

<pre>
__CrushFTP-specific terms used in this wiki, and related:__
;Groups: a logical way to organize user accounts, our term for an Organizational Unit equivalent. There is a separate __[wiki|Groups]__ on this
;Inheritance: a way to automatically apply user settings from one user to another. The term roots in object oriented programming. There is a separate __[wiki|Inheritance]__ on this
;Group Template account: inheritance parent or archtype account, that parents inheritance for a group of user accounts
;VFS Linking: loosely related to inheritance, a pointer to a VFS directory of another user account, there is a separate __[wiki|VFS]__ on this\\
----
\\
An administrator can can delegate administration allowing a limited administrator to create and manage users in their group, and assign folders that they themselves have access to. We'd call this administrator a __Restricted Admin__ account.\\
\\
First need to create a user __[Group|Groups]__ with the corresponding __Group Template__ account. This latter is to be assigned some top level __VFS__ directory under which the group member users will have their own working directories later on. The same VFS is to be granted to the Restricted Admin, these two settings together will confine both the admin and the group members under that directory, with no escalation possible.\\
\\
Then grant the admin on the __Setup Roles__ panel the __Remote User Only Administration (Limited)__ role permission, the __group name__ to administer, and eventually restrict the admin roles even further on the __Setup Permissions ( limited admin only)__ panel.\\ 
\\
%%tabbedSection 
%%tab-SetupRoles
tab [{Image src='admin_restricted_base.jpg' width='1440' height='..' align='left|center|right' style='..' class='..' }]
/%
%%tab-Groups
tab content 2
/%
%%tab-Permissions
tab content 2
/%
/%

\\
The user manager will only contain a list of users who are part of a group that matches their username exactly. So if test2 is a limited admin, there must be a group named &quot;test2&quot;. The test2 group should not have test2 as a member, or else test2 can edit himself.
At line 9 removed 6 lines
So if test3 is a limited admin, there must be a group named &quot;sub_admin&quot; in my example. The sub_admin group should not have test3 as a member, or else test3 can edit themselves.
There must also be a user named &quot;sub_admin&quot; which has a [VFS] with the folders you want the admin to be able to work with.
[attachments|limited_group.png]
At line 19 changed one line
2.) If the home folders being specified are not a sub folder of the home directory that the group user can access, the change is rejected.
2.) If the home folders being specified are not a sub folder of the home directory that the admin can access, the change is rejected.
At line 23 changed 8 lines
4.) Other admin escalation permissions are denied too.
These are done to enforce security and prevent privilege escalation. Any attempted violation of these is logged in the server log for audit purposes.
----
Finally the view from a limited admin when they login.
[attachments|limited_view.png]
These are done to enforce security and prevent privilege escalation.

</pre>