Bug #40450 Monitor should support ACLs
Submitted: 31 Oct 2008 5:15 Modified: 18 Dec 2008 16:25
Reporter: Gary Whizin
Status: Verified
Category: MySQL Enterprise Monitor: Server Severity: S4 (Feature request)
Version: 1.1.1.5780, 2.0.0.7125 OS: Any
Assigned to: Assigned Account CPU Architecture: Any
Tags: mem_discuss_me, windmill

[31 Oct 2008 5:15] Gary Whizin
Description:
Request for adding multi-tenancy support to restrict which servers a user can access. This request is made from:

- companies to limit visibility to a user's departmental or other work group servers
- ISPs wanting to install a single instance of Monitor but (obviously) restrict access per user

How to repeat:
see description

Suggested fix:
Ideally provide mechanism to set access privileges at server and/or server group level. Use cases:

- user U can access server S
- user U can access server group G

- By giving access to All Servers, user would be authorized to access any new server that showed up after User was created

Default should probably grant no access rights unless explicitly stated.
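
The access model requested above, sketched as an added example (not part of the original report and not MySQL Enterprise Monitor code): per-server grants, per-group grants, an "All Servers" grant that covers servers registered later, and no access by default. The class, method, user and server names are hypothetical.

```python
# Added illustration; names are hypothetical, not the Monitor's API.
ALL_SERVERS = "All Servers"  # built-in group name taken from the report


class MonitorAcl:
    def __init__(self):
        self.inventory = set()    # every server the monitor knows about
        self.groups = {}          # group name -> set of server names
        self.server_grants = {}   # user -> set of server names
        self.group_grants = {}    # user -> set of group names

    def add_server(self, server, groups=()):
        self.inventory.add(server)
        for group in groups:
            self.groups.setdefault(group, set()).add(server)

    def grant_server(self, user, server):
        self.server_grants.setdefault(user, set()).add(server)

    def grant_group(self, user, group):
        self.group_grants.setdefault(user, set()).add(group)

    def can_access(self, user, server):
        if server not in self.inventory:
            return False
        if server in self.server_grants.get(user, ()):
            return True
        for group in self.group_grants.get(user, ()):
            # Membership is resolved at check time, so servers added after
            # the grant was made are covered without touching the user.
            if group == ALL_SERVERS or server in self.groups.get(group, ()):
                return True
        return False  # default: no access unless explicitly granted

    def visible_servers(self, user):
        return sorted(s for s in self.inventory if self.can_access(user, s))


def demo():
    acl = MonitorAcl()
    acl.add_server("db-dev-1", groups=["dev"])      # constructed sample data
    acl.add_server("db-prod-1", groups=["prod"])
    acl.grant_server("alice", "db-prod-1")          # user U -> server S
    acl.grant_group("bob", "dev")                   # user U -> server group G
    acl.grant_group("carol", ALL_SERVERS)
    acl.add_server("db-dev-2", groups=["dev"])      # shows up after the grants
    return {u: acl.visible_servers(u) for u in ("alice", "bob", "carol", "dave")}
```
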
[19 Nov 2008 7:50] Simon Mudd
You may also want to limit which rights are granted on some of the screens.
- The query analysis pages potentially show confidential information
- it may not be wanted to show other host configuration information
- you may want to simply limit the page(s) that are visible to the user.

One use I see is a global read-only user for monitoring "server status". This usage is very handy but if it's global then it probably needs to have more limited rights than those available at the moment.
[12 Dec 2008 14:47] Mark Leith
Found Bug#28247 which is a duplicate of this. Marked the old one as a duplicate, as this has slightly more info in it.
[11 Jun 2009 6:29] Gary Whizin
Adding this comment from Sheeri's request (#45437, marked as duplicate:

[10 Jun 20:35] Sheeri Cabral <awfief@gmail.com>

Description:
Currently, the MySQL Enterprise Monitor has the ability to have multiple
user accounts, in 3 roles:  Administrator, Agent and DBA.

However, all DBAs have access to all the information for all the
configured databases in the monitor.  We would like to be able to
segregate which servers a user can see -- there are already server
groups and notification groups, so setting up permission groups such as
"this user can only see these servers/server groups" shouldn't be too
difficult -- not all DBAs are responsible for all servers.
[11 Jun 2009 6:32] Gary Whizin
)
[5 Oct 2009 11:30] Andrii Nikitin
bug #34238 was marked as duplicate of this, because it will be covered.
bug #23508 requests just "read-only" category of users, so it is simpler and may be implemented earlier.
[4 Nov 2009 23:37] Enterprise Tools JIRA Robot
Gary Whizin writes: 
See related issue http://bugs.mysql.com/23508
[10 Nov 2009 23:31] Chris Calender
This feature should also allow users to only be able to access a certain tab.  For instance, say you only want a certain user to be able to see the QUAN tab.  And within that, limit which servers/groups/schemas/tables any given login can access.
[11 May 2010 8:22] Mark Leith
Bug#53542 was marked as a duplicate of this one.
[29 Jul 2010 15:34] MySQL Verification Team
As Mark Leith noted in bug #53542 (http://bugs.mysql.com/bug.php?id=53542) there is a new read-only profile that does not allow access to QUAN data by default. 

This is a request to make that default configurable (either as a role or for the entire instance). This would enable the MEM administrator to set the option once and have all new read-only users granted access to QUAN data and information.
[29 Jul 2010 18:21] Simon Mudd
Indeed it doesn't make it much harder to later add other rights for each "user group" such as to each of the tabs and then define which rights each group has.

I understand you may want to go slowly with this but more flexibility is certainly important as the number of dashboard users grows. I'm certainly in that situation and it would be helpful if we could tie down permissions to certain groups of servers, such as giving pretty full access to view everything to our developers to the development db servers, but perhaps more restricted access to different production groups.
[18 Nov 2010 17:08] Mark Leith
Bug#58293 was marked as a duplicate of this one.