How to allow a user in Nagios to view the status of some servers, but not disable/enable anything?

In /usr/local/nagios/etc/cgi.cfg (or wherever it lives on your system) define the read-only users:

# A comma-delimited list of usernames that have read-only rights in
# the CGIs.  This will block any service or host commands normally shown
# on the extinfo CGI pages.  It will also block comments from being shown
# to read-only users.

authorized_for_read_only=viewer

Of course, viewer must be first defined as contact with an appropriate htpasswd authentication. In the service/host detail page, the right hand side where you usually have commands will say:

Your account does not have permissions to execute commands.

If I understand your question correctly you would like to add users to nagios that can only see some of the servers and have no authority to do any of the administration tasks ( Start / Stop monitoring or alerting ).

To accomplish this you will need to add a user to the .htpasswd file for nagios and then create a contact in nagios with the contact_name matching the username set in .htpasswd and then add that contact only to the hosts which you want them to see. Remember that when you add things to the host configuration that are also defined in the template that it overrides the template instead of adding to it so you will need to also add back any contacts that host already has in the template.

For allowing a user view-only access only to some hosts in Nagios webview you have to implement following changes:

Note: Jump to 3. if you already have password protected authentication enabled:

1. Edit the cgi.cfg located in your nagios installation (e.g. /usr/local/nagios/etc) to enable password protected login:

   use_authentication=1
   

2. In the nagios.conf file in your Apache installation directory, verify that the following lines are included to point to the htpasswd.users file:

   AuthName "Nagios Access"
   AuthType Basic
   AuthUserFile /usr/local/nagios/etc/htpasswd.users
   Require valid-user
   

3. Add the user to the htpasswd.users file using the htpasswd command and the Apache HTTPD password manager. Location could vary depending on your system; a few common locations for it are /usr/bin and /usr/local/apache/bin:

   # htpasswd /usr/local/nagios/etc/htpasswd.users testuser01
   New password:
   Re-type new password:
   Adding password for user testuser01
   

4. Edit the cgi.cfg located in your nagios installation; uncomment authorized_for_read_only and add the username(s) for which you want to grant the access:

   authorized_for_read_only=testuser1
   

5. Create an entry for the user in objects/contacts.cfg from your nagios installation:

   define contact {
       contact_name                    testuser01
       use                             generic-contact
       alias                           Test User 01
       email                           [email protected]
   }
   

6. In the same objects/contacts.cfg define also a group that will hold the user and other future users that will need same access to same hosts - easier to manage when users are contain in groups:

   define contactgroup {
       contactgroup_name       view-only-host01
       alias                   View Only access to alarms for Host01
       members                 testuser01
   }
   

7. Take the contactgroup defined previously, view-only-host01, and in the .cfg of your host (e.g. objects/host01.cfg) add it to every service for which you want to grant the view only access:

   define service{
          service_description     Alarm for Test service - Metric 01
          check_command           webinject!test/test.xml
          servicegroups           availability
          contact_groups          admins,view-only-host01
   }
   

8. Restart nagios

In your cgi.cfg file, there are the following lines:

authorized_for_all_services=*

authorized_for_all_hosts=*

Normally these are configured as above, so all users can at least view all your hosts and services. So if you add your new user to your htpasswd file, they should get the desired behaviour by default.