ZendHQ Role Management

This guide explains how to create users and groups and assign permissions for the ZendHQ User Interface.

What is role management and why is it needed?

By default, ZendHQ ships with a token-based "admin" role. For many scenarios, using the admin account may be enough; if you trust all users of ZendHQ with administration tasks, no further user management is necessary. To log into the ZendHQ User Interface as admin, provide either the username admin or no username, and enter the token as password.

However, if you work with a larger team you may want to limit access to ZendHQ features based on different roles. ZendHQ versions 1.6.0 or higher let you define custom users and groups, and assign permissions to groups for each discrete feature of ZendHQ. At the highest level, you can assign each group permissions for each service, and these permissions define what operations are allowed for users in that group within that service. Based on the permissions a user inherits, parts of the ZendHQ GUI may not appear, or may have restricted functionality.

To define users, follow these steps:

  1. Create groups.
  2. Assign permissions to groups.
  3. Create users.
  4. Assign users to groups.

For more information, see zendhqctl access group and zendhqctl access user.

Permissions to View and Edit Monitoring Rules

To access the monitoring configuration, certain groups need access to the conf namespace. Add the following permissions:

  1. Give the "itops" group read-only permissions to the configuration:

    zendhqctl access group set-permissions itops +r conf

  2. Give the "monitoring" group read-write permissions to the configuration:

    zendhqctl access group set-permissions monitoring +rw conf

Create groups and assign permissions

The following list shows various examples of how to customize groups for your organization:

  • Create a read-only group named readonly.

    zendhqctl access group add readonly --permissions r zray,mon,conf,ct,jq

  • Create a developer group named dev, with the following abilities:

    • Use Z-Ray
    • Read monitoring events and code traces
    • View queues
    • Suspend and resume queues
    • Create jobs

    zendhqctl access group add dev
    zendhqctl access group set-permissions dev +rw zray,jq
    zendhqctl access group set-permissions dev +r mon,conf,ct

  • Create an IT Ops group named itops with the following abilities:

    • Cannot use Z-Ray
    • Full rights to all other services

    zendhqctl access group add itops --permissions +rwx mon,conf,ct,jq

  • Create a full admin group named admin.

    zendhqctl access group add admin --permissions +rwx zray,mon,conf,ct,jq

For more information, see zendhqctl access group.

Create users and assign them to groups

To create users, follow these steps:

  1. Create the user named some_user_name.

    zendhqctl access user add some_user_name

  2. Assign a password to the user.

    zendhqctl access user password some_user_name

  3. Add the user to one or more groups.

    zendhqctl access user add-group some_user_name dev

  4. Enable the user.

    zendhqctl access user enable some_user_name

For more information, see zendhqctl access user.
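
The four steps (create groups, assign permissions, create users, assign users to groups) can be planned and reviewed before anything is applied. The following dry-run planner is an added example, not part of ZendHQ or its documentation: the spec format and the names plan_access, err and SPEC are assumptions, it prints commands in the syntax shown on this page and runs none of them, and it rejects mode letters, service names and group references that do not validate.

```shell
# Dry-run planner: prints zendhqctl commands for review; it executes none of them.
# Spec lines (a format assumed for this example, not a ZendHQ format):
#   group <name> <modes> <services>      user <name> <group>
# Constructed sample input:
SPEC='group readonly r zray,mon,conf,ct,jq
group dev rw zray,jq
user some_user_name dev'

err() { echo "plan_access: $*" >&2; }
plan_access() {
    g_cmds='' u_cmds='' e_cmds='' groups=' ' users=' '
    nl='
'
    while read -r kind name a b; do
        case $kind in '') continue ;; esac
        # Names end up in shell commands, so allow only a conservative character set.
        case $name in ''|*[!A-Za-z0-9_-]*) err "bad name '$name'"; return 1 ;; esac
        case $kind in
        group)
            case $a in ''|*[!rwx]*) err "bad modes '$a'"; return 1 ;; esac
            case $b in ''|*[!a-z,]*) err "bad service list '$b'"; return 1 ;; esac
            for s in $(printf '%s' "$b" | tr ',' ' '); do
                # Service names are limited to the ones this page uses.
                case $s in zray|mon|conf|ct|jq) ;; *) err "unknown service '$s'"; return 1 ;; esac
            done
            groups="$groups$name "
            g_cmds="${g_cmds}zendhqctl access group add $name$nl"
            g_cmds="${g_cmds}zendhqctl access group set-permissions $name +$a $b$nl"
            ;;
        user)
            # Catch typos: a user may only join a group declared in the same spec.
            case $groups in *" $a "*) ;; *) err "undeclared group '$a'"; return 1 ;; esac
            case $users in *" $name "*) ;; *)
                users="$users$name "
                u_cmds="${u_cmds}zendhqctl access user add $name$nl"
                u_cmds="${u_cmds}zendhqctl access user password $name$nl"
                e_cmds="${e_cmds}zendhqctl access user enable $name$nl" ;;
            esac
            u_cmds="${u_cmds}zendhqctl access user add-group $name $a$nl"
            ;;
        *) err "unknown line type '$kind'"; return 1 ;;
        esac
    done <<EOF
$1
EOF
    # Page order: groups and permissions, then users and memberships, then enable.
    printf '%s%s%s' "$g_cmds" "$u_cmds" "$e_cmds"
}
plan_access "$SPEC"
```

Each user is enabled only after every group membership has been planned, so an account is never active without its intended permissions.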

Change user access to groups

To restrict access to ZendHQ features for a user, choose the most appropriate among the following options:

  • Remove the user named some_user_name from one or more groups.

    zendhqctl access user remove-group some_user_name dev

  • Disable the user account.

    zendhqctl access user disable some_user_name

  • Remove the user account.

    zendhqctl access user remove some_user_name

For more information, see zendhqctl access user.