Ack & Enable/Disable - Limiting REMOTE_USER access.

s_aiello at comcast.net
Tue Jul 31 15:59:03 CEST 2007


All,

I have had the need for limiting Apache authenticated users Ack & Maint access 
in Hobbit.  This email will outline the procedure that I have created to do 
this. I hope this may be of some help or usefulness to the community.

First I established two levels of access, global & limited. I limit users' 
access to devices by putting devices they need ack/Maint access to, on a 
dedicated page. They are then granted ack/Maint access to that dedicated 
page. Limited access users do not have access to the Administration --> 
Enable/disable Web GUI. They can only Maint devices via the device's info 
report. Global access is allowed to Ack any device & has access to the Admin 
Web GUI.

Access control is configured via a file I created, called 
server/etc/cgiauthext.cfg, and has the format:
Admin: .*
WebAdmin: web
netAdmin: (switches|routers)

The Admin user has global access. The WebAdmin user only has Ack & Maint 
access to any device on the /web page. The netAdmin user has Ack & Maint 
access to devices on the /switches and /routers pages. All users (Admin, 
WebAdmin, & netAdmin) need to have users with the same name created in 
hobbit's apache password file (server/etc/hobbitpasswd).

This limiting of access was done by modifying the cgi-secure/bb-ack.sh & 
cgi-secure/hobbit-enadis.sh wrappers. Basically I prepended some shell script 
logic to the wrapper script. The additions are provided in the 
hobbit-user_auth.txt attachment which is in the output of diff -u.

Disclaimer: I have no idea if these mods will work for you or your 
environment. These mods were created on a Linux platform. Please use at your 
own risk.

 ~Steve
-------------- next part --------------
A non-text attachment was scrubbed...
Name: hobbit-user_auth.txt
Type: text/x-diff
Size: 3602 bytes
Desc: not available
URL: <http://lists.xymon.com/pipermail/xymon/attachments/20070731/238412e7/attachment.diff>
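An added example, not the contents of hobbit-user_auth.txt (the attachment is not reproduced on this page): one way a wrapper could check the Apache-authenticated user against the cgiauthext.cfg format shown in the message, denying by default. The function names, the page name arriving as an argument, and matching the pattern against the whole page name are assumptions.

```shell
#!/bin/sh
# cgiauth_allowed USER PAGE CFGFILE  ->  exit status 0 = allow, 1 = deny.
# In a CGI wrapper USER would be "$REMOTE_USER". PAGE is assumed to be supplied
# by the caller; how the original patch finds a host's page is not shown here.
cgiauth_allowed() {
    user=$1 page=$2 cfg=$3
    nl=$(printf '\n_'); nl=${nl%_}
    # Fail closed: no authenticated user, no page, or unreadable config.
    [ -n "$user" ] && [ -n "$page" ] && [ -r "$cfg" ] || return 1
    # A page value carrying a newline would be tested line by line; refuse it.
    case $page in *"$nl"*) return 1 ;; esac
    allowed=
    # Each line is "user: regex"; IFS=': ' splits at the colon and trims blanks.
    while IFS=': ' read -r name pattern || [ -n "$name" ]; do
        if [ "$name" = "$user" ]; then allowed=$pattern; break; fi
    done < "$cfg"
    # A user with no entry gets no access.
    [ -n "$allowed" ] || return 1
    # -x anchors the pattern to the whole page name, so "web" does not also
    # match "webmail". An invalid regex makes grep fail, which denies.
    printf '%s\n' "$page" | grep -Eqx -- "($allowed)"
}

# Writes the three sample entries from the message to the file named in $1.
write_sample_cfg() {
    cat > "$1" <<'EOF'
Admin: .*
WebAdmin: web
netAdmin: (switches|routers)
EOF
}

# Demonstration with constructed user:page pairs.
cfg=$(mktemp) && write_sample_cfg "$cfg"
for try in Admin:web WebAdmin:web WebAdmin:webmail netAdmin:routers nobody:web; do
    if cgiauth_allowed "${try%%:*}" "${try#*:}" "$cfg"; then verdict=allow; else verdict=deny; fi
    echo "$try -> $verdict"
done
rm -f "$cfg"
```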

