How to give a user access to all devices under a new tree

[pirx]

Hi,

maybe I'm just blind, but what is the simplest way to give a user the permission to view all devices under a specific tree?

I created a new tree, and added a couple of devices to it. Then I created a new user and gave him only permissions to 'View Graphs' at the Realm Permissions. After that I changed all default Graph Permissions to 'deny', only the 'Tree Permission' for the specific tree to allow.

This didn't work, the user has no access to any device under this tree. If I set all permissions for hosts under that tree to allow (Graph Permissions (By Host)), everything is fine. But I have to do this for every host, and if a new device is added to the tree, I have to remember to adjust the permissions for the user.

Is there a better/faster way to do this?

Ralf

[fmangeant]

Is there a better/faster way to do this?

Hi

I usually create users using these default policies :
- Graph Permissions (By Graph) = ALLOW
- Graph Permissions (By Host) = ALLOW
- Graph Permissions (By Graph Template) = ALLOW
- Tree Permissions = DENY

And then I add trees one by one.

[pirx]

Is there a better/faster way to do this?

Hi

I usually create users using these default policies :
- Graph Permissions (By Graph) = ALLOW
- Graph Permissions (By Host) = ALLOW
- Graph Permissions (By Graph Template) = ALLOW
- Tree Permissions = DENY

And then I add trees one by one.

That was the first thing I tried. But then the user can see all other hosts/graphs by viewing the graphs by 'List View' or 'Preview View" in the above right corner! I discovered this by accident and was a bit suprised...

Even if I give him only the right to 'User Has Rights to Tree View' in user managemant, he still can change the URL to point to another graph or host!

For example, it is still possible to acces this graph

http://myhost/cacti/graph.php?local_gra ... rra_id=all

even though the user has no access to the tree!

Ralf

[fmangeant]

That was the first thing I tried. But then the user can see all other hosts/graphs by viewing the graphs by 'List View' or 'Preview View" in the above right corner! I discovered this by accident and was a bit suprised...

You're right - I forgot to mention that I allow only the "Preview View" for my customers.

[pirx]

That was the first thing I tried. But then the user can see all other hosts/graphs by viewing the graphs by 'List View' or 'Preview View" in the above right corner! I discovered this by accident and was a bit suprised...

You're right - I forgot to mention that I allow only the "Preview View" for my customers.

I've tried to reproduce that. If I give a user the right on one tree and 'Preview View' as Graph option, he is able to see all graphs.

In 'Graph Permissions' I set all default policies to deny, only permissions for one tree to allow and in 'Realm Permissions' I only activated 'User Has Rights to Preview View '.

If the User then logs in, he is in 'Preview View' and can see all graphs! Maybe I'm doing something wrong, but I can't see, how this should restrict a user to just on tree and the corresponding devices/graphs.

Ralf

[krackerbelin]

That was the first thing I tried. But then the user can see all other hosts/graphs by viewing the graphs by 'List View' or 'Preview View" in the above right corner! I discovered this by accident and was a bit suprised...

I just look at the code of version 0.8.6c and that the normal behaviour. Tree permissions only affect "tree mode" view.

You have to use a deny default policy for hosts and add manually the hosts the user has access to.

FYI I've the same problem with more that 100 hosts per tree node...and i found no solution except to add the 100 hosts manually in the policy...

[pirx]

I just look at the code of version 0.8.6c and that the normal behaviour. Tree permissions only affect "tree mode" view.

You have to use a deny default policy for hosts and add manually the hosts the user has access to.

FYI I've the same problem with more that 100 hosts per tree node...and i found no solution except to add the 100 hosts manually in the policy...

You are right, that's a bit annoying. It would be so easy, if a user that has access to a tree has access to all devices and graphs too. It's very boring to add the permissions for many devices...

Ralf