4 Replies Latest reply on Nov 4, 2014 3:19 PM by Thomas Segismont

    Creating a "Monitor" role for all resources?

    Stian Lund Expert

      Hi,

      I need some help creating a role for developers and others to have read-only permission in RHQ for all resources.

      I first created a Monitor Role, giving just Read on Inventory and so on, but apparently this means they still cannot see any resources unless I manually assign resource groups to the role.

      This is something I really don't want to do - as it would mean I would need to constantly update what resources the user should access.

      I know the concept of a Resource Group is supposed to help with assigning only certain resources to users, for instance a project manager. But some, like our "Test Team", need to view all the resources in RHQ.

      So what is the best practice to create a Role that has Read access to all Inventory (servers, platforms, groups) items but not view on security and the like?

      The system seems very flexible, it just does not behave like I would expect it to.

      Stian

        • 1. Re: Creating a "Monitor" role for all resources?
          jay shaughnessy Expert

          Stian,

          You're right, there is no view-all/read-only role built into RHQ.  There is an all-resources role but that is for full ability to do anything other than admin tasks.  At this point in time you have no choice, as far as I know, but to create one all-encompassing group.  Perhaps do this with a recalculating dynagroup that selects all platforms and is recursive.

          A built-in view-all-resources role may be a good RFE, although I'm not sure about the likelihood of it being done, only because it may have too many touch points.  It would take some investigation to see whether there was a quick way to add that feature; I don't think so off the top of my head.

          • 2. Re: Creating a "Monitor" role for all resources?
            Stian Lund Expert

            Thanks for the reply Jay.

            In the end I did the dynagroup workaround by defining groups for all Linux and all AS7. I couldn't figure out how to create a group containing "all" resources. Any pointers? Also, are Dynagroups considered resources so they would be included in "all"?

            One problem with the Dynagroup method is that it does not include groups, and we use groups a lot to logically organize servers into services and environments. So a user with "All Platforms" would not see these organized groups.

            Originally I figured that logically Read on Resources would mean "All resources" but I see now it needs to be done differently. I think a good option would be to have a Global -> View Resources permission for a role. Selecting this would allow the members to view all resources and groups.

            Stian

            • 3. Re: Creating a "Monitor" role for all resources?
              jay shaughnessy Expert

              Stian, that's a good point and a definite weakness in the dynagroup approach.  The user still only has access to groups assigned to his role.  There is no such thing as a "public" group, or something like that, and therefore unless you assign groups manually they won't be seen, including dynagroups.  So, in the end, it's still not a great workaround, it gives you only view to the resources, but none of the organizational help the groups would offer.  Of course group assignment is totally fundamental to the role-based-access-control of RHQ, so what you are looking for would have to be a special case.  Really what you are looking for is a new global permission, like ManageInventory but without the write permissions, truly a ViewInventory permission.

              • 4. Re: Creating a "Monitor" role for all resources?
                Thomas Segismont Expert

                Stian, how about running a CLI script from cron to set up your user/role requirements? It's not ideal of course, as you'll have to wait for the next execution schedule in case your inventory changes.
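
The cron approach suggested in the last reply could look like the sketch below, which is an added example and not code from the thread or from the RHQ project. It assigns every resource group, organizational ones included, to a role assumed to be named Monitor; the manager and criteria calls are written from the RHQ remote API as assumptions and should be checked against the RHQ version in use.

```javascript
// Added example for the RHQ CLI, in ES5 because the CLI runs scripts on Rhino.
// Assumptions: `api` holds the CLI globals RoleManager, ResourceGroupManager,
// RoleCriteria and ResourceGroupCriteria; 'Monitor' is a hypothetical role name.
function syncMonitorRole(api, roleName) {
  var rc = new api.RoleCriteria();
  rc.addFilterName(roleName);
  var roles = api.RoleManager.findRolesByCriteria(rc);
  var role = null;
  for (var i = 0; i < roles.size(); i++) {
    // The name filter may match substrings, so insist on the exact name.
    if (String(roles.get(i).getName()) === roleName) {
      role = roles.get(i);
    }
  }
  if (role === null) {
    throw new Error('role not found: ' + roleName);
  }

  var gc = new api.ResourceGroupCriteria();
  gc.clearPaging(); // assumed to lift the default page size so no group is missed
  var groups = api.ResourceGroupManager.findResourceGroupsByCriteria(gc);
  var ids = [];
  for (var j = 0; j < groups.size(); j++) {
    ids.push(groups.get(j).getId());
  }

  // Assumed to be a no-op for groups the role already has. Only group
  // membership changes here; the role's permissions are not touched.
  if (ids.length > 0) {
    api.RoleManager.addResourceGroupsToRole(role.getId(), ids);
  }
  return ids;
}

// Inside the RHQ CLI the managers and criteria classes exist as globals.
if (typeof RoleManager !== 'undefined') {
  syncMonitorRole({
    RoleManager: RoleManager,
    ResourceGroupManager: ResourceGroupManager,
    RoleCriteria: RoleCriteria,
    ResourceGroupCriteria: ResourceGroupCriteria
  }, 'Monitor');
}
```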