ACL Enterprise System


Introduction

The Open Source ACL model follows the Unix style: role/action/group/user (4 items).

Enterprise Version. The Enterprise ACL system lets you define, per profile, which pages (defined one by one or by “groups”) users have access to. This lets you redefine which sections of the interface a user can see. For example, you can allow a user to view only the Group view and the Detailed agent view, skipping pages such as Alert view or Monitor view, which the classic Pandora FMS ACL system already groups under AR (Agent Read privileges).

Superadmin users are exempt from ACL control; all other users are bound by the ACL, even if they have the Pandora Administrator profile (Pandora FMS Administrator) assigned.

This functionality allows you to restrict the administration by pages. It is very useful to allow some specific low-level operations.

Both models are parallel and compatible. The classic ACL system is complementary to, and is evaluated before, the ACL Enterprise system.

Settings

Enterprise Version. To use the ACL Enterprise system, first activate it in the configuration tab. This option is only visible if you are using the Enterprise version: Management menu → Setup → Setup → Enterprise, enable Use Enterprise ACL System → click the Update button.

To configure the ACL Enterprise system, go to Management → Profiles → Enterprise ACL Setup. On this screen you can add new items to the ACL Enterprise system and see the items defined for each profile. You can also delete items from the ACL Enterprise system.

If the ACL Enterprise system is activated, ALL groups (Administrator included) are restricted to the pages defined (allowed) in the ACL Enterprise system. If a user with the Administrator profile has no pages included in the ACL Enterprise system, they will not be able to see anything.

Please be careful with this because you may lose access to the console if you activate the wrong ACL Enterprise configuration for your user.

If you have inadvertently lost access to the Console, you can deactivate the ACL Enterprise system from the command line:

/usr/share/pandora_server/util/pandora_manage.pl /etc/pandora_server.conf --disable_eacl

Operation

There are two ways to add pages to a profile: with the wizard (default) or with the custom edition. For this there is a button next to the Add button that toggles between Wizard and Custom.

Wizard

With the wizard you choose the sections and pages from drop-down list controls.

  • The pages that appear in these dropdown lists are only those accessible from the menu. To give access to pages that are otherwise accessed (for example, the main agent view) you must use the custom editor.
  • All menu options are displayed, regardless of whether the selected profile has access to them. Adding a menu option to which a profile does not have access will not cause that item to appear in the menu.
  • The default profile in the drop-down list under User profile is always Chief Operator; always change it before adding a permission for another profile.

To include a Pandora FMS page in the “allowed pages”, select the profile to which the rule will apply, then select in the Section control the section that contains the desired page. At that point you can select any of its pages in the Section 2 control, and Section 3 works the same way.

Another option is to select a section and the value All in the Section control. This will allow the chosen profile to see “everything” of the chosen section. Also selecting All on both controls will allow users of that profile to see “all” of “all” sections, just as they would without the ACL Enterprise System for that profile.

Moving the pointer over any of the items will display the corresponding delete button.

For a section to be displayed in the menu, the user must have access to at least the first page of the section.

Custom Edition

To add single pages that are not accessible from the menu, you can manually enter the corresponding sec2. To do this, open the page to be added and copy its sec2 parameter (Section 2).

For example, to add the main view of the agents, you enter the view of any agent and you will find a URL similar to this:

http://localhost/pandora/index.php?sec=estado&sec2=operation/agentes/ver_agente&id_agente=7702

Enter the content of the sec2 parameter (operation/agentes/ver_agente) in the Section 2 text box.

For a “drop” page the user will need the URL; otherwise, permission must be granted to the corresponding menu. In the image of the previous example, the Operator (read) profile was given access to Monitoring (Section), Views (Section 2), Agent detail (Section 3).

Security

Any page that is restricted will not be displayed in the menu and cannot be used, even when the user enters the URL manually.

Any page not allowed by the “Classic” ACL system of Pandora FMS will not be allowed by the ACL Enterprise system (this is valid for the classic ACL system).

In addition, a control checks whether a page belongs to its section, which strengthens security against manual modification of the URL. To optimize loading, this check is skipped for pages added with the custom editor and for pages in a section to which access has been granted in its entirety.
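The rules stated on this page (superadmin exemption, classic ACL evaluated first, All wildcards, custom sec2 entries, default deny) can be modelled to review a rule set before enabling the feature. This is an added example, not Pandora FMS code; the rule layout, profile assignments and the operation/example/view page are constructed assumptions.

```python
from urllib.parse import urlsplit, parse_qs

ALL = "All"  # wildcard value offered by the wizard controls

# Constructed sample rules: profile -> list of (section, section 2).
# section=None marks a page added with the custom editor (sec2 only).
RULES = {
    "Operator (read)": [("estado", "operation/example/view"),
                        (None, "operation/agentes/ver_agente")],
    "Chief Operator": [("estado", ALL)],
    "Pandora Administrator": [],  # no pages defined: sees nothing
}

def parse_page(url):
    """Return the (sec, sec2) pair a console URL asks for."""
    q = parse_qs(urlsplit(url).query)
    return q.get("sec", [""])[0], q.get("sec2", [""])[0]

def is_allowed(profile, url, rules, superadmin=False, classic_ok=True):
    """Model of the decision order described on this page."""
    if superadmin:        # superadmins are exempt from ACL control
        return True
    if not classic_ok:    # classic ACL is evaluated first and can deny
        return False
    sec, sec2 = parse_page(url)
    for r_sec, r_sec2 in rules.get(profile, []):
        if r_sec is None:                    # custom entry: sec2 match only
            if r_sec2 == sec2:
                return True
        elif r_sec == ALL and r_sec2 == ALL:  # "all" of "all" sections
            return True
        elif r_sec == sec and r_sec2 in (ALL, sec2):
            return True                      # page must sit in its section
    return False          # default deny: page not listed for this profile

def locked_out(rules):
    """Profiles that would see nothing once Enterprise ACL is enabled."""
    return sorted(p for p, r in rules.items() if not r)
```

Running locked_out() over the planned rules before enabling Use Enterprise ACL System shows which profiles would lose the console entirely.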

You can check at any time the pages allowed for each profile using Filter by profile and then clicking the Filter button:

In order for users to be able to change their own user data, they must be granted access to Profile | Configure user | All.