Icinga2 role permissions, filters

I have Icinga2 and Icingaweb2 set up for monitoring hosts and services for myself, but I wanted to expand on my current configuration and let web developers manage monitoring for their assets (development and staging hosts and web servers).

webdev is the name of one of my host groups, defined in my /etc/icinga2/conf.d/groups.conf file:

object HostGroup "webdev" {
  display_name = "Web Development Hosts"

The hosts I want developers to be able to monitor are members of the webdev host group.

First I created a new role in the web interface under Configuration — Authentication — Roles:

Role Name:
webdev [this is the name of a group on my LDAP server]
Permission Set:
Allow everything (*)

This created the role without any errors. However, when I logged in as a member of the webdev group, I received the following error message:

Service Problems
Cannot apply restriction monitoring/filter/objects using the filter webdev. You can only use the following columns: instance_name, host_name, hostgroup_name, service_description, servicegroup_name, _(host|service)_<customvar-name>

I needed to specify a key-value pair for the monitoring/filter/objects:


You can include multiple host groups by including a logical OR:


Once I confirmed that worked, I further restricted the Permission Set to a more limited set of options:

  • Allow access to module monitoring (module/monitoring)
  • Allow all commands (monitoring/command/*)

A user in the webdev role now has access to everything I expected except contacts (Overview — Contacts). The Contacts page produces a long and unfriendly error message that begins with:

SQLSTATE[42S22]: Column not found: 1054 Unknown column 'ho.object_id' in 'on clause'

That’s a known bug, and currently an issue filed on the icingaweb2 GitHub repository: Non-admin overview Contact gives SQL error

Leave a Reply

Your email address will not be published. Required fields are marked *