I have made separate root / admin / user panels (Working!)

I have made separate root / admin / user dashboards!
Everything that needed to be done was changed inside the /usr/share/nethesis folder!

I believe that this is a much better way than the recent dashboard, the new situation is:

Login as root / rootpassword (Complete dashboard, all options available)
Login as admin / adminpassword (This dashboard contains fewer functions: management + extra)
Login as user / userpassword (Simple dashboard, Server Status, Change User Password)

Of course I would like to share this with the community, if there is some interest?
For example I can post all changes to be made, and explain how to (easily) customize the admin dashboard.
Where should I post it?

For sure a lot more is possible, and further development from this point can make NethServer awesome!

I build servers for my customers (companies), already for more than 15 years using SME Server; these servers are mostly dedicated servers at the customer's location. I recently started using NethServer as a replacement and sell this as a Cloud Server, hosted in a Dutch datacenter on a professional QEMU network.
With the root/admin/user dashboard setup I made, NethServer is a perfect product: my customers can manage only what they need to manage using their admin (manager) login.

Still… when I update, everything will be removed and set to defaults.

Can you tell me, is it possible to prevent this from happening?
For example overwrite (templating?) the /usr/share/nethesis folder?

For now it is a 'custom mod' to all my servers; I have to 'custom mod' each time
I install new updates…

It could be a new module for the software manager so it will be an option,
or even better (when you all like it, and someone would double check for security),
my setup could be the next NethServer's default?

Screenshots available if needed, working on demo server…

Greetings,

Bastiaan de Jonge
Xonline / Technorama LLP
The Netherlands

13 Likes

A good enhancement would be to display a panel of users and to select with a checkbox what you want to grant to this user.

It would be more useful if the administrator / superuser could create groups (with the inclusion of checkboxes for individual modules) and then assign users to these groups.

I agree on that.

What I have done now is separate the root and the admin.
root is the server owner and can see everything on the dashboard.

I removed admin from the group 'domain admin'.
admin is a member of the group managers now; of course you can
add other users to the group managers, like Administrator or whatever.

The panel we talk about must be for the users in the group managers only.
We do not need a per-user selection, just one admin dashboard for this group.

Maybe another panel for everyone who is not root and not a member of managers;
this will be the dashboard for the users then. (Restricted options here.)

I will continue development.

I need to get more familiar with the forum, and post my development…

Not sure if the admin is no more an administrator it is completely free. Need to be tested fully

I suppose that it works this way:

Linux root has all privileges, but Windows does not have a root user, it has an administrator.
That's why NethServer has an administrator too, it needs privileges for the AD DC connection.
The administrator can whenever you want or not have any rights depending on the group assigned to it.

So for a good working AD DC I think Administrator must be assigned to the group domain admin.
If this is true, administrator can log in to NethServer and see the same dashboard as root, which is correct supposing that the person who is administrator on Windows is like a root user on a Linux machine.

The admin user on a Linux machine always has less access than the root user. Now the admin user is
assigned as manager and root privileges were removed from nethesis, all is back to normal (Linux default).
The admin user is a Linux manager who does not need rights for AD DC (and whenever you would like it to, just add it to the group 'domain admin' again).

So my changes are not permanent, only logical defaults.
I am writing down my changes in a nice list and will make it public soon…

Greetings
Bastiaan de Jonge

Separate root / admin / user dashboard

Please follow this procedure :

Create a new group called “managers”
edit the “admin@yourserver.xx” user and remove the group “domain admin” from this user
Now instead of above, add the group “managers” to this user.

Administrator on your Windows server can't be removed from the group 'domain admin', so the Administrator will have full rights on the NethServer (like root).
So what we do here is create an ‘admin’ as user for the NethServer with limited dashboard options.
This allows you to rent the NethServer to your customer and let them have limited management.

Make sure the password of your “root” user is different than that from the admin / administrator
admin / administrator can be same password if you wish ( mostly assigned to the same person )

Change the following file:

//usr/share/nethesis/NethServer/Authorization/base.json

See row 16: "Subject": ["root", "admin", ".groups HAS adm"],
Change to: "Subject": ["root", ".groups HAS adm"],

Edit the following file:
//usr/share/nethesis/NethServer/Template/Dashboard/SystemStatus.php
Change this part (first and last line are new):

if($view['username'] === 'root') {

$view->includeJavascript("

(function ( $ ) {
  function loadPage() {
        $.Nethgui.Server.ajaxMessage({
            isMutation: false,
            url: $module1Url
        });
  }
 $(document).ready(function() {
      loadPage();
  });
})( jQuery);
");

}

Edit: /usr/share/nethesis/NethServer/Module/Dashboard/SystemStatus.php

and replace the last 3 functions with the following 4:

public function prepareView(\Nethgui\View\ViewInterface $view)
{
    parent::prepareView($view);
    $this->notifications->defineTemplate('adminTodo', \NethServer\Module\AdminTodo::TEMPLATE, 'bg-yellow');
    $view['username'] = $this->userName;
}

public function setUserNotifications(\Nethgui\Model\UserNotifications $n)
{
    $this->notifications = $n;
    return $this;
}

public function setUser(\Nethgui\Authorization\UserInterface $u)
{
    $this->user = $u;
    $this->userName = $u->getCredential('username');
    return $this;
}

public function getDependencySetters()
{
    return array(
        'UserNotifications' => array($this, 'setUserNotifications'),
        'User' => array($this, 'setUser'),
    );
}

Now system messages are visible for the root user only ( the yellow messages bar in top of the GUI )

Next…

Take the following steps to create a new fresh empty dashboard that will show up for all users / managers:

mv //usr/share/nethesis/NethServer/Module/UserDashboard/UserProfileRedirect.php //usr/share/nethesis/NethServer/Module/UserDashboard/UserProfileRedirect.old

Create a new file “UserDashboard.php” containing the following:
touch //usr/share/nethesis/NethServer/Module/UserDashboard/UserDashboard.php

Put this inside :

<?php
namespace NethServer\Module\UserDashboard;

class UserDashboard extends \Nethgui\Controller\AbstractController
{
    public function prepareView(\Nethgui\View\ViewInterface $view)
    {
        $view->getCommandList()->sendQuery($view->getModuleUrl('/UserDashboard'));
    }
} // end class

Create a new file:
touch //usr/share/nethesis/NethServer/Module/UserDashboard.php

<?php
namespace NethServer\Module;

class UserDashboard extends \Nethgui\Controller\CompositeController
{
    public function initialize()
    {
        parent::initialize();
        // Choose only one, multiple won't display.
        $this->addChild(new \NethServer\Module\Dashboard\SystemStatus\Resources());
        // $this->addChild(new \NethServer\Module\UserDashboard\NewDashboard());
        // $this->addChild(new \NethServer\Module\Dashboard\SystemStatus\Accounts());
        // $this->addChild(new \NethServer\Module\Dashboard\SystemStatus\Backup());
        // $this->addChild(new \NethServer\Module\Dashboard\SystemStatus\Mail());
        // $this->addChild(new \NethServer\Module\Dashboard\SystemStatus\Network());
        // $this->addChild(new \NethServer\Module\Dashboard\SystemStatus\Providers());
        // $this->addChild(new \NethServer\Module\Dashboard\SystemStatus\RaidStatus());
        // $this->addChild(new \NethServer\Module\Dashboard\SystemStatus\SystemRelease());
    }
}

Add this to base.json ( //usr/share/nethesis/NethServer/Authorization/base.json )

{
    "Id": 9999999998,
    "Effect": "ALLOW",
    "Subject": ".authenticated",
    "Action": "*",
    "Resource": "NethServer\\Module\\UserDashboard:*",
    "Description":
        "Authenticated users have full control on UserDashboard module"
}

Remove CPU Model From Hardware
(On QEMU it says “Standard PC i440fx”, it looks too cheap! and is not true).

//usr/share/nethesis/NethServer/Template/Dashboard/SystemStatus/Resources.php
Mark out row 31
// echo "<dt>".$T('product_name_label')."</dt><dd>"; echo $view->textLabel('product_name'); echo "</dd>";

Make sure you have installed what you need like OpenVPN, Samba Auditing

Now assign several items to the manager (admin user), so your customer's system operator has access to the needed options.

You can use these on the command line …

sed -i -- 's/Gateway/Management/g' /usr/share/nethesis/NethServer/Module/VPN.php
sed -i -- 's/Gateway/Management/g' /usr/share/nethesis/NethServer/Module/VPN/OpenVPN.php

sed -i -- 's/Configuration/Management/g' /usr/share/nethesis/NethServer/Module/Pki.php
sed -i -- 's/Configuration/Management/g' /usr/share/nethesis/NethServer/Module/Organisation.php
sed -i -- 's/Configuration/Management/g' /usr/share/nethesis/NethServer/Module/DateTime.php
sed -i -- 's/Configuration/Management/g' /usr/share/nethesis/NethServer/Module/BackupData.php

sed -i -- 's/Management/Configuration/g' /usr/share/nethesis/NethServer/Module/MailAccount.php
sed -i -- 's/Management/Configuration/g' /usr/share/nethesis/NethServer/Module/VirtualHosts.php

sed -i -- 's/Report/Management/g' /usr/share/nethesis/NethServer/Module/SambaAudit.php

sed -i -- 's/Status/Management/g' /usr/share/nethesis/NethServer/Module/OpenVPNStatus.php
sed -i -- 's/OpenVPNManagement/OpenVPNStatus/g' /usr/share/nethesis/NethServer/Module/OpenVPNStatus.php
sed -i -- 's/Report/Management/g' /usr/share/nethesis/NethServer/Module/CGP.php

Ignore errors; it could be that a file does not exist when you have not installed the module yet.
Optionally install your modules and then apply the above lines again.

Now make a copy of /usr/share/nethesis to a safe place; you must copy it back again after
every update since this setup is experimental at this stage!

Developers, please try it and let me know what you think of this. It can be a good start, and from this point
I think it is not difficult to create a menu on the root account to define the functions assigned to admins / users.
I'll work on this later…

When you login to the web interface as ‘root’ you’ll see all menu items.
Below the panel that you see when you login as admin.

Login as user and you will see:

This way the NethServer can be managed by a system operator from a datacenter (VPS works fine)
You can RENT it to a customer ( for example a small company ) and give their manager admin access.
The manager can create users, folders, groups and assign VPN access. a perfect setup !

4 Likes
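The procedure above changes the authorization policy by hand, and the thread notes that an update puts the stock files back. The following check, added here as an example and not part of the original post or of NethServer, reports when base.json no longer matches the customised setup. It assumes base.json is a JSON array of rule objects shaped like the one shown in the post; the `audit_policy` name and both sample policies are constructed for illustration.

```python
import json
import sys

# Resource string of the rule the post adds to base.json.
USER_DASHBOARD = r"NethServer\Module\UserDashboard:*"

# Constructed samples (assumed layout: a JSON array of rule objects).
# "Resource": "*" on rule 1 is a placeholder, not taken from the real file.
STOCK = r'''[
  {"Id": 1, "Effect": "ALLOW", "Action": "*", "Resource": "*",
   "Subject": ["root", "admin", ".groups HAS adm"]}
]'''
CUSTOMISED = r'''[
  {"Id": 1, "Effect": "ALLOW", "Action": "*", "Resource": "*",
   "Subject": ["root", ".groups HAS adm"]},
  {"Id": 9999999998, "Effect": "ALLOW", "Action": "*",
   "Subject": ".authenticated",
   "Resource": "NethServer\\Module\\UserDashboard:*"}
]'''


def subjects(rule):
    """Subject may be a single string or a list; always return a list."""
    value = rule.get("Subject", [])
    return [value] if isinstance(value, str) else list(value)


def audit_policy(text, restricted=("admin",)):
    """Return findings showing the policy has drifted from the customised setup."""
    rules = json.loads(text)
    findings, seen = [], set()
    for rule in rules:
        rule_id = rule.get("Id")
        if rule_id in seen:
            findings.append(f"duplicate rule Id {rule_id}")
        seen.add(rule_id)
        if rule.get("Effect") != "ALLOW":
            continue
        for name in restricted:
            if name in subjects(rule):
                findings.append(f"rule {rule_id}: '{name}' is an ALLOW subject")
    if not any(r.get("Effect") == "ALLOW" and r.get("Resource") == USER_DASHBOARD
               for r in rules):
        findings.append("UserDashboard ALLOW rule is missing")
    return findings


if __name__ == "__main__":
    # Usage: python3 audit_policy.py /path/to/base.json  (exit 1 on findings)
    with open(sys.argv[1], encoding="utf-8") as handle:
        problems = audit_policy(handle.read())
    print("\n".join(problems) or "policy matches the customised setup")
    sys.exit(1 if problems else 0)
```

Run after each package update, a non-zero exit means the admin account may have its stock access back and the saved copy of the folder has to be restored.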

I love that! Really! It’s a great piece of work!

Absolutely! Did you make some rpms? Or just some templates? Could you share more screenshots with us?

How many servers did you build? And how many servers are you managing now? Very curious.

That’s an interesting scenario. We never thought about NethServer in this way. Please share with us the process.
What a manager can and cannot do?

I just made modifications on a running development server, no rpms yet.
The plan is to work this out further to something nice; I need a bit more time so please be patient on this.

I have not exactly counted over the years but I built more than 50 SME Servers and I am still managing more than 30 of these at the moment; most of these are dedicated (at customers' company offices). I also manage about 3 Windows 2008 and 6 Windows 2012 servers for some companies. Most of these run on a VPS.

I have known about NethServer for just a few months now, and I really like it, first because it runs on CentOS and second because of the parallels with SME Server. After my first install of NethServer I fell in love with it. At this moment I have the following NethServers running:
1x Development Server
1x Test Server (VPS)
7x NethServer (VPS) managed for customers (they rent the VPS, management and support from me)

I plan to switch almost all of my SME Server customers to the cloud on NethServer. I would also like to put extra time into development (from 24 Aug '17); we got help from 3 students of the ROC Leiden (Application development study). They will be helping me for about 6 months, maybe they will join our community as well.

I would like to make NethServer a better product for VPS cloud rental, which means it must have different levels of administration. As I mentioned before, we just need 3 levels in the following way.

root: The owner / master manager of the server (you)
admin: The administrator at the office of your customer, he can add new employees etc…
user: The user level, they can change their password, round-cube access, next-cloud, etc…

I’ll try to make something nice, and of course Share with the community.

Greetings,
Bastiaan de Jonge
Xonline / Technorama LLP

1 Like

Sounds great! Yeah, ask them to join the community so we can work together.
You're doing a great job man, keep it up.

This is a short way to reach your goal
https://wiki.nethserver.org/doku.php?id=howto:useful_commands#allow_a_user_to_the_server-manager

Put your user…whatever you want in the 'managers' group and you are fine. Honestly I never liked that the 'root' administrator is called root. It is too easy to crack a password, mainly if you know the account name. So I would prefer to get several manager accounts but none with the easy-to-find name 'admin'.

The second remark I have concerns the user's right to see the dashboard. I saw no interest; if they come here, I bet it is to change the password, so why don't you display the password page?

1 Like

For everyone interested, I have updated the modifications about a separate root/admin dashboard.
You can find it above this post, more is about to come…

2 Likes