Hey Matthias.

> On 18.08.2015 at 17:45, Matthias Jentsch <[email protected]> wrote:
>
> what you can do is create a role that imposes a very strict filter on
> all users and groups and just make sure that any new user is a member of
> it. As described in the chapter about stacking different filters (
> https://github.com/Icinga/icingaweb2/blob/master/doc/security.md#stacking-filters
> ), additional filters can be used to give the permissions back to
> certain users or user groups.

I can see that this behavior makes sense from an "easy access" point of view. It does not, however, from a security point. We are authenticating against Active Directory, for example, with some thousand users in AD. AD is managed by another team, but I would like to have that "anybody" isn't able to see any host or service in icingaweb2, only when a role is (locally) assigned to the account. I can't see a way to define a role that does not depend on AD group membership and will restrict the access to all objects.

Furthermore, roles are additive: when a user has more than one role assigned, the permissions of the roles are added. In my eyes it's more intuitive when starting with no permissions at all.

Just my two €-Cent ...

Regards
—
Jan Dreyer
IT Administrator — Operations — A-SCM-IT IOX Expert
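
A simplified model of the semantics discussed in this thread, added here as an example; it is not part of the original messages and not Icinga Web 2 code. It assumes, as the thread describes, that a user without any role sees every object and that filters from several roles are OR-ed together; the role names, host names, users and function names are hypothetical.

```python
from fnmatch import fnmatchcase

# Constructed sample data: host names, role names and members are hypothetical.
HOSTS = ["web01", "web02", "db01", "mail01"]

ROLES = {
    # Catch-all role whose filter matches no host (the "very strict filter").
    "lockdown": {"members": {"alice", "bob"}, "host_filter": "no-such-host"},
    # Stacked role that gives the web hosts back to alice.
    "web-admins": {"members": {"alice"}, "host_filter": "web*"},
}


def visible_hosts(user, roles=ROLES, hosts=HOSTS, default_deny=False):
    """Return the hosts a user may see when role filters are additive."""
    filters = [r["host_filter"] for r in roles.values() if user in r["members"]]
    if not filters:
        # No role assigned: the model under discussion applies no filter at
        # all, while a default-deny design would show nothing.
        return [] if default_deny else list(hosts)
    # Additive roles: a host is visible if ANY of the user's filters match.
    return [h for h in hosts if any(fnmatchcase(h, f) for f in filters)]


def unrestricted_users(directory_users, roles=ROLES):
    """Audit helper: directory accounts that no role covers."""
    covered = set().union(*(r["members"] for r in roles.values()))
    return sorted(set(directory_users) - covered)


if __name__ == "__main__":
    # "carol" stands for a directory account nobody added to the lockdown role.
    for user in ("alice", "bob", "carol"):
        print(user, visible_hosts(user), visible_hosts(user, default_deny=True))
    print("not covered by any role:", unrestricted_users(["alice", "bob", "carol"]))
```

The audit helper reflects the operational cost of the catch-all workaround: every account the directory team creates has to be compared against role membership, because an account that is missed falls through to full visibility.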
