Nethserver-delegation needs testers

  • Dashboard is not accessible as it is redirected to UserProfile (NethServer default behaviour for unprivileged users)
  • User Profile panel is always accessible

What’s the expected delegation precedence for users and nested groups?

1 Like

this is an historic Issue from core @davidep what we can do for this.

Maybe an userspace page?
A small page interface that contains links to services for this user:
-webmail/Integrated suite (even Cloud service)
-WebRTC Asterisk
-OpenVPN cert/config download
-PW page change
-delegated panel access
-whatever?

3 Likes

I’m thinking to add the sudo access delegation for groups and users(all rights and specific commands)

1 Like

good idea, maybe a bit beyond the topic of this module

The use case is User wants to change his password, by accessing the Server Manager.

If no URL path is provided, Nethgui redirects to Dashboard. This is quite hardcoded. Then Dashboard decides what to do. If User is an admin the Dashoboard is shown, otherwise a redirect to UserProfile is returned.

The FirstConfigWiz module has a Login override mechanism. We could take advantage of it for UserProfile, too. :thinking:

However, what is the goal? Why an unprivileged user wants to see the Dashboard?

1 Like

Good question, I’m not following the scenario outlined above

Diagnostic, status evaluation (system load or space management), access to specific services for troubleshooting (VPN, Print server), service and access management (mail quotas, user and shares management).

Actually you have two ways to share privileges in the server-manager

  • be in the administrators group -> full privilege
  • be in the managers group -> privilege only on the management section (I’m not sure that the dashboard is visible)

It is either too much, or really not enough :slight_smile:

Others are thinking like me, see

I have made separate root / admin / user panels (Working!)

If you manage servers for your customers you probably want to restrict permissions, except if you love to hurt yourself and fix a lot of issues because several incompetents have all rights. You probably need to let a full access to certain, and just few management and configuration sections for others.

This is just an example but if you want to delegate an access to the server-manager, the dashboard is just another resource that you might want to share with the granted users !

Actually, I made like a code challenge for me to delegate per panel, it is maybe a need for some usages, but also we could think to delegate per section, it is easy, fast, efficient.

what do you think @dnutan

with all my respect @davidep the fact that a user cannot see the dashboard because it is hardcoded, is an issue for me.

Agree with @pike and @stephdl.
One could want to delegate access to dashboard and stats to monitor server status/resources to a user without giving her full access or admin privilege.

A small businesses may not be able to afford having a sysadmin at full time but might have a smart jack-of-all-trades person who can handle tasks like creating shared folders, user/mail accounts, managing quotas, and monitor the system on a daily basis and let more complicated tasks or planned maintenance to an external sysadmin.

A soho businesses may have an IT department composed by people with different skills (sysadmin, programmer, web developer…) or/and different work-hours. Some could have the need to configure a reverse proxy but don’t need access to users, backups, et cetera.

These are fictional examples.

I like this idea of a central control panel for users.

1 Like

Tested delegation to users (not groups) on NethServer 7 and didn’t find any issue.
UserProfile and Login delegation checkboxes have no observable effect, but that’s ok.

2 Likes

@stephdl, @pike, @dnutan

Thank you very much for your explanations, really appreciated!

Let’s see if we can change the default permissions. My proposal is

  1. Retain default pages: administrators have Dashboard as splash page, unprivileged users have UserProfile page.
  2. Unprivileged users have access to pages under the “Status” category, Dashboard included.

Is it fine for you?

This is not an userspace page.
@davidep, if you are a mail server manager, would you like to bring to mailbox users data about the available space on the mail server? Or the runtime?
My answer is “no”. Default user should access only to pw update page.

Please, consider this hypotetical case.
50-100 workers firm, external workers (salesforce? Technicians? remote workers? who knows :smiley: ), HR department, an IT guy/gal resident for helpdesk and day-to-day tasks with no experience about server management or Information system deployment. And you are the Sysadmin of nethserver.

Which is deployed as MailServer, Content filtering, VPN endpoint, file server, printer server.
HR should have access to User management page, for add and disable users, change password.
IT guy should have access to Printer management, backup management, users permissions management, VPN status/management, status of the server (dashboard included).
Other users should access to PW page, Mail/cloud suite.
External user should access PW page, Mail/cloud suite, OpenVPN download section.

And it would be nice change dashboard access to the various sections of a delegated panels if a new entry comes to HR, IT or other department, enabling the specific section to access and to interact-to.

It’s quite a wish, probably not an easy-to-outcome feature, i know.

3 Likes

This feature (user’s page) exists with SME Server, I agree like @dnutan that it could be a new (collaborative I hope) work. Maybe a draft on the wiki or here could be started on what it is needed.

Yes

like @pike I tend to think that it is too much…probably I just would to delegate the Application (in Status section) by default…or eventually, following the need of the sysadmin…nothing granted by default but available if needed.

1 Like

I found a bug myself yesterday

with the two radio buttons (same db property but with two values : enabled/disabled) once validated you cannot remove all the delegation easily…you need to set a delegation per panel and uncheck all selected panels

Agree.

No access unless delegated.

Uncheck panels one by one, that’s what I did. I would prefer a (de)select all approach instead of two radio buttons, but don’t know if such control is available in the nethgui framework.

At the users/groups list there’s no indicator of delegation status (to quickly grasp whether the default policy, full delegation, or custom delegation has been assigned). You have to open each item to remember which ones had some delegation.

@sebastian implemented one by JS

4 Likes

super…is it possible to get it incorporated in nethgui with the ‘SELECTOR_MULTIPLE’.

For now I tested it, work nicely

2 Likes

@dnutan I kept your Idea

if the sudo textarea is empty then it is a full sudo access, else you need to write down each allowed bash command (a verification is done to see if the command is executable by ‘is_executable’, can be done also by file_exists)

In my opinion “Delegate all panels” and “Delegation per panel” columns are redundant (if “delegate all” is enabled the other cannot be, and the inverse case).

I wasn’t getting your point on keeping the “Delegate all panels” radio button. Now I realize it makes sense if someone wants to delegate all panels (*) including the ones installed by new modules (that are not listed at the time of assigning delegations). If this is desired we shall remember to document it once design and functionality is sorted out.

PS: Have not tested if this is the current behaviour.