How to block using impersonate?

[KB7777]

Hello.

is it possible to prevent using impersonate from Nextcloud admin accounts?
We have sysadmins with all rights (system, storage, Nextcloud, etc.) and apps admins with Nextcloud admins rights. The apps admins shouldn't see any of users files...

Regards.

[ManOki]

Could you clarify the situation: "the app admins shouldn't see any of users files". so then don't grant them permission to use impersonate, e.g. having two groups sysadmin+appadmin and only sysadmin is allowed to use impersonate?

or do you want to prevent sysadmins to impersonate as appadmins?

[blizzz]

@KB7777 with 1.0.4 you can configure group memberships (Admin → Additional settings). The people who should be able to impersonate must be groupadmins within (and can only impersonate users in that group). Perhaps that's already sufficient?

[aproposnix]

I think a user should be notified when an admin impersonates them. This app presents a trust issue with hosted Nextcloud instances.

What's the point of E2E encryption when an admin can just open your account and go through your files?

[rullzer]

@aproposnix with E2E it doesn't matter because you can't open the files on the server. In other words the admin can impersonate you but without your mnemonic key they still can't access your E2E files.

[KB7777]

Sorry for the delayed respons...

@ManOki @blizzz
I want to prevent appadmins to impersonate any of the user from Nextcloud, but appadmins has to get all rights to manage the Nextcloud instance from web app (not only access to manage the users, but manage settings, apps, etc.).

Regards.

[blizzz]

@KB7777 places all persons who are allowed to impersonate into one group and configure this as according to #41 (comment)

[KB7777]

@blizzz
But my appadmins have to be in "admin" group as well to manage all Nextcloud instance.
So they could impersonate any of the user.

[blizzz]

@KB7777 nope, iirc, you can confiugre an "impersonator" group and assign the people accordingly.

[KB7777]

@blizzz

This is not working :)
If I place my appadmins to "impersonator" group only they can't edit setting of Nextcloud instance.
Thay have to be in "admin" group to be the admin of all settings.

[blizzz]

@KB7777 they can be in both admins and impersonators, but you need to limit impersonating to the impersonators group

[KB7777]

But the user from "admins" group can change his group and add himself to "impersonator" group.

[blizzz]

true, that's a dilemma. but since they are admin anyway, they basically can do anything.

[KB7777]

Well, it's all about that -- How to block using impersonate? :)
Maybe option at config.php?

[blizzz]

don't bother for admins, they'll always find a way. If you don't trust them, take away the admin role.

[KB7777]

But the my appadmins can't access to the OS.

[blizzz]

@KB7777 they could write a malicious app, put it to the app store and install it. Would give them at least permissions of the web user.

[KB7777]

So, there is no point to restrict my appadmins group, because they could do anything in Nextcloud instance anyway? Hm...
Maybe information to the user if admin using impersonate app is not wrong idea.

[blizzz]

It's being logged in the nextcloud.log so far. User information could be interesting, though i guess there are pro and cons against that. You may open a feature request, though up front: i won't have resources to work on it any time soon.