Expected Behavior
A user should be able to create a host that would result in that host being included in a host group, without having to manually specify the group.
Currently, if a user in Director has host group restrictions, they are unable to create a host unless you manually specify a group the user has access to.
Current Behavior
If a user has a host group restriction in Director, and that host group is defined with an assign-where rule, a user can't create a host that would match that assign-where rule.
Possible Solution
Steps to Reproduce (for bugs)
1. Create a role with a host group filter - e.g.:

       Restrictions:
       director/filter/hostgroups = customer.org.au

2. Create a host group in Director with an assign rule - e.g.

       object HostGroup "customer.org.au" {
         display_name = "Customer A"
         assign where host.zone in [ "customer.org.au" ]
       }

3. Create a new host in zone customer.org.au.
4. When a user saves the host, the save errors with: Unable to store a host with the given properties because of insufficient permissions (IcingaHostForm.php:373).

However, if you then add the host to the customer.org.au host group manually, a user is able to save the host.
The host would be included in the customer.org.au host group, but because it has not been created yet, the rule is not applied, and therefore permission is denied.
Your Environment
- Director version (System - About): 1.11.1
- Icinga Web 2 version and modules (System - About): 2.12.1
- Icinga 2 version (icinga2 --version): 2.14.2
- Operating System and version:
- Webserver, PHP versions: 7.4.33
This seems similar to #1663 - but is a slightly different use case. I'm not sure if this is intended behaviour, but essentially a user cannot create a host that would end up being included in an apply rule they are allowed to access.
If this is intended behaviour, perhaps the message should be updated to inform the user that they need to specify a host group they are allowed to use.
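
The following is an added example, not part of the original report and not Icinga Director code: a simplified Python model of the restriction check described above, comparing a check that counts only manually specified groups with one that first evaluates assign rules against the unsaved host. The class and function names, the host names `web01` and `db01`, the zone `other.example`, and the limitation to `host.zone in [...]` rules are assumptions made for illustration.

```python
# Simplified model of the behaviour reported above; not Icinga Director code.
# Assumption: only "assign where host.zone in [...]" rules are modelled.
from dataclasses import dataclass, field


@dataclass
class HostGroup:
    name: str
    # Zones listed in the group's "assign where host.zone in [...]" rule.
    assign_zones: list = field(default_factory=list)


@dataclass
class Host:
    name: str
    zone: str
    groups: list = field(default_factory=list)  # groups set manually on the host


def resolved_groups(host, hostgroups):
    """Manual groups plus every group whose assign rule matches the unsaved host."""
    names = set(host.groups)
    names.update(g.name for g in hostgroups if host.zone in g.assign_zones)
    return names


def allowed_manual_only(host, restricted_to):
    """Reported behaviour: only manually specified groups satisfy the restriction."""
    return bool(set(host.groups) & set(restricted_to))


def allowed_with_assign_rules(host, hostgroups, restricted_to):
    """Alternative: evaluate assign rules on the candidate host before deciding."""
    return bool(resolved_groups(host, hostgroups) & set(restricted_to))


# Constructed sample data mirroring the reproduction steps.
HOSTGROUPS = [HostGroup("customer.org.au", assign_zones=["customer.org.au"])]
RESTRICTION = ["customer.org.au"]  # value of director/filter/hostgroups

if __name__ == "__main__":
    new_host = Host("web01", zone="customer.org.au")  # hypothetical host
    print("manual-only check:", allowed_manual_only(new_host, RESTRICTION))
    print("assign-aware check:",
          allowed_with_assign_rules(new_host, HOSTGROUPS, RESTRICTION))
    other = Host("db01", zone="other.example")  # zone no permitted rule matches
    print("other zone:", allowed_with_assign_rules(other, HOSTGROUPS, RESTRICTION))
```

In this model a host whose zone matches no permitted group's assign rule is still refused, so evaluating the rules before the save does not widen the restriction.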