Actions within Zenoss are assigned permissions. For instance, to access the device edit screen you must have the “Change Device” permission. Permissions are not assigned directly to a user, since this would be difficult to manage. Instead, permissions are granted to roles, which are then assigned to a user. A common example is the ZenUser role in Zenoss Core. Its primary permission is “View,” which grants read-only access to all objects. ZenManagers have additional permissions such as “Change Device,” which grants them access to the device edit screen. In Zenoss Core, when you assign a role to a user using the Roles field on the Edit tab, it is “global.” When creating a restricted user, you may not want to give that user any global role.
Device ACLs provide limited control to various objects within the system. Administered objects are the device organizers (Groups, Systems, and Locations) and Devices. If access is granted to any device organizer, it flows down to all devices within that organizer. To assign access to objects for a restricted user, you must have the Manager or ZenManager role. Access to objects is granted using the “Administered Objects” tab of a user or user group. To limit access, you must not assign a “global” role to the user or group.
Users and user groups work exactly as they would normally. See the User Management section of the Administrator's guide for managing users and groups.
For each user or group there is a tab called “Administered Objects.” The menu has an add item for each type of administered object. Adding an object will pull up a dialog box with live search on the given type of object. After an object has been added, you can assign it a role. Roles can be different for each object, so a user or group might have ZenUser on a particular device but ZenManager on a location organizer. If multiple roles are granted to a device through direct assignment and organizer assignment, the resulting permissions will be additive. In the example above, if the device was within the organizer, the user would inherit the ZenManager role on the device.
By default, the dashboard is configured with only three portlets:
Object Watch List
Device Issues
Production State
The content of these portlets is restricted to the objects a given user can access.
For a restricted user, the device list is automatically filtered to the devices that user can access. There are no menu items available.
Device organizers control groups of devices for a restricted user. Every device added to the group will be accessible to the user. Permissions will be inherited down multiple tiers of a device organizer.
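The additive resolution described above (direct assignment plus organizer assignment, inherited down multiple tiers) can be checked with a small model when auditing what a restricted user effectively receives. This is an added example, not Zenoss code: the device names, organizer paths and assignments are constructed, and each role contains only the permissions this page names.

```python
# Simplified model of additive Device ACL resolution; not Zenoss code.
# Role contents are limited to the permissions named in the text.
ROLE_PERMISSIONS = {
    "ZenUser": {"View"},
    "ZenManager": {"View", "Change Device"},
}

# Constructed sample data: device -> organizer paths it belongs to.
DEVICE_ORGANIZERS = {
    "web01": ["/Locations/EU/Berlin", "/Groups/Web"],
    "db01": ["/Locations/EU/Paris"],
    "lab01": ["/Locations/US/Austin"],
}

# Constructed "Administered Objects" entries for one restricted user
# (no global role assigned): administered object -> role.
ADMINISTERED = {
    "web01": "ZenUser",             # direct assignment on the device
    "/Locations/EU": "ZenManager",  # organizer two tiers above the devices
}

def covers(organizer, path):
    """True if path is the organizer itself or nested anywhere below it."""
    return path == organizer or path.startswith(organizer.rstrip("/") + "/")

def effective_roles(device, administered, device_organizers):
    """Collect roles from direct and organizer assignments (additive)."""
    roles = set()
    for obj, role in administered.items():
        if obj == device:
            roles.add(role)
        elif any(covers(obj, p) for p in device_organizers.get(device, [])):
            roles.add(role)
    return roles

def effective_permissions(device, administered, device_organizers):
    """Union of the permissions of every role that applies to the device."""
    perms = set()
    for role in effective_roles(device, administered, device_organizers):
        perms |= ROLE_PERMISSIONS[role]
    return perms

def visible_devices(administered, device_organizers):
    """Devices that would remain in the restricted user's filtered device list."""
    return sorted(d for d in device_organizers
                  if "View" in effective_permissions(d, administered, device_organizers))

if __name__ == "__main__":
    for dev in DEVICE_ORGANIZERS:
        print(dev, sorted(effective_permissions(dev, ADMINISTERED, DEVICE_ORGANIZERS)))
```

An audit of this kind makes visible that a read-only direct assignment does not cap access: `web01` is assigned ZenUser directly but ends up with “Change Device” through the organizer above it.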