Cockpit delegation UI
Delegate access to specific panels to selected users.
https://github.com/NethServer/nethserver-cockpit/pull/49
https://github.com/NethServer/nethserver-cockpit/pull/48
https://github.com/NethServer/nethserver-cockpit/pull/47
https://github.com/NethServer/nethserver-cockpit/pull/38
Each system group can have a delegation profile which describes which pages can be accessed by the users inside the group. The configuration is accessible from the group modification form inside the "Users" page, under the "System" section.
Only the root user can configure the profiles.
For each group the root user can select:
- zero, one or more pages under the "System" section
- zero, one or more installed applications
Special admin group
The group listed inside `config getprop admins group` must have access to all pages.
This group has only one limitation: it can't edit delegation profiles.
- When the system uses a remote Account Provider, the group page is accessible only in read-only mode, so there is no way to configure the delegation profiles
`config getprop admins group` must not display any select box because it's not editable. The groups should list all granted pages.
The main menu should be changed according to the user's delegation profile, but this is quite hard to implement.
- create a manifest override for each user: every time there is a change in a group, the system should loop over each user's home directory and change the menu according to the profile
- do not hide main menu items, the user can access all listed pages but the page should display a "Permission denied" error if the user doesn't have the delegation for the page
Access to the "System" section can be selectively granted to a group. Example: members of group 'backuppers' can have access to the "Backup" page but not to the "Certificates" one.
An admin user, when accessing the "Settings" page, has access only to the "Change password" form. The user should have access to all available settings
Access to an application can be granted for the full application. Example: members of group 'firewallers' can have access to the whole firewall application and can't be limited to specific pages like port forwards.
Applications which use multi-level APIs (e.g. `/usr/libexec/nethserver/api/nethserver-firewall-base/objects`) are not accessible by delegated users.
Possible fix inside
Cmnd_Alias DOMAINADMINS = /usr/libexec/nethserver/api/*/*/*
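Why the alias above needs a third `*`: in the path part of a sudoers command, wildcards do not match `/`, so a pattern only covers paths of its own depth. The Python sketch below is an added example, not code from nethserver-cockpit; it models that rule in simplified form to audit which API helper paths a set of alias patterns covers. The two-level pattern, the helper names `read` and `update`, and `example-app` are assumptions.

```python
from fnmatch import fnmatchcase

API_ROOT = "/usr/libexec/nethserver/api"


def sudoers_path_match(pattern, path):
    """Simplified model of sudoers command-path matching.

    Wildcards in the path part never match '/', so pattern and path
    must have the same number of components. Command-line arguments
    (where wildcards do cross '/') are not modelled here.
    """
    p_parts = pattern.split("/")
    c_parts = path.split("/")
    if len(p_parts) != len(c_parts):
        return False
    return all(fnmatchcase(c, p) for p, c in zip(p_parts, c_parts))


def coverage(patterns, helper_paths):
    """Map each helper path to the alias patterns that allow it."""
    return {path: [p for p in patterns if sudoers_path_match(p, path)]
            for path in helper_paths}


def uncovered(patterns, helper_paths):
    """Helper paths that no pattern allows, i.e. sudo would refuse them."""
    hits = coverage(patterns, helper_paths)
    return sorted(path for path, matched in hits.items() if not matched)


# Constructed sample layout: helper names are assumptions, only the
# nethserver-firewall-base/objects directory comes from the page.
SAMPLE_HELPERS = [
    API_ROOT + "/example-app/read",
    API_ROOT + "/nethserver-firewall-base/objects/read",
    API_ROOT + "/nethserver-firewall-base/objects/update",
]

TWO_LEVEL = API_ROOT + "/*/*"      # assumed shape of a single-level rule
THREE_LEVEL = API_ROOT + "/*/*/*"  # pattern from the possible fix above

if __name__ == "__main__":
    for path, allowed_by in coverage([TWO_LEVEL, THREE_LEVEL],
                                     SAMPLE_HELPERS).items():
        print(path, "->", allowed_by or "NOT COVERED")
```

Because the first `*` matches any application directory, an alias of this shape does not by itself separate one application's helpers from another's.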
- remove link on dashboard if the user doesn't have the permission
- remove the reboot button if the user doesn't have the permission (visible only to admins)
- In the application menu, when you are a user you want to see all applications of cockpit and the older application of nethgui