Feature Request: Right to administrate users #1034

Closed
Cycl0pe opened this issue Apr 4, 2018 · 11 comments

Comments

@Cycl0pe

Cycl0pe commented Apr 4, 2018

Thanks for reaching out! We're happy to help resolve issues as quickly as possible.

What version of Gophish are you using?: V 0.5.0

Brief description of the feature: I don't think you can do it on this version but it will be nice to manage all the accounts created on the platform. The administrator will be able to delete users, manage access to some templates or groups for example. So the platform can be used by multiple persons.

Thanks a lot again for this amazing tool!

Cycl0pe

@Cycl0pe Cycl0pe changed the title Right to administrate users Feature request: Right to administrate users Apr 5, 2018
@Cycl0pe Cycl0pe changed the title Feature request: Right to administrate users Feature Request: Right to administrate users Apr 5, 2018
@jordan-wright
Collaborator

Hi @Cycl0pe - thanks for reaching out! I'm afraid that things like template sharing and other RBAC features aren't planned in Gophish right now. It's possible that we might add the ability to manage users later, but I'm afraid it isn't too high on the priority list since it's a huge change to the Gophish architecture. I'll keep this open for a bit until I get a chance to think more about this, but I'm afraid it will definitely be a while before we can get around to trying to tackle this.

Thanks again for taking the time to reach out with your suggestion!

@brokenvhs

What about the ability to just create another Administrative user without full on RBAC? Right now, we're planning on sharing the single built in admin account so that among us we can see all of the campaigns. This works, but it would be nice to be able to let people use different accounts.

@S0larflare
Collaborator

First, love the username.

Do you mean separate accounts which can see templates etc from a different user? If so, I don’t think it would be a difficult change (and it’s something I’d like to look in to when I get a chance but have been pretty snowed under) but it would take a while to do as I believe there are checks for it all over. If all you’re after is unique accounts for people without sharing assets and results, that’s already available.

@brokenvhs

Separate accounts that can see templates, campaigns, etc from other users. I'm not so interested in limiting what a user can do, just that they can see all of the campaigns, templates, etc we're working on/launching, and review the results.

@S0larflare
Collaborator

So just to clarify what I meant, in my quick look, changing this would involve at least a small change to the database to give roles to users, say 3 levels: read only, full control, full control + admin of other users. But then this might need to be more granular still, so it would need thinking about and planning. Then there would need to be logic to run different database queries based upon the user's rights level; as a first pass that would include these ones:

https://github.com/gophish/gophish/search?utf8=%E2%9C%93&q=uid&type=

and some of these:

https://github.com/gophish/gophish/search?utf8=%E2%9C%93&q=user_id&type=

(the context ones for the api at the very least).

Then realistically, you'd want to change things so that at the very least it is visible who owns which template, sending profile, campaign etc. (all that info is available, but that would be a bit of a UI change at least). Then you'd probably want a bit of an audit log, as someone else could end up deleting my campaign or template, on purpose or by accident, and I may want to know who did that and when, so that would need creating. What about the facility to undo things? If someone can mistakenly delete a template that I spent 2 days on because it has a similar name to something they just created for a test, would I be happy with an "oops, my bad!", or would I want to be able to undo it? If I do it myself, then it is my own stupid fault for not checking, but if others have the ability to do it to my content, it becomes more of a failing of the tool if it can't be undone. So that would need creating - does deleting just become a flag on the database? When is it permanently deleted?

So although some of the changes would be relatively easy, it brings a lot of challenges and complete reworking of some core inner workings of GoPhish, which is why it would be a pretty massive job, in my opinion.

@jordan-wright
Collaborator

@S0larflare is (as always 😄) 100% correct here. It's not at all that this wouldn't be a good idea. Quite the opposite - RBAC is always a nice feature to have.

Unfortunately, it's one of those things that's really hard to retrofit after the fact since we have to apply it across every endpoint, add testing, etc.

I'm not saying that we won't pursue this, but with the development time required I can't see us being able to get to it anytime soon ☹️ Sorry for the inconvenience!

@jordan-wright
Collaborator

Going ahead and tagging in @wjwoodson since he's indicated interest in looking at RBAC. It might be worth using this issue to discuss what we might like to see in a (preferably very simple 😄) RBAC system.

@MarkJaroski

Hi all, for what it's worth you could simulate a degree of RBAC if SAML authentication were implemented. Basically how it would work is this: on the IdP you limit the users to a certain group or role or whatever, and then for all of the users with that role you have the IdP send the same username, that of the goPhish service account.

@Cycl0pe
Author

Cycl0pe commented Jan 21, 2019

@MarkJaroski, you can talk about it in here #1333

@jordan-wright
Collaborator

Closing this since I've added a first pass at a users API in 84096b8. This API allows users with the ModifySystem permission (admin users) manage user accounts on Gophish.

@dan9126

dan9126 commented Jun 17, 2020

I was referred here when I went to ask for a feature to add permissions for users to see each other's campaigns, so I hope I am in the right place. I just want to "upvote" the idea of allowing non-admin viewers to see dashboards, and campaign results. Thanks very much for this excellent tool.
