Fine granular permissions and restrictions

[nilmerg]

With the upcoming changes of v1.0, Icinga Notifications Web will be more of an administration UI and is not supposed to be accessible for users who are not authorized to change its configuration. But also across administrators are various levels of responsibility and given the fact that source integrations are responsible to control a user's access to rule filter value suggestions and that extra tags will also be gone, it makes sense to allow fine granular permissions and restrictions for features and configuration items of Icinga Notifications.

The current permissions are as follows:

Permission	Description
notifications/config/schedules	Allow to configure schedules
notifications/config/event-rules	Allow to configure event rules
notifications/config/contacts	Allow to configure contacts and contact groups
notifications/view/contacts	Allow to view contacts of an incident
notifications/api	Allow to modify configuration via API

In addition to them, I'd like to see the following:

Permission	Description
notifications/view/incidents	Allow to view incidents

Restriction	Description
notifications/filter/schedules	Restrict access to schedules identified by ID (comma separated)
notifications/filter/rules	Restrict access to rules identified by ID (comma separated)
notifications/filter/contacts	Restrict access to contacts and contact groups that match the filter

notifications/filter/schedules

This should be configurable as part of a schedule and provide a list of roles as suggestions. As such it requires the permission config/access-control/roles. Upon save it is supposed to update Icinga Web's roles.ini and add/remove the schedule's ID accordingly.

Icinga Web's RoleForm will also show this. It should be adjusted to allow hooking into the handling of a particular restriction. Icinga Notifications Web should then use this to show a list of schedules with their name and auto-completion capability. No further permission check is required here, as users who are able to configure roles can be considered unrestricted.

Effects on Views

schedules

• Only matching schedules are accessible.

incidents

• Only notifications sent due to matching schedules are visible.

rules

• Only matching recipients of type schedule are visible.
  • Escalations that have no recipients due to this are not shown.
• Only matching recipients of type schedule can be chosen.

notifications/filter/rules

This should work very similar to notifications/filter/schedules. A list of roles is configurable as part of a rule's configuration and Icinga Notifications Web hooks into RoleForm as well.

Effects on Views

rules

• Only matching rules are accessible.

incidents

• Only triggered rules that match are listed.
• Only events triggered by matching rules are listed.

notifications/filter/contacts

This should be based on either contact.name, contact.username or contact_address.address, the latter allowing to express access to e.g. certain members of a given domain, in case an email address is configured.

Effects on Views

incidents

• Only matching subscribers are visible.
• Only notifications sent to matching subscribers are visible.

contacts

• Only matching contacts are listed.
• Only contact details of matching contacts are visible.

contact groups

• Only contact groups with matching contacts are listed.
• Only members which match are visible.
• Empty contact groups are not accessible.

rules

• Only matching recipients of type contact or contact group are visible.
  • Escalations that have no recipients due to this are not shown.
• Only matching recipient's of type contact or contact group can be chosen.

schedules

• Only matching contacts and contact groups are recognizable. (i.e. Everyone sees that there is someone part of a rotation, but not necessarily their identity.)
• Whether the identity is visible or not, a rotation member can be moved and removed.