I have created a ticket for this  - http://dev.zenoss.com/trac/ticket/7838 .

Cheers,

Jane

More updates on this subject and  I have opened another 3 tickets.  I think we have several interacting issues here.

One issue, as stated above, is that sometimes the device counts against the left-hand menu items are incorrect.  A side effect of this seems to be that the Event Console for on organizer (like a Location, for example) is sometimes empty.  This is the Event Console that you reach by using the left-hand menu to select, say, a specific Location, use the DETAILS link at the top of the LH menu and select Events.  I have opened ticket http://dev.zenoss.com/trac/ticket/7849 for this.  This is independent of anything to do with Administered Objects.

In the earlier append, I hadn't tested whether events could be Acknowledged or Closed.  I want to ensure this is possible for devices that are specified for a user (or the group of that user) in Administered Objects.

After further experimentation, I have abandoned the strategy of giving a user NO global role.  It does hide from the user anything that is not explicitly included in an Administerd Object (AO) BUT:

1) You can't see a detailed event view for any events.  If you go to the event console for a device that is specified in an AO and the AO has the Manager role (and it MUST be the Device Event Console - not a group / system / location / global event console) - then you can see the line-by-line events for that device but double-clicking on an event to get to the detail, results in a Zenoss login screen - not sufficient permission.    You don't seem to inherit this permission from the Adminstered Object configuration - you have to have at least the View permission globally to see event details.

2) Similarly, without a global View permission, you don't see anything useful in the left-hand graphs menu for a device - you see the graph headers but no data

3) Similarly, without a global View permission, you don't see any Reports at all

4) There doesn't appear to be enough granularity in the Zenoss permissions to separate different "View"s.  If there was a View Events, View Graphs, View Reports, then that would be easy . Look at the permissions from http://<your zenoss>:8080/zport/manage_access .

So, abandon no global role.  You can use the global role of ZenUser or create your own.

So assume you have a user, c1, in a group c1Group with ZenUser global role.  Create an Administered Object for the c1Group based on an existing Location - /Locations/VM-land is my example - which contains some real Linux systems and some emulated Network devices, some of which have outstanding events.  Give the AO the Manager role.  Logoff c1 and log back on. Navigate to the main page for a device in your Location and go to the Events page.  Try to Ack or  Close an event - you can't do it.

Create another AO, this time based either on specific device or device class, and give it Manager role.  Logoff / logon.  Navigate to the main page for a device in this AO - Ack and Close works. Note that it MUST be the Device Event Console - not a group / system / location / global event console - you won't be able to Ack or Close anywhere other than the Event LH menu for a device.  So we have a bug where Event access based on Locations (and its also true for Groups and Systems) doesn't work.  I have raised ticket http://dev.zenoss.com/trac/ticket/7848 for this.

Another thing I want to do is add to the Log of an event.  This used to be possible with Zenoss 2.5 if you had the "Manage Events" permission (which the Manager role has by default).  You can see the Log of any event that you are allowed to see by double-clicking the event, but even if you have an AO that allows you to Ack / Close an event, it still won't let you add to the Log.  You need a global Manage Events permission - again the permission from the Administered Object is not being applied to the action of adding to the Log of an event (there is a separate permission "Log to the Event Log" but this doesn't seem to help.  It's not allocated by default to any role and allocating it doesn't help).  I have raised this as http://dev.zenoss.com/trac/ticket/7850 .

Other glitches that I haven't yet raised as bugs - they are more "essential enhancement requests"  - are associated with the Event Console reached from the Events menu of a device's details page:

1) There is no UnAcknowledge icon on a device's event console - only on a global event console

2) There is no ReOpen icon on a device's history event console - only on a global history event console

3) There are no filters available when viewing a devices Event Console or History Event Console, as there are with the global consoles

If we can get the above bugs fixed, then a user will probably end up working with a device Event Console so these user limitations will become significant.

I would REALLY appreciate someone else verifying these bugs, especially 7848 about Administered Object permissions not applying if based on Locations / Groups / Systems.  If this doesn't work then it makes a nonsense of the whole concept.  There are "Steps to reproduce" in the ticket but please ask if you want more detail.  I am working with a Zenoss 3.1 32-bit SuSe stack build on Open SuSE 11.4 so anyone with a different platform would be really good.

I really don't see why we should buy Zenoss Enterprise to get the ACL ZenPack (which I believe achieves this granular user role stuff), when the functionality in Core is so broken!

Cheers,

Jane

OK. I now have a test ZenPack that works around most of the bugs documented in this thread.

It creates a new role, ZenOperator, that has the normal ZenUser permissions plus "Manage Events" which lets a user Ack / Close events.

If you create an Administered Object that is an Organizer (device class, location, system or group) then the role of that Administered Object is propagated to all devices in the Organizer.

If you combine this ZenPack with a user that has No role, you can achieve a user that ONLY sees Organizers and devices configured for them through Administered Objects.  They can Ack / Close events.  They can see the usual stuff for devices.  By default, they CANNOT see any graphs.  This needs an extra hack of $ZENHOME/ZenRRD/RenderServer.py to comment out all 5 security.declareProtected statements and recycle zenhub and zopectl.  I don't think this is a huge security relaxation for most folk as a completely unauthenticated user would get this level of access.

I have included a utility I found on the wiki (I think from cluther???) - copyDashboardState.py - that copies a model dashboard to other users - it's in the lib directory.

I have fixed the bug (ticket 7837) whereby if you delete a user Group that has Administered Objects configured, it didn't clean up the relationship to those Administered Objects and left your database in a corrupted state.

I have done some testing but I would appreciate other testers - development environments please!

Read the various READMEs in the pack and the comments oin __init__.py.

Please provide feedback!

Cheers,

Jane