
List of attachments

Kind | Attachment Name | Size | Version | Date Modified | Author
jpg | admin_restricted_base.jpg | 523.6 kB | 1 | 17-Oct-2023 20:03 | Ada Csaba
jpg | admin_restricted_permissions.j... | 206.3 kB | 1 | 17-Oct-2023 20:03 | Ada Csaba
jpg | admin_restricted_roles.jpg | 338.8 kB | 1 | 17-Oct-2023 20:03 | Ada Csaba
jpg | admin_restricted_view.jpg | 176.4 kB | 1 | 17-Oct-2023 21:45 | Ada Csaba
png | limited_admin.png | 50.1 kB | 3 | 29-Dec-2020 05:25 | Ben Spink
png | limited_group.png | 45.5 kB | 1 | 29-Dec-2020 05:25 | Ben Spink
png | limited_view.png | 55.3 kB | 1 | 29-Dec-2020 05:25 | Ben Spink

This page (revision-40) was last changed on 18-Apr-2024 12:58 by Ada Csaba

This page was created on 29-Dec-2020 05:25 by Ben Spink


Difference between version and

At line 2 changed 2 lines
;Groups: a logical way to organize user accounts, our term for an Organizational Unit equivalent, there is a separate __[wiki|Groups]__ on this
;Inheritance: a way to automatically apply user settings from one user to another. The term roots in object oriented programming, there is a separate __[wiki|Inheritance]__ on this
;Groups: a logical way to organize user accounts, our term for an Organizational Unit equivalent. There is a separate __[wiki|Groups]__ on this
;Inheritance: a way to automatically apply user settings from one user to another. The term roots in object oriented programming. There is a separate __[wiki|Inheritance]__ on this
At line 5 changed one line
;VFS Linking: loosely related to inheritance, a pointer to a VFS directory of another user account, there is a separate __[wiki|VFS]__ on this
;VFS Linking: loosely related to inheritance, a pointer to a VFS directory of another user account, there is a separate __[wiki|VFS]__ on this\\
----
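Review bot: the only change in this hunk is the trailing `\\`, while the two comma splices in the sentence survive; split them the same way the Groups and Inheritance definitions were split in the hunk above, e.g. `;VFS Linking: loosely related to inheritance, a pointer to a VFS directory of another user account. There is a separate __[wiki|VFS]__ on this\\`.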
At line 7 changed one line
You can delegate administration allowing a limited administrator to create and manage users in their group, and assign folders that they themselves have access to. Both the administrator account and the related group member accounts will be confined to a specific top level VFS directory, with the admin having full access on the directory and grant subfolders underneath to group member accounts. Nor the admin or the users can escalate their directory access level beyond that, we call this the __Group Root__ directory.\\
An administrator can can delegate administration allowing a limited administrator to create and manage users in their group, and assign folders that they themselves have access to. We'd call this administrator a __Restricted Admin__ account.\\
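Review bot: doubled word in the new line, "An administrator can can delegate"; suggest "An administrator can delegate administration, allowing a limited administrator to create and manage users in their group and to assign folders that they themselves have access to. We call this administrator a __Restricted Admin__ account." The dropped sentence about the __Group Root__ directory was the only statement here that neither the admin nor the group members can escalate past the top-level VFS directory; make sure the replacement text elsewhere in this revision still states that confinement explicitly, since it is the property the whole feature rests on.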
At line 9 changed 2 lines
[{Image src='admin_restricted_base.jpg' width='1440' height='..' align='left|center|right' style='..' class='..' }]
First need to create a user __[Group|Groups]__ with the corresponding __Group Template__ account. This latter is to be assigned some top level __VFS__ directory under which the group member users will have their own working directories later on. The same VFS is to be granted to the Restricted Admin, these two settings together will confine both the admin and the group members under that directory, with no escalation possible.\\
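Review bot: "First need to create a user __[Group|Groups]__" has no subject; suggest "First, create a user __[Group|Groups]__ with the corresponding __Group Template__ account." The removed line was an Image plugin call with the plugin's documentation placeholders left in (`height='..'`, `align='left|center|right'`, `style='..'`, `class='..'`), which would not render correctly; removing it here is right, and the same placeholders still appear in Image calls later in this diff.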
At line 12 added one line
Then grant the admin on the __Setup Roles__ panel the __Remote User Only Administration (Limited)__ role permission, the __group name__ to administer, and eventually restrict the admin roles even further on the __Setup Permissions ( limited admin only)__ panel.\\
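Review bot: "eventually restrict the admin roles even further" reads as "at some later time", while the intended meaning is "optionally"; suggest "and, optionally, restrict the admin's permissions further on the __Setup Permissions (limited admin only)__ panel". That also removes the stray space inside the parentheses so the panel name matches the tab label used further down.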
At line 13 changed 22 lines
There are two different checkboxes. One for "Everything" and one for "Limited". If you enable the "Limited" checkbox, the user who logs in to do remote admin will only get the user manager interface.
The user manager will only contain a list of users who are part of a group that you granted this administrator access to.
So if test3 is a limited admin, there must be a group named "sub_admin" in my example. The sub_admin group should not have test3 as a member, or else test3 can edit themselves.
There must also be a user named "sub_admin" which has a [VFS] with the folders you want the admin to be able to work with.
[attachments|limited_group.png]
Security is enforced when the admin goes to save a change to a user. The server verifies any change the remote admin submits.
1.) If the user is not a member of the group, the change is rejected.
2.) If the home folders being specified are not a sub folder of the home directory that the group user can access, the change is rejected.
3.) If the change involves adding an event to a user that specifies a "plugin" action, the change is rejected.
4.) Other admin escalation permissions are denied too.
These are done to enforce security and prevent privilege escalation. Any attempted violation of these is logged in the server log for audit purposes.
%%tabbedSection
%%tab-Admin
tab [{Image src='admin_restricted_base.jpg' width='1440' height='..' align='left' style='..' class='..' }]
/%
%%tab-SetupRoles
[{Image src='admin_restricted_roles.jpg' width='..' height='640' align='left' style='..' class='..' }]
/%
%%tab-SetupPermissions(LimitedAdminOnly)
[{Image src='admin_restricted_permissions.jpg' width='..' height='640' align='left' style='..' class='..' }]
/%
/%
\\
In CrushFTP __v10__ we now support multiple groups for same admin. Each group has to have designated it's own Group Template account, and the VFS directories assigned to these need also to be granted to the Restricted Admin, or this latter to be pointed to an upper level directory.\\
\\
With the Restricted Admin scenario functional:\\
\\
1.) If the user is not a member of the group, the change is rejected.\\
2.) If the home folders being specified are not a sub folder of the home directory that the group user can access, the change is rejected.\\
3.) If the change involves adding an event to a user that specifies a "plugin" action, the change is rejected.\\
4.) Other admin escalation permissions are denied too.\\
These are done to enforce security and prevent privilege escalation. Any attempted violation of these is logged in the server log for audit purposes.\\
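Review bot: the Admin tab body opens with a stray word, `tab [{Image src='admin_restricted_base.jpg' ...`, which will render as literal text before the screenshot; drop it. Two further points in the same hunk: "it's own Group Template account" should be "its own", and the removed text explained that the four checks run on the server when the admin saves a change ("Security is enforced when the admin goes to save a change to a user. The server verifies any change the remote admin submits."), while the new list under "With the Restricted Admin scenario functional:" has lost that lead sentence and no longer says where or when the checks are enforced. Keep it: enforcement server-side at save time, rather than in the user manager UI, is the detail anyone assessing the feature needs, together with the note that violations are logged.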
At line 36 changed 3 lines
Finally the view from a limited admin when they login.
[attachments|limited_view.png]
Finally the view from a limited admin when they login. Please note the group selector in top-center area.\\
\\
[{Image src='admin_restricted_view.jpg' width='1440' height='..' align='left|center|right' style='..' class='..' }]
\\
These are done to enforce security and prevent privilege escalation.\\
\\
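Review bot: the Image call keeps the plugin's placeholder values (`height='..'`, `align='left|center|right'`, `style='..'`, `class='..'`); the other images in this revision use `align='left'` and omit the unused attributes, so this one should match. The closing line "These are done to enforce security and prevent privilege escalation." now follows a screenshot with no list in front of it, so "These" has no referent; it repeats the sentence that already closes the checklist above and can be dropped.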
Version | Date Modified | Size | Author
40 | 18-Apr-2024 12:58 | 3.253 kB | Ada Csaba
39 | 18-Apr-2024 12:57 | 3.257 kB | Ada Csaba
38 | 18-Apr-2024 12:57 | 3.245 kB | Ada Csaba
37 | 18-Apr-2024 12:56 | 3.245 kB | Ada Csaba
36 | 18-Apr-2024 12:55 | 3.237 kB | Ada Csaba
35 | 18-Apr-2024 12:54 | 3.235 kB | Ada Csaba
34 | 18-Apr-2024 12:53 | 3.241 kB | Ada Csaba
33 | 18-Apr-2024 12:51 | 3.241 kB | Ada Csaba
32 | 18-Apr-2024 12:51 | 3.245 kB | Ada Csaba
31 | 17-Oct-2023 21:47 | 3.253 kB | Ada Csaba
30 | 17-Oct-2023 21:47 | 3.255 kB | Ada Csaba
29 | 17-Oct-2023 21:46 | 3.255 kB | Ada Csaba
28 | 17-Oct-2023 21:43 | 3.184 kB | Ada Csaba
27 | 17-Oct-2023 21:42 | 3.103 kB | Ada Csaba
26 | 17-Oct-2023 21:32 | 3.395 kB | Ada Csaba
25 | 17-Oct-2023 21:28 | 3.192 kB | Ada Csaba
24 | 17-Oct-2023 21:27 | 3.086 kB | Ada Csaba
23 | 17-Oct-2023 21:25 | 2.952 kB | Ada Csaba
22 | 17-Oct-2023 21:21 | 2.674 kB | Ada Csaba
21 | 17-Oct-2023 21:19 | 2.611 kB | Ada Csaba