ZendHQ role management

This guide explains how to create users and groups and assign permissions for the ZendHQ User Interface.

What is role management and why is it needed?

By default, ZendHQ ships with a token-based "admin" role. For many scenarios, using the admin account may be enough; if you trust all users of ZendHQ with administration tasks, no further user management is necessary. To log into the ZendHQ User Interface as admin, provide either the username admin or no username, and enter the token as password.

However, if you work with a larger team you may want to limit access to ZendHQ features based on different roles. ZendHQ versions 1.6.0 or higher let you define custom users and groups, and assign permissions to groups for each discrete feature of ZendHQ. At the highest level, you can assign each group permissions for each service, and these permissions define what operations are allowed for users in that group within that service. Based on the permissions a user inherits, parts of the ZendHQ GUI may not appear, or may have restricted functionality.

To define users, follow these steps:

  1. Create groups.

  2. Assign permissions to groups.

  3. Create users.

  4. Assign users to groups.

For more information, see zendhqctl access group and zendhqctl access user.

Permissions to view and edit monitoring rules

To access the monitoring configuration, certain groups need access to the conf namespace. Add the following permissions:

  1. Give the "itops" group read-only permissions to the configuration:

    Copy 
    zendhqctl access group set-permissions itops +r conf

  2. Give the "monitoring" group read-write permissions to the configuration.

    Copy 
    zendhqctl access group set-permissions monitoring +rw conf

Create groups and assign permissions

The following list shows various examples of how to customize groups for your organization:

  • Create a read-only group named readonly.

    Copy 
    zendhqctl access group add readonly --permissions r zray,mon,conf,ct,jq

  • Create a developer group named dev, with the following abilities:

    • Use Z-Ray
    • Read monitoring events and code traces
    • View queues
    • Suspend and resume queues
    • Create jobs
    Copy 
    zendhqctl access group add dev
    zendhqctl access group set-permissions +rw zray,jq
    zendhqctl access group set-permissions +r mon,conf,ct

  • Create an IT Ops group named itops with the following abilities:

    • Cannot use Z-Ray
    • Full rights to all other services
    Copy 
    zendhqctl access group add itops --permissions rwx mon,conf,ct,jq

  • Create a full admin group named admin.

    Copy 
    zendhqctl access group add admin --permissions rwx zray,mon,conf,ct,jq

For more information, see zendhqctl access group.

Create users and assign them to groups

To create users, follow these steps:

  1. Create the user named some_user_name.

    Copy 
    zendhqctl access user add some_user_name

  2. Assign a password to the user.

    Copy 
    zendhqctl access user password some_user_name

  3. Add the user to one or more groups.

    Copy 
    zendhqctl access user add-group some_user_name dev

  4. Enable the user.

    Copy 
    zendhqctl access user enable some_user_name

For more information, see zendhqctl access user.

Change user access to groups

To restrict access to ZendHQ features for a user, choose the most appropriate among the following options:

  • Remove the user named some_user_name from one or more groups.

    Copy 
    zendhqctl access user some_user_name remove-group dev

  • Disable the user account.

    Copy 
    zendhqctl access user disable some_user_name

  • Remove the user account.

    Copy 
    zendhqctl access user remove some_user_name

For more information, see zendhqctl access user.