Administration Guide

6. Device Access Control Lists

6.1. About Device Access Control Lists in Zenoss

Note

This feature is available only with Zenoss Enterprise.

The Device Access Control List (ACL) Enterprise ZenPack (ZenDeviceACL) adds fine-grained security controls to Zenoss. For example, this control can be used to give limited access to certain departments within a large organization or limit a customer to see only his own data. A user with limited access to objects also has a more limited view of features within the system. As an example, most global views, such as the network map, event console, and all types of class management, are not available. The Device List is available, as are the device organizers Systems, Groups, and Locations. A limited set of reports can also be accessed.

6.2. Key Elements

Following are key elements of device ACLs.

6.2.1. Permissions and Roles

Actions within Zenoss are assigned permissions. For instance, to access the device edit screen you must have the “Change Device” permission. Permissions are not assigned directly to a user, since this would be difficult to manage. Instead, permissions are granted to roles, which are then assigned to a user. A common example is the ZenUser role in Zenoss Core. Its primary permission is “View,” which grants read-only access to all objects. ZenManagers have additional permissions such as “Change Device,” which grants them access to the device edit screen. The Device ACL ZenPack adds the role ZenRestrictedManager, which allows a more limited set of device edit functions. In Zenoss Core, when you assign a role to a user using the Roles field on the Edit tab, that role is “global,” that is, it is not limited to the user’s administered objects. When creating a restricted user, you may not want to give that user any global role.

6.2.2. Administered Objects

Device ACLs provide limited control over various objects within the system. Administered objects are the device organizers (Groups, Systems, and Locations) and Devices. If access is granted to any device organizer, it flows down to all devices within that organizer. To assign access to objects for a restricted user, you must have the Manager or ZenManager role. Access to objects is granted using the “Administered Objects” tab of a user or user group. To limit access, you must not assign a “global” role to the user or group.

6.2.3. Users and Groups

Users and user groups work exactly as they normally do. See the User Management section of this guide for details on users and groups.

6.2.4. Assigning Administered Object Access

For each user or group there is a tab called “Administered Objects.” The menu has an add item for each type of administered object. Adding an object opens a dialog box with live search on the given type of object. After an object has been added, you can assign it a role. Roles can differ for each object, so a user or group might have ZenUser on a particular device but ZenManager on a location organizer. If multiple roles are granted to a device through direct assignment and organizer assignment, the resulting permissions are additive. In the example above, if the device were within the organizer, the user would inherit the ZenManager role on the device.

6.2.5. Portlet Access Control

Within Zenoss Core, portlet access can be controlled. This is important for Device ACLs.

6.3. Setup and Configuration Examples

Refer to the following examples for setup and configuration steps.

6.3.1. Restricted User with ZenUser Role

  1. As admin or any user account with Manager or ZenManager role, create a user named acltest. Set a password for the user.

  2. From the user’s Edit tab, make sure that no role is assigned.

  3. Select the user’s “Administered Objects” tab.

  4. From the menu, select the “Add Device…” item and add an existing device to that user.

    The device’s role will default to ZenUser.

  5. Log out of your browser, or open a second browser and then log in as acltest.

  6. Click on the “Device List”.

    You should see only the device you assigned to acltest.

  7. Navigate to the device and notice that the Edit tab is not available. This is because you are in read-only mode for this device.

6.3.2. Restricted User with ZenManager Role

Following the example above:

  1. Change the acltest user’s role to “ZenManager” on the device. (You must do this as a user with ZenManager global rights.)

  2. Go back to the acltest user “Administered Objects” tab and set the role on the device to ZenManager.

  3. As acltest, navigate back to the device. You now have access to the Edit tab.

6.3.3. Adding Device Organizers

  1. Go to the Groups root and create a group called “RestrictGroup.”

  2. Go to the acltest user’s Administered Objects tab and add the group to the user.

  3. Logged in as acltest, notice that the Navigation menu now has the Groups item. Groups can be added to a user.

  4. Place a device within this group. As acltest, you should see the device not only within the group but also in the device list.

6.3.4. Restricted User Organizer Management

  1. Give the acltest user ZenManager on your restricted group.

  2. As acltest, you can now add sub-organizers under the restricted group.

6.3.5. Viewing Events

A user in restricted mode does not have access to the global event console. The available events for the user can be seen under his organizers.

6.4. Detailed Restricted Screen Functionality

6.4.1. Dashboard

By default, the dashboard is configured with only three portlets:

  • Object Watch List

  • Device Issues

  • Production State

These have content that will be restricted to objects for a given user.

6.4.2. Device List

For a restricted user, the device list is automatically filtered to the devices that user can access. There are no menu items available.

6.4.3. Device Organizers

Device organizers control groups of devices for a restricted user. Every device added to the group will be accessible to the user. Permissions will be inherited down multiple tiers of a device organizer.
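The role resolution described in 6.2.4 (one role per administered object, direct and organizer grants combined additively) and the multi-tier inheritance in 6.4.3, as an added toy model that is not Zenoss code; the role-to-permission table, organizer paths and device names are assumptions, and the scenario at the bottom mirrors the acltest walkthrough in 6.3.

```python
# Added example (not Zenoss code): a toy model of this chapter's ACL semantics:
# one role per administered object, organizer-to-device inheritance across tiers,
# additive permissions, and the effect of a global role. Names are assumptions.

ROLE_PERMS = {  # assumed mapping of roles to the permissions they grant
    "ZenUser": {"View"},
    "ZenRestrictedManager": {"View", "Change Device"},
    "ZenManager": {"View", "Change Device", "Manage DMD"},
}

ORG_PARENT = {  # constructed organizer tree: child organizer -> parent organizer
    "/Groups/RestrictGroup/Tier2": "/Groups/RestrictGroup",
    "/Groups/RestrictGroup": "/Groups",
}
DEVICE_ORGS = {  # constructed membership: device -> organizers it belongs to
    "server1": ["/Groups/RestrictGroup/Tier2"],
    "server2": ["/Groups/Other"],
}

def ancestors(org):
    """Yield an organizer and every organizer above it (multi-tier inheritance)."""
    while org:
        yield org
        org = ORG_PARENT.get(org)

def effective_roles(administered, device):
    """Roles granted directly on the device plus any inherited from its organizers."""
    roles = set()
    if device in administered:
        roles.add(administered[device])
    for org in DEVICE_ORGS.get(device, ()):
        for anc in ancestors(org):
            if anc in administered:
                roles.add(administered[anc])
    return roles

def has_permission(user, device, perm):
    """A global role applies everywhere; otherwise permissions are the union over effective roles."""
    if any(perm in ROLE_PERMS[r] for r in user["global_roles"]):
        return True
    return any(perm in ROLE_PERMS[r] for r in effective_roles(user["administered"], device))

def visible_devices(user):
    """What the Device List shows: every device the user holds View on."""
    return sorted(d for d in DEVICE_ORGS if has_permission(user, d, "View"))

# Scenario from 6.3: ZenUser directly on server1, ZenManager on RestrictGroup.
acltest = {"global_roles": [],
           "administered": {"server1": "ZenUser", "/Groups/RestrictGroup": "ZenManager"}}
```

Because server1 sits two tiers below RestrictGroup, acltest ends up with both ZenUser and ZenManager on it and gains “Change Device”; giving the same user a global ZenUser role instead makes every device visible, which is why 6.2.2 says a restricted user must have no global role.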

6.4.4. Reporting

Reports are limited to device reports and performance reports.