This blogpost is a followup to the blogpost Icinga Web permissions and restrictions (how do they work, examples). In Icinga web 2 version 2.9, there are two cool updates to Permissions and Restrictions, namely Role Inheritance and Permission Refusal as explained by Johannes in Web Access Control Redefined and also in https://icinga.com/docs/icinga-web-2/latest/doc/06-Security/. These two additions provide flexibility to manage web access control.
Requirement: Icinga Web2 version 2.9
In this blogpost I will illustrate these two additions in Icinga Web 2 Application.
Role inheritance allows us to inherit permissions and restrictions for modules from another role which is similar to the new role, but with few changes required. This is illustrated in this section.
- Login to Icinga Web 2 with admin credentials.
- Go to Configuration->Access Control->Users. Create users dave, jdoe and raj.
- Now, navigate to Configuration->Access Control->Roles.
- Create a new role monitoring-view-berlin, with basic monitoring permissions and host location restricted to Berlin. And add dave to this role.
Create one more role monitoring-support-berlin, inheriting the role monitoring-view-berlin and some additional important permissions for monitoring support. Add jdoe to this role.
Now, if you login with dave’s credentials you will be only able to view the monitored hosts and services with host location Berlin.
But if you login with jdoe’s credentials you will be also have additional permissions but the host location will still be restricted to Berlin as this role is inherited from monitoring-view-berlin.
Permission refusal is nothing but refusing permissions to a role. For example, say there are users with role to support monitoring. And now I need a user with a role to support monitoring, but does not want him to add comments to hosts or services. All I need to do is inherit the role configured to support monitoring and deny the permission to add comments to hosts or services. This is illustrated in this section.
Now create one more role, monitoring-no-comment-berlin; inheriting monitoring-support-berlin but permission to comment is denied. Add raj to this role.
Now login with raj’s credentials to verify his role. You will be able to see, that raj has no permission to add comments to hosts and services.
So, that’s it! Simple but a lot effective. Read the updated documentation to learn how to configure permission refusals in configuration file and more.