Access control list
Access control lists (ACLs) limit users' access to the Centreon web interface through a set of rules. ACLs are also used to create multiple user profiles, each focused on a precise set of resources.
Note
The management of access checks is a function specific to Centreon; exporting the configuration to the monitoring engine is not necessary to enable them.
Access groups are groups containing the Centreon users. For each access group, it is possible to define three types of access:
Access filters to resources serve to limit access to Centreon objects (hosts, services, etc.)
Access filters to menus serve to limit access to Centreon menus
Access filters on actions serve to limit access to actions that the user can undertake on a monitoring engine or on the resources themselves (program a downtime, stop a monitoring engine, etc.)
Note
A user can belong to several access groups, in which case the access authorizations of all those groups are added together.
The ACLs respect very strict rules:
Centreon administrators are not subject to ACLs (property of the contact).
A user (non-administrator) who does not belong to any access group has no rights on the monitoring platform (the screen is empty after logging in).
The ACLs are recalculated every minute; this is why it is sometimes necessary to wait a few seconds before seeing a change applied to the profile.
Note
Installing additional Centreon modules can make further filters available for the access groups. For example, the Centreon BI, BAM and MAP modules can be subjected to filters.
Access groups
To add an access group:
Go into the menu: Administration ==> ACL
Click on Add
General information
The Group Name and Alias fields define the name and the alias of the group
The Linked Contacts list can be used to link contacts to the access group
The Linked Contact Groups list can be used to link groups of contacts to the access group
The Status field can be used to enable or disable the access group
Note
The contact groups can be groups coming from the LDAP directory connected to the Centreon interface.
Groups created in the Centreon interface should not have the same name as LDAP groups, to avoid problems.
Authorizations information
The lists presented in this tab can be used to link the various types of access already created to the access group.
Resources Access
The access filters for the resources serve to limit the viewing of objects (hosts, host groups, services and service groups) to a user profile.
To add a resources access filter:
Go into the menu: Administration ==> ACL
In the left menu, click on Resources Access
Click on Add
Note
Once the filters on the resources are set, you can view the result via the menu Check User View, next to the Add option.
General information
The Access list name and Description fields define the name and the description of the filter
The Linked groups list can be used to link access groups to this resource filter
The Status and Comments fields serve to enable / disable the filter and to comment on it
Hosts Resources
The Hosts Resources tab enables us to add:
Hosts
Host groups
If the Include all hosts or Include all hostgroups box is checked, all newly created objects will be added to the filter automatically.
Note
It is possible to explicitly exclude hosts from the filter (useful in cases where only 1 or 2 hosts must not be part of the filter) if the Include all hosts or Include all hostgroups options are checked.
Services Resources
The Services Resources tab can be used to add service groups to the filter.
Meta Services
The Meta-Services tab can be used to add meta-services to the filter.
Filters
The Poller Filter list can be used to select the hosts according to monitoring poller (if none is selected all the pollers are taken into account)
The Host Category Filter list can be used to filter the hosts by category
The Service Category Filter list can be used to filter the services by category
Warning
The filters by poller or by category of object are inclusion filters (UNION). Only the objects belonging to these filters in addition to groups of objects (hosts and services) will be visible.
Actions Access
Filters on actions enable us to limit access to the actions that can be performed on resources (hosts and services) and on monitoring engines (stopping notifications, restarting the scheduler, etc.).
To add an access filter to the actions:
Go into the menu: Administration ==> ACL
In the left menu, click on Actions Access
Click on Add
The Action Name and Description fields contain the name of the filter and its description
The Linked Groups list serves to associate an access group to the filter
The table below describes the general access functionalities:
Field | Associated actions |
---|---|
Display Top Counter | The monitoring overview will be displayed at the top of all pages |
Display Top Counter pollers statistics | The monitoring poller status overview will be displayed at the top of all pages |
Display Poller Listing | The poller filter will be available to users in the monitoring consoles |
The table below describes all the actions that can be authorized on the scheduler:
Field | Associated actions |
---|---|
Shutdown Monitoring Engine | Allows users to stop the monitoring systems |
Restart Monitoring Engine | Allows users to restart the monitoring systems |
Enable/Disable notifications | Allows users to enable or disable notifications |
Enable/Disable service checks | Allows users to enable or disable service checks |
Enable/Disable passive service checks | Allows users to enable or disable passive service checks |
Enable/Disable passive host checks | Allows users to enable or disable passive host checks |
Enable/Disable Event Handlers | Allows users to enable or disable event handlers |
Enable/Disable Flap Detection | Allows users to enable or disable flap detection |
Enable/Disable Obsessive service checks | Allows users to enable or disable obsessive service checks |
Enable/Disable Obsessive host checks | Allows users to enable or disable obsessive host checks |
Enable/Disable Performance Data | Allows users to enable or disable performance data processing |
The table below describes all the actions that can be authorized on services:
Field | Associated actions |
---|---|
Enable/Disable Checks for a service | Allows users to enable or disable checks of a service |
Enable/Disable Notifications for a service | Allows users to enable or disable notifications of a service |
Acknowledge a service | Allows users to acknowledge a service |
Re-schedule the next check for a service | Allows users to re-schedule the next check of a service |
Re-schedule the next check for a service (Forced) | Allows users to re-schedule the next check of a service by placing its priority to the top |
Schedule downtime for a service | Allows users to schedule downtime on a service |
Add/Delete a comment for a service | Allows users to add or delete a comment of a service |
Enable/Disable Event Handler for a service | Allows users to enable or disable the event handler processing of a service |
Enable/Disable Flap Detection for a service | Allows users to enable or disable flap detection of a service |
Enable/Disable passive checks of a service | Allows users to enable or disable passive checks of a service |
Submit result for a service | Allows users to submit a result to a service |
 | Allows the display of the executed command for a service |
The table below describes all the actions that can be authorized on hosts:
Field | Associated actions |
---|---|
Enable/Disable Checks for a host | Allows users to enable or disable checks of a host |
Enable/Disable Notifications for a host | Allows users to enable or disable notifications of a host |
Acknowledge a host | Allows users to acknowledge a host |
Disacknowledge a host | Allows users to disacknowledge a host |
Schedule the check for a host | Allows users to re-schedule the next check of a host |
Schedule the check for a host (Forced) | Allows users to re-schedule the next check of a host by placing its priority to the top |
Schedule downtime for a host | Allows users to schedule downtime on a host |
Add/Delete a comment for a host | Allows users to add or delete a comment of a host |
Enable/Disable Event Handler for a host | Allows users to enable or disable the event handler processing of a host |
Enable/Disable Flap Detection for a host | Allows users to enable or disable flap detection of a host |
Enable/Disable Checks services of a host | Allows users to enable or disable all service checks of a host |
Enable/Disable Notifications services of a host | Allows users to enable or disable service notifications of a host |
Submit result for a host | Allows users to submit a result to a host |
The Status field is used to enable or disable the filter
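The rules stated at the top of this page, applied to action names from the tables above, as an added example: a model for reviewing who ends up with which rights, not Centreon's own code. The users, groups and filters are constructed sample data, contact groups are left out, and treating a disabled group or filter as contributing nothing is an assumption.

```python
# Added example: models the ACL rules described on this page.
# All user, group and filter names are constructed sample data.
ENGINE_CONTROL = {"Shutdown Monitoring Engine", "Restart Monitoring Engine"}

USERS = {  # user -> is a Centreon administrator (property of the contact)
    "alice": True, "bob": False, "carol": False, "dave": False,
}
ACCESS_GROUPS = {  # access group -> status, linked contacts, linked action filters
    "noc":      {"enabled": True,  "contacts": {"bob", "carol"}, "actions": {"ack"}},
    "platform": {"enabled": True,  "contacts": {"carol"},        "actions": {"engine"}},
    "legacy":   {"enabled": False, "contacts": {"dave"},         "actions": {"engine"}},
}
ACTION_FILTERS = {  # actions access filter -> status, authorized actions
    "ack":    {"enabled": True, "allow": {"Acknowledge a host", "Acknowledge a service"}},
    "engine": {"enabled": True, "allow": set(ENGINE_CONTROL)},
}

def active_groups(user):
    """Enabled access groups the user is directly linked to."""
    return [g for g in ACCESS_GROUPS.values()
            if g["enabled"] and user in g["contacts"]]

def effective_actions(user):
    """None for administrators (not subject to ACLs); otherwise the union of
    the actions granted by every active group through enabled filters."""
    if USERS[user]:
        return None
    allowed = set()
    for group in active_groups(user):
        for name in group["actions"]:
            # Assumption: a disabled filter contributes nothing.
            if ACTION_FILTERS[name]["enabled"]:
                allowed |= ACTION_FILTERS[name]["allow"]
    return allowed

def audit():
    """Return the accounts worth a least-privilege review, with the reason."""
    findings = {}
    for user in sorted(USERS):
        actions = effective_actions(user)
        if actions is None:
            findings[user] = "administrator: ACLs do not apply"
        elif not active_groups(user):
            findings[user] = "no active access group: empty screen after login"
        elif actions & ENGINE_CONTROL:
            risky = ", ".join(sorted(actions & ENGINE_CONTROL))
            findings[user] = "can control the engine: " + risky
    return findings

if __name__ == "__main__":
    for user, reason in audit().items():
        print(f"{user}: {reason}")
```

In the sample data, carol only receives engine control because she belongs to two access groups, which is the case a per-group review misses.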
Reload ACL
It is possible to reload the ACLs manually:
Go into the menu: Administration ==> ACL
In the left menu, click on Reload ACL
Select the user(s) whose ACL you want to reload
In the More actions menu, click on Reload ACL