3 User groups
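Overview
User groups allow grouping users both for organizational purposes and for assigning permissions to data. Permissions to view and configure the data of host groups and template groups are assigned to user groups, not to individual users.
It often makes sense to separate the information available to one user group from the information available to another. This can be accomplished by grouping users and then assigning varied permissions to host and template groups.
A user can belong to any number of groups.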
Configuration
To configure a user group:
- Go to Users → User groups
- Click on Create user group (or on the group name to edit an existing group)
- Edit group attributes in the form
The User group tab contains general group attributes:

All mandatory input fields are marked with a red asterisk.
| Parameter | Description |
|---|---|
| Group name | Unique group name. |
| Users | To add users to the group start typing the name of an existing user. When the dropdown with matching user names appears, scroll down to select. Alternatively you may click the Select button to select users in a popup. |
| Frontend access | How the users of the group are authenticated: System default - use default authentication method (set globally); Internal - use Zabbix internal authentication (even if LDAP authentication is used globally), ignored if HTTP authentication is the global default; LDAP - use LDAP authentication (even if internal authentication is used globally), ignored if HTTP authentication is the global default; Disabled - access to Zabbix frontend is forbidden for this group. |
| LDAP server | Select which LDAP server to use to authenticate the user. This field is enabled only if Frontend access is set to LDAP or System default. |
| Multi-factor authentication | Select which multi-factor authentication method to use to authenticate the user: Default - use the method set as default in MFA configuration; this option is selected by default for new user groups if MFA is enabled; <Method name> - use selected method (for example, "Zabbix TOTP"); Disabled - MFA is disabled for this group; this option is selected by default for new user groups if MFA is disabled. Note that if a user belongs to multiple user groups with MFA enabled (or at least one group has MFA enabled), the following authentication rules apply: if any group uses the "Default" MFA method, it will authenticate the user; otherwise, the first method (ordered alphabetically) will be used for authentication. |
| Enabled | Status of user group and group members: Checked - user group and users are enabled; Unchecked - user group and users are disabled. |
| Debug mode | Mark this checkbox to activate debug mode for the users. |
The Template permissions tab allows specifying user group access to template group (and thereby template) data:

The Host permissions tab allows specifying user group access to host group (and thereby host) data:

Click on
to choose the template/host groups (be it a parent or a nested group) and assign permissions to those. Start typing the group name (a dropdown of matching groups will appear) or click on Select for a popup window listing all groups to be opened.
Then use the option buttons to assign permissions to the chosen groups. Possible permissions are the following:
- Read-write - read-write access to a group;
- Read - read-only access to a group;
- Deny - access to a group denied.
If the same template/host group is added in several rows with different permissions set, the strictest permission will be applied.
Note that a Super admin user can enforce nested groups to have the same level of permissions as the parent group; this can be done in the host/template group configuration form.
Template permissions and Host permissions tabs support the same set of parameters.
Current permissions to groups are displayed in the Permissions block, and those can be modified or removed.
If a user group has Read-write permissions to a host and Deny or no permissions to a template linked to this host, the users of such group will not be able to edit templated items on the host, and template name will be displayed as Inaccessible template.
The Problem tag filter tab allows setting tag-based permissions for user groups to see problems filtered by tag name and value:

Click on
to choose the host groups.
To select a host group to apply a tag filter for, click Select to get the complete list of existing host groups or start typing the name of a host group to get a dropdown of matching groups. Only host groups will be displayed, because problem tag filter cannot be applied to template groups.
Then it is possible to switch from All tags to Tag list in order to set particular tags and their values for filtering. Tag names without values can be added, but values without names cannot. Only the first three tags (with values, if any) are displayed in the Permissions block; if there are more, those can be seen by clicking or hovering over the icon.
Tag filter allows separating the access to host group from the possibility to see problems.
For example, if a database administrator needs to see only "MySQL" database problems, it is required to create a user group for database administrators first, then specify "target" tag name and "mysql" value.

If "target" tag name is specified and value field is left blank, the user group will see all problems with tag name "target" for the selected host group. If All tags is selected, the user group will see all problems for the specified host group.
Make sure the tag name and tag value are correctly specified; otherwise, the user group will not see any problems.
Let's review an example where a user is a member of several user groups. Filtering in this case will use the OR condition for tags.
| User group A tag filter: Host group | User group A tag filter: Tag name | User group A tag filter: Tag value | User group B tag filter: Host group | User group B tag filter: Tag name | User group B tag filter: Tag value | Visible result for a user (member) of both groups |
|---|---|---|---|---|---|---|
| Databases | target | mysql | Databases | target | oracle | target:mysql or target:oracle problems visible |
| Databases | set to: All tags | | Databases | target | oracle | All problems visible |
| Not configured in the Problem tag filter | | | Databases | target | oracle | target:oracle problems visible |
Adding a filter (for example, all tags in a certain host group "Databases") results in not being able to see the problems of other host groups.
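The tag filter rules above (blank value, All tags, OR across user groups) can be checked against the table with a small model. This is an added example, not Zabbix code; the data layout, the function names and exact, case-sensitive tag matching are assumptions.

```python
ALL_TAGS = None  # constructed marker for a filter row set to "All tags"

def row_matches(row, problem):
    """row: (host group, ALL_TAGS or [(tag name, tag value)]); value "" means blank."""
    host_group, tags = row
    if host_group not in problem["host_groups"]:
        return False                      # a filter only covers its own host group
    if tags is ALL_TAGS:
        return True                       # All tags: every problem of the host group
    for name, value in tags:
        for p_name, p_value in problem["tags"]:
            # Blank value matches any problem carrying the tag name.
            if p_name == name and (value == "" or p_value == value):
                return True
    return False

def problem_visible(problem, user_groups):
    """user_groups: {user group name: [filter rows]} for all groups of one user.

    Rows from all groups are combined with OR. Assumption: the user already has
    host permissions, and with no filter rows at all nothing is hidden by tags.
    """
    rows = [row for group_rows in user_groups.values() for row in group_rows]
    if not rows:
        return True
    return any(row_matches(row, problem) for row in rows)

if __name__ == "__main__":
    # Constructed sample problems and the first table row (groups A and B).
    problems = {
        "mysql down": {"host_groups": {"Databases"}, "tags": [("target", "mysql")]},
        "oracle down": {"host_groups": {"Databases"}, "tags": [("target", "oracle")]},
        "backup failed": {"host_groups": {"Databases"}, "tags": [("service", "backup")]},
        "nginx down": {"host_groups": {"Web servers"}, "tags": [("target", "nginx")]},
    }
    groups = {"A": [("Databases", [("target", "mysql")])],
              "B": [("Databases", [("target", "oracle")])]}
    for name, problem in problems.items():
        print(f"{name}: visible={problem_visible(problem, groups)}")
```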
Access from several user groups
A user may belong to any number of user groups. These groups may have different access permissions to hosts or templates.
Therefore, it is important to know what entities an unprivileged user will be able to access as a result. For example, let us consider how access to host X (in Hostgroup 1) will be affected in various situations for a user who is in user groups A and B.
- If Group A has only Read access to Hostgroup 1, but Group B has Read-write access to Hostgroup 1, the user will get Read-write access to 'X'. "Read-write" permissions have precedence over "Read" permissions.
- In the same scenario as above, if 'X' is simultaneously also in Hostgroup 2 that is denied to Group A or B, access to 'X' will be unavailable, despite a Read-write access to Hostgroup 1.
- If Group A has no permissions defined and Group B has a Read-write access to Hostgroup 1, the user will get Read-write access to 'X'.
- If Group A has Deny access to Hostgroup 1 and Group B has Read-write access to Hostgroup 1, access to 'X' will be denied for the user.
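When auditing what an unprivileged user can actually reach, the four scenarios above, together with the earlier "strictest permission" rule for duplicate rows, reduce to a short resolver. This is an added example that models the documented rules, not Zabbix code; the names and data layout are assumptions, and nested host groups are not modelled.

```python
from enum import IntEnum

class Perm(IntEnum):
    NONE = 0         # no permission row for the host group
    READ = 1
    READ_WRITE = 2
    DENY = 3

def strictest(perms):
    """Rows of ONE user group for the same host group collapse to the strictest."""
    return Perm.DENY if Perm.DENY in perms else min(perms)

def effective_permission(host_groups_of_host, user_groups):
    """Resolve a user's access to one host.

    host_groups_of_host: set of host group names the host belongs to.
    user_groups: {user group name: [(host group name, Perm), ...]} for every
    user group the user is a member of (hypothetical layout).
    """
    granted = []
    for rows in user_groups.values():
        per_host_group = {}
        for host_group, perm in rows:
            per_host_group.setdefault(host_group, []).append(perm)
        for host_group, perms in per_host_group.items():
            if host_group in host_groups_of_host:
                granted.append(strictest(perms))
    if Perm.DENY in granted:               # Deny from any user group wins
        return Perm.DENY
    return max(granted, default=Perm.NONE)  # otherwise Read-write beats Read

if __name__ == "__main__":
    # Constructed sample: host X, user in groups A and B, as in the list above.
    scenarios = {
        "A Read, B Read-write": ({"Hostgroup 1"},
            {"A": [("Hostgroup 1", Perm.READ)], "B": [("Hostgroup 1", Perm.READ_WRITE)]}),
        "X also in denied Hostgroup 2": ({"Hostgroup 1", "Hostgroup 2"},
            {"A": [("Hostgroup 1", Perm.READ), ("Hostgroup 2", Perm.DENY)],
             "B": [("Hostgroup 1", Perm.READ_WRITE)]}),
        "A Deny, B Read-write": ({"Hostgroup 1"},
            {"A": [("Hostgroup 1", Perm.DENY)], "B": [("Hostgroup 1", Perm.READ_WRITE)]}),
    }
    for label, (host_groups, groups) in scenarios.items():
        print(f"{label}: {effective_permission(host_groups, groups).name}")
```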
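Other details
- An Admin level user with Read-write access to a host will not be able to link/unlink templates if they have no access to the template group. With Read access to the template group they will be able to link/unlink templates to the host, but will not see the templates in the template list and will not be able to operate with the templates in other places.
- An Admin level user with Read access to a host will not see the host in the host list of the configuration section. However, the host triggers will be accessible in IT service configuration.
- Any non-Super Admin user (including 'guest') can see network maps as long as the map is empty or contains only images. When hosts, host groups or triggers are added to the map, permissions are applied.
- Zabbix server will not send notifications to users defined as action operation recipients if access to the concerned host is explicitly "denied".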