From:   Jacques Mineur/11/DRV-Bund
To:     checkmk-en-boun...@lists.mathias-kettner.de
Date:   01.08.2017 09:34
Subject:        Fwd: Re: [Check_mk (english)] 'Visibility of Hosts/Services' for
            LDAP users


Hi Rafal,

we also have an integration with AD and it works very well with only two AD
groups:

- One AD group to implement the permissions. There is a corresponding
CheckMK role with the same name as in AD. We have only three roles (Admin
User, Wato User, Monitoring User)

Admin User has the same rights as cmkadmin
Wato User has a subset of the Wato permissions of the cmkadmin and can
edit all the hosts and services (we don't use the 'Permissions' attribute
in the Basic settings of the hosts)
Monitoring User does standard monitoring without configuration possibility

- One AD group to implement the visibility. There is a corresponding
CheckMK role and a corresponding CheckMK contact group with the same name.
These groups represent our teams that work with CheckMK

The Team contact group will be used for the visibility of the hosts and
services
The Team role will be used for the visibility of Team bookmarks

In the implementation, we also use the following settings/rules:
- Global Settings / Monitoring Core / Authorization Settings / Hosts and
Host-/Servicegroups have to be set to strict
- We also have a Host Tag per Team, which is used in the rules
'Assignment of hosts to contact groups' and 'Assignment of services to contact
groups'
This was necessary because we sometimes have the case, for one host, that one
team wants to see some services and another team wants to see the other
services.

We don't need your group 1 (granting access to CheckMK) because we only
import users that have a CheckMK role in AD.

Jacques Mineur
________________________________
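Added example, not part of the original mail and not Checkmk code: a simplified Python model of the two-group scheme described above, showing why strict service authorization is needed when two teams share one host. It assumes the core's semantics that in loose mode a host contact also sees every service on that host, while in strict mode only explicit service contacts do; the team groups, host, services and users are constructed sample data.

```python
# Simplified model (added example) of contact-based service visibility.
# Team groups, host, services and users are constructed sample data.

ROLE_GROUPS = {"Admin User", "Wato User", "Monitoring User"}

# Constructed directory export: user -> AD group memberships.
AD_MEMBERSHIPS = {
    "alice": {"Monitoring User", "team-db"},
    "bob": {"Wato User", "team-web"},
    "carol": {"team-web"},  # team group only, no role group
}

# Result of the per-team host tag rules: contact groups per host and service.
HOST_CONTACT_GROUPS = {"srv01": {"team-db", "team-web"}}
SERVICE_CONTACT_GROUPS = {
    ("srv01", "PostgreSQL"): {"team-db"},
    ("srv01", "HTTP"): {"team-web"},
    ("srv01", "CPU load"): {"team-db", "team-web"},
}


def imported_users(memberships):
    """Import only users that hold a role group; other groups are team groups."""
    users = {}
    for user, groups in memberships.items():
        roles = groups & ROLE_GROUPS
        if roles:
            users[user] = {"roles": roles,
                           "contact_groups": groups - ROLE_GROUPS}
    return users


def visible_services(contact_groups, mode):
    """Services a non-admin user with these contact groups can see.

    mode is "strict" or "loose"; roles that see all objects are not modelled.
    """
    seen = set()
    for (host, service), service_groups in SERVICE_CONTACT_GROUPS.items():
        is_service_contact = bool(contact_groups & service_groups)
        is_host_contact = bool(
            contact_groups & HOST_CONTACT_GROUPS.get(host, set()))
        if is_service_contact or (mode == "loose" and is_host_contact):
            seen.add((host, service))
    return seen


if __name__ == "__main__":
    for name, info in sorted(imported_users(AD_MEMBERSHIPS).items()):
        for mode in ("loose", "strict"):
            print(name, mode, sorted(visible_services(info["contact_groups"], mode)))
```
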

----- Forwarded by Jacques Mineur/11/DRV-Bund on 01.08.2017 09:07
-----

From:   Rafal Bialek <bialy...@hotmail.com>
To:     Jam Mulch <spammagne...@gmail.com>, Andreas Döhler
            <andreas.doeh...@gmail.com>,
            "checkmk-en@lists.mathias-kettner.de"
            <checkmk-en@lists.mathias-kettner.de>
Date:   31.07.2017 17:15
Subject:        Re: [Check_mk (english)] 'Visibility of Hosts/Services' for
            LDAP users
Sent by:        "checkmk-en"
            <checkmk-en-boun...@lists.mathias-kettner.de>



Thank you both,
Sounds like adjusting Roles & Permissions parameters per role is a neat way
to go (will treat it as a backup way). For some reason Visibility of the
hosts started to work exactly as Andreas said. As I’m testing this using
a Vagrant environment, I assume something wasn’t right and restarting
the environment corrected it. Thank you very much for your responses.

I would like to take this opportunity and check with experts whether my
LDAP integration setup will work. Any suggestion would be much appreciated.
I’m sure many of you have already established a working structure. Would like
to learn from others’ experience first before committing my way into
production.
As I said, in my setup each user is a member of three separate security
groups:
   1.   Group for granting access to Check_MK Front-end
   2.   Group mapping to roles (Check_MK permissions/visibility)
   3.   Group mapping to contact groups (Check_MK notification/visibility)

For details see my original post.
Wonder if 3 groups are not overkill.


Regards,

Rafal Bialek

From: Jam Mulch
Sent: 30 July 2017 12:31
To: Andreas Döhler; Rafal Bialek; checkmk-en@lists.mathias-kettner.de
Subject: Re: [Check_mk (english)] 'Visibility of Hosts/Services' for LDAP
users

That is the default. You can change that by going to
WATO -> Roles & Permissions -> user -> See all host and services

Change the setting from 'default (no)' to 'yes'.

The user will then be able to change the setting in their Edit User Profile
page
to see or hide hosts and services they are not a contact for.
On 7/30/2017 3:55 AM, Andreas Döhler wrote:
      Hi Rafal,

      if a user has only the role "user" assigned then he only sees hosts
      and services he is contact for.
      The special settings for "Visibility of Hosts/Services" is only
      needed if a user is member of admin or guest role as these roles see
      all objects.

      In my systems all new users get the role "user" assigned and then
      they see nothing without any contact groups.

      br
      Andreas

      Rafal Bialek <bialy...@hotmail.com> wrote on Sat, 29 July 2017 at
      20:42:

            Hello,

            I'm almost done with AD integration and management of Check_MK
            (Raw ver. 1.4.0p7)
            So far I have the following working:
            Users:
            - User is a member of AD Security Group (users dedicated group)
            - AD Security Group is mapped to WATO Role through user_dn and
            user_filter parameters of user_connections.mk

            Roles & Permissions:
            - User is a member of AD Security Group (role dedicated groups)
            - AD Security Groups are mapped to WATO Role through
            groups_to_roles parameter of user_connections.mk

            Contact Group:
            - User is a member of AD Security Group (contactgroup dedicated
            groups)
            - AD Security Groups are mapped to WATO Contact Groups through
            group_dn of user_connections.mk

            To summarize, an individual user is a member of three AD security
            groups
            1. User Group which authorizes access to Check_MK
            2. Role group which decides what permissions are allocated to
            users
            3. Contact group role which decides what user should see (if
            'Visibility of Hosts/Services' is turned on)

            I have also created mapping of host/service to contact groups
            and confirmed as working when enabling option 'Visibility of
            Hosts/Services' by editing properties of individual account.

            I would like the feature of 'Visibility of Hosts/Services' to
            be enabled by default when a new user is added after syncing with
            AD. I thought this feature is enabled when checking option
            'Visibility of Hosts/Services' in 'Attribute Sync Plugins'
            section of LDAP connection. In user_connections.mk it appears as
            'force_authuser': {} so expect some key-value items.
            How can I set default value of 'Visibility of Hosts/Services'
            to TRUE for every new user being added through LDAP
            synchronisation?



            Regards,

            Rafal Bialek

            _______________________________________________
            checkmk-en mailing list
            checkmk-en@lists.mathias-kettner.de
            http://lists.mathias-kettner.de/mailman/listinfo/checkmk-en


