alias
- Status: enable or disable the filter
- Comments: add info about the filter.
To grant access groups the rights defined in this filter, use the Linked groups table.
In the Accessible pages section, define which menus the access group will be able to access.
- A parent menu must be selected to access the child menu.
- By default, access is Read Only. If you want to allow your users to modify the configuration, select the Read / Write option for each submenu.
- To access an ‘n-1’ menu level, users must have access to the ‘n’ menu level, otherwise they will not be able to view the menu via the interface. If this is not the case, users will have to access the page via a direct link (autologin, etc.).
- Whenever a new Centreon module is created with a web interface accessible via a new menu, it should be added to the filter so that users can access it (if applicable).
Click Save.

Access filters on actions

Filters on actions allow you to define which actions users will be allowed to perform on resources (hosts and services) and on the monitoring engines.

To create an access filter on actions:

Go to Administration > ACL > Actions Access.
Click Add.
- The Action Name and Description fields contain the name of the filter and its description
- In the Relations section, use the Linked Groups table to grant access groups the rights defined in the filter.
Select the options you want (see tables below).
Click Save.

Global Functionalities Access

Field	Associated actions
Display Top Counter	The monitoring overview will be displayed in the banner at the top of all pages
Display Top Counter pollers statistics	The monitoring poller status overview will be displayed on the left in the banner at the top of all pages
Display Poller Listing	Allows you to filter on the poller on page Monitoring > Status Details > Hosts or Monitoring > Status Details > Services (deprecated pages)

Poller Configuration Actions / Poller Management

Field	Associated actions
Create and edit pollers	Users can perform Add, Add (advanced) and Duplicate actions on remote servers and pollers, and edit them.
Delete pollers	Allows users to remove remote servers and pollers from the configuration. This action cannot be undone. Warning: before you delete a poller, check that it is not monitoring any hosts and that centengine is stopped.
Deploy configuration files	Allows users to generate, test and export configuration to remote servers and pollers, and to restart their monitoring engine
Generate SNMP Trap configuration	Allows users to generate and export configuration of the SNMP traps for the Centreontrapd process on pollers and to restart it

Global Monitoring Engine Actions (External Process Commands)

These fields are no longer in use.

Services Actions Access

Field	Associated actions
Enable/Disable Checks for a service	Allows users to enable or disable checks for a service on page Monitoring > Status details > Services (deprecated page)
Enable/Disable Notifications for a service	Allows users to enable or disable notifications for a service on page Monitoring > Status details > Services (deprecated page)
Acknowledge a service	Allows users to acknowledge a service
Disacknowledge a service	Allows users to disacknowledge a service
Re-schedule the next check for a service	Allows users to trigger a check on a service. The check is made even outside the service's check period.
Re-schedule the next check for a service (Forced)	Allows users to trigger a check on a service. The check is made even outside the service's check period.
Schedule downtime for a service	Allows users to schedule downtime on a service
Add/Delete a comment for a service	Allows users to add or delete a comment on a service
Enable/Disable Event Handler for a service	Allows users to enable or disable the event handler processing of a service in the detailed sheet of a service accessible via the Monitoring > Status Details > Services menu (deprecated page)
Allows users to enable or disable flap detection of a service	Allows users to enable or disable flap detection of a service in the detailed sheet of a service accessible via the Monitoring > Status Details > Services menu (deprecated page)
Enable/Disable passive checks of a service	Allows users to enable or disable passive checks of a service in the detailed sheet of a service accessible via the Monitoring > Status Details > Services menu (deprecated page)
Submit result for a service	Allows users to modify the status of a passive service manually, until the next check
Display executed command by monitoring engine	Displays the executed command for a service in its Details panel

Hosts Actions Access

Field	Associated actions
Enable/Disable Checks for a host	Allows users to enable or disable checks for a host on page Monitoring > Status details > Hosts (deprecated page)
Enable/Disable Notifications for a host	Allows users to enable or disable notifications for a host on page Monitoring > Status details > Hosts (deprecated page)
Acknowledge a host	Allows users to acknowledge a host
Disaknowledge a host	Allows users to disacknowledge a host
Schedule the check for a host	Allows users to trigger a check on a host. The check is made even outside the host's check period.
Schedule the check for a host (Forced)	Allows users to trigger a check on a host. The check is made even outside the host's check period.
Schedule downtime for a host	Allows users to schedule downtime on a host
Add/Delete a comment for a host	Allows users to add or delete a comment for a host
Enable/Disable Event Handler for a host	Allows users to enable or disable the event handler processing of a host on page Monitoring > Status details > Hosts (deprecated page)
Enable/Disable Flap Detection for a host	Allows users to enable or disable flap detection of a host on page Monitoring > Status details > Hosts (deprecated page)
Enable/Disable Checks services of a host	Allows users to enable or disable all service checks of a host on page Monitoring > Status details > Hosts (deprecated page)
Enable/Disable Notifications services of a host	Allows users to enable or disable service notifications of a host on page Monitoring > Status details > Hosts (deprecated page)
Submit result for a host	Allows users to modify the status of a passive host manually, until the next check

The Status field is used to enable or disable the filter.

Reload ACL

It is possible of reload the ACLs manually:

Go to Administration > ACL.
In the left menu, click Reload ACL.
Select the user(s) you want to reload the ACL.
In the More actions menu, click Reload ACL.

Granting rights to a user​

Creating an access group​

Creating access filters on resources, menus and actions​

Access filters on resources​

Reference​

Access filters on menus​

Access filters on actions​

Global Functionalities Access​

Poller Configuration Actions / Poller Management​

Global Monitoring Engine Actions (External Process Commands)​

Services Actions Access​

Hosts Actions Access​

Reload ACL​