ACL Enterprise System
We are working on the translation of the Pandora FMS documentation. Sorry for any inconvenience.
Introduction
The Open Source ACL model is based on unix style:
role/action/group/user
(4 items).
The Enterprise ACL system allows defining -according to profile- which pages (defined one by one or by “groups”) have access users. This will allow you to redefine which sections of the interface a user can see. For example, allowing a user to view only the Group view and the Detailed agent view, skipping pages such as Alert view or Monitor view, already grouped in the system classic Pandora FMS ACL as AR
(Agent Read Privileges).
superadmin are exempt from ACL control, other users are bound by ACL, even if they have the Pandora Administrator profile (Pandora FMS Administrator ) assigned.
This functionality allows you to restrict the administration by pages. It is very useful to allow some specific low-level operations.
Both models are parallel and compatible. The classic ACL system is complementary to, and is evaluated before, the ACL Enterprise system.
Settings
In order to use the ACL Enterprise system, the first thing to do is to activate it in the configuration tab. This option is only visible if you are using the Enterprise version: Management menu → Setup → Setup → Enterprise, enable Use Enterprise ACL System → click Update button.
To configure the Enterprise ACL Enterprise system: Management → Profiles → Enterprise ACL Setup. In this screen you can add new items in the ACL System and see the items defined by profile. You can also delete items from the ACL Enterprise system.
If the ACL Enterprise system is activated, ALL pages to ALL groups (Administrator included) are restricted to all pages defined (allowed) in the ACL Enterprise system. If a user with the Administrator profile does not have pages included in the ACL Enterprise system, they will not be able to see anything.
Please be careful with this because you may lose access to the console if you activate the wrong ACL Enterprise configuration for your user.
If you have inadvertently lost access to the Console, you can deactivate the ACL Enterprise system from the command line:
/usr/share/pandora_server/util/pandora_manage.pl /etc/pandora_server.conf --disable_eacl
Operation
There are two ways to add pages to a profile: with the wizard (default) or with the custom edition. For this there is a button next to the Add button that toggles between Wizard and Custom.
Wizard
With the wizard you will choose the sections and pages of some drop-down list controls.
- The pages that appear in these dropdown lists are only those accessible from the menu. To give access to pages that are otherwise accessed (for example, the main agent view) you must use the custom editor.
- All menu options are displayed, regardless of whether the selected profile has access to them. Adding a menu option to which a profile does not have access will not cause that item to appear in the menu.
- Always the default profile in the drop down list under User profile is
Chief Operator
, this should always be changed before adding permission to another profile.
To include a Pandora FMS page in the “allowed pages”, you must select the profile to which the rule will be applied, then select in the Section control the section that contains the desired page. At that time, you will be able to select in the Section 2 control any of your pages and it works the same way for Section 3.
Another option is to select a section and the value All in the Section control. This will allow the chosen profile to see “everything” of the chosen section. Also selecting All on both controls will allow users of that profile to see “all” of “all” sections, just as they would without the ACL Enterprise System for that profile.
Moving the pointer over any of the items will display the corresponding delete button.
For a section to be displayed in the menu, the user must have access to at least the first page of the section.
Custom Edition
To add single pages that are not accessible from the menu you can manually enter the corresponding sec2. To do this, the page to be added is accessed and the parameter is copied.other Section 2.
For example, to add the main view of the agents, you enter the view of any agent and you will find a URL similar to this:
http://localhost/pandora/index.php?sec=estado&sec2=operation/agentes/ver_agente&id_agente=7702
Enter the content of the sec2 parameter (operation/agents/ver_agent
) in the Section 2 text box.
For a “drop” page the user will need the URL, otherwise permission must be granted to the corresponding menu. In the image of the previous example, the Operator (read) profile was added access to Monitoring (Section), Views (Section 2), Agent detail (Section 3).
Security
Any page that is limited will not be displayed in the menu and will not be allowed to be used, even when the user puts the URL in “manual” mode.
Any page not allowed by the “Classic” ACL system of Pandora FMS will not be allowed by the ACL Enterprise system (this is valid for the classic ACL system).
In addition, there is a control that checks if a page belongs to a section, which reinforces the security against manual modifications of the URL. This check will skip pages added with the custom editor, as well as access to each page in an entire section that is allowed access, thus optimizing loading.
You can check at any time the pages allowed for each profile using Filter by profile and then clicking the Filter button:
In order for users to be able to change their own user data, they must be granted access to Profile | Configure user | All .