Advanced ACL System
Introduction
The ACL model is based on Unix® style:
role/action/group/user (4 items).
The ACL Advanced system allows defining, per profile, which pages (specified individually or by “groups”) users have access to. This makes it possible to redefine which interface sections a user can see.
The superadmins are exempt from ACL control; other users are bound by ACL, even if they have the Pandora Administrator (Pandora FMS Administrator) profile assigned.
This functionality allows restricting administration by pages. It is very useful for allowing some specific low-level operations.
Both models are parallel and compatible. The classic ACL system is complementary and is evaluated before the ACL Advanced system.
Configuration
In order to use the ACL Advanced system, the first step is to activate it in the configuration tab:
Nodes:
Menu Management → Settings → System Settings → General Setup → Features → Use Advanced ACL System, activate and then click the Update button.
Command Center:
Menu Setup → Metasetup → Use Advanced ACL System, activate and then click the Update button.
In Command Center, and each of the nodes, the use and configuration of the ACL Advanced system is completely independent of each other.
To configure the ACL Advanced system:
Nodes:
Menu Management → Profiles → Advanced ACL Setup.
Command Center:
Menu Centralised → Management → Advanced ACL Setup.
In this screen, you can add new elements and see the items already defined by profile. You can also delete items from the ACL Advanced system.
If the ACL Advanced system is activated, ALL profiles (including Administrator) are restricted to only the pages defined (allowed) in the ACL Advanced system. If a user with the Administrator profile has no pages included in the ACL Advanced system, they will not be able to see anything either.
Special care must be taken with this because you may lose access to the console if you activate an inappropriate ACL Advanced configuration for your own user.
If Web Console access has been lost by mistake, you can deactivate the ACL Advanced system from the PFMS command line with the disable_eacl instruction.
Operation
There are two modes to add pages to a profile: with the wizard (by default) or with custom edition. To do this, there is a button next to the Add button that toggles between Wizard and Custom.
Wizard
With the wizard, sections and pages will be chosen from dropdown list controls.
- The pages that appear in these dropdown lists are only those accessible from the menu. To give access to pages accessed in another way (for example, the main agent view), the custom editor must be used.
- All menu options are shown, regardless of whether the selected profile has access to them. Adding a menu option to which a profile does not have access will not make that item appear in the menu.
- The default profile in the User profile dropdown list is always Chief Operator, and it must be changed before adding permissions to another profile.
To include a Pandora FMS page in the “allowed pages”, select the profile to which the rule will apply, then select in the Section control the section containing the desired page. You can then select any of its pages in the Section 2 control, and Section 3 works the same way.
Another option is to select a section and the All value in the Section control. This will allow the chosen profile to see “everything” in the chosen section. Similarly, selecting All in both controls will allow users of that profile to see “everything” in “all” sections, just as it would be without the ACL Advanced system for that profile.
When moving the pointer over any of the items, the corresponding delete button will be displayed.
For a section to be displayed in the menu, the user must have access to at least the first page of the section.
Custom edition
To add individual pages that are not accessible from the menu, you can manually enter the corresponding sec2 value. To do this, open the page to be added and copy the sec2 parameter from its URL into the Section 2 field.
For example, to add the main view of agents, go into the view of any agent and you will find a URL similar to this:
…/index.php?sec=estado&sec2=operation/agentes/ver_agente&id_agente=7702
Enter the content of the sec2 parameter (operation/agentes/ver_agente) in the Section 2 text box.
For an “individual” page, the user will need the URL; otherwise, permission must be granted to the corresponding menu. In the previous example image, the Operator (read) profile was granted access to Monitoring (Section), Views (Section 2), Agent detail (Section 3).
Security
Any page that is limited will not be shown in the menu and its use will not be allowed, even if the user enters the URL “manually”.
Any page not allowed by the “Classic” Pandora FMS ACL system will not be allowed by the ACL Advanced system either, since the classic system is evaluated first (this applies to all classic ACL checks).
Additionally, a control checks whether a page really belongs to the section given in the URL, which reinforces security against manual URL modifications. This check is skipped for pages added with the custom editor and for the pages of a full section to which access has been granted, which reduces the load.
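As an added illustration (not Pandora FMS code), the following Python models the decision order described on this page: superadmins are exempt, the classic ACL is evaluated first, then the advanced rules with their All wildcards, custom-editor entries that skip the section-membership check, and the menu rule that a section is shown only when its first page is accessible. Apart from sec=estado and operation/agentes/ver_agente, which come from the example URL above, every section identifier, page path, rule set and classic-ACL denial below is a constructed assumption.

```python
"""Constructed model of the Pandora FMS access decision: classic ACL, then advanced ACL."""
from urllib.parse import urlparse, parse_qs

ALL = "All"
ADVANCED_ACL_ENABLED = True  # the "Use Advanced ACL System" switch

# Constructed menu map: sec -> ordered list of sec2 pages reachable from that menu section.
# Identifiers are placeholders except sec=estado (from the page's example URL).
MENU = {
    "estado": ["operation/agentes/estado_agente", "operation/agentes/tactical"],
    "workspace": ["operation/users/user_edit", "operation/messages/message_list"],
}

# Constructed advanced ACL rules: profile, sec, sec2 (ALL is a wildcard).
# "custom" marks entries typed into the custom editor: they carry only a sec2 path
# and bypass the section-membership check.
ADVANCED_RULES = [
    {"profile": "Operator (read)", "sec": "estado", "sec2": "operation/agentes/estado_agente", "custom": False},
    {"profile": "Operator (read)", "sec": None, "sec2": "operation/agentes/ver_agente", "custom": True},
    {"profile": "Operator (read)", "sec": "workspace", "sec2": ALL, "custom": False},
    # A page assigned to a section it does not belong to: the membership check must reject it.
    {"profile": "Operator (write)", "sec": "estado", "sec2": "operation/users/user_edit", "custom": False},
    {"profile": "Chief Operator", "sec": ALL, "sec2": ALL, "custom": False},
]

# Constructed classic ACL: pages a profile is denied because it lacks the required bit.
CLASSIC_DENIED = {
    "Chief Operator": {"godmode/setup/setup"},
}


def page_from_url(url):
    """Extract (sec, sec2) from a console URL, exactly what the custom editor asks for."""
    query = parse_qs(urlparse(url).query)
    return query.get("sec", [None])[0], query.get("sec2", [None])[0]


def classic_allows(profile, sec2):
    """Classic ACL verdict; evaluated before the advanced system."""
    return sec2 not in CLASSIC_DENIED.get(profile, set())


def advanced_allows(profile, sec, sec2):
    """Advanced ACL verdict over the rule table for one profile."""
    for rule in ADVANCED_RULES:
        if rule["profile"] != profile:
            continue
        if rule["custom"]:
            if rule["sec2"] == sec2:
                return True  # custom entry: matched by sec2 only, no section check
            continue
        if rule["sec"] == ALL:
            return True  # All sections: everything visible, as without advanced ACL
        if rule["sec"] != sec:
            continue  # URL claims a different section than the rule grants
        if rule["sec2"] == ALL:
            return True  # whole-section grant: per-page membership check skipped
        if rule["sec2"] == sec2 and sec2 in MENU.get(sec, []):
            return True  # individual menu page: must really belong to that section
    return False


def can_access(user, url):
    """Full decision: superadmin exemption, classic ACL, then advanced ACL if enabled."""
    sec, sec2 = page_from_url(url)
    if user.get("superadmin"):
        return True
    if not classic_allows(user["profile"], sec2):
        return False
    if not ADVANCED_ACL_ENABLED:
        return True
    return advanced_allows(user["profile"], sec, sec2)


def visible_sections(user):
    """A menu section is shown only if the user can open its first page."""
    base = "https://console.example/index.php"  # placeholder console address
    shown = []
    for sec, pages in MENU.items():
        if can_access(user, f"{base}?sec={sec}&sec2={pages[0]}"):
            shown.append(sec)
    return shown


if __name__ == "__main__":
    reader = {"profile": "Operator (read)"}
    agent_url = "https://console.example/index.php?sec=estado&sec2=operation/agentes/ver_agente&id_agente=7702"
    print(page_from_url(agent_url))        # ('estado', 'operation/agentes/ver_agente')
    print(can_access(reader, agent_url))   # True, via the custom-editor entry
    print(visible_sections({"profile": "Pandora Administrator"}))  # [] : no rules, nothing shown
```

The "Pandora Administrator" case at the end reproduces the warning from the Configuration section: with the advanced system on and no rules for that profile, the administrator sees no menu at all, which is why a misconfiguration can lock you out of the console.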
Allowed pages for each profile can be consulted at any time using Filter by profile and then pressing the Filter button:
- In order for users to access and change their own user data, they must be granted access to Workspace | Edit my user | All.
- So they can generate their own tokens: Workspace | Edit my Tokens | All.
- So they can read their notifications: Workspace | Messages | All. If, in addition, they need to reply to a message from another user, it must be added in “Custom edition”, in the sec2 parameter: operation/messages/message_edit.