RBAC functionality
-
It would be great if we had some sort of RBAC functionality built into fog, it doesn’t need to be anything complex. My use case is that I have central office IT staff that will have full access to fog, but I have computer technicians at schools that I only want to be able to image computers and not to have access to the web interface. Can this be done?
-
@The-Dealman Do you mean image machines directly from the PXE boot menu?
Have you had a look at the accesscontrol plugin yet?
-
@Sebastian-Roth Nope. I didn’t know one existed, where is this located?
-
@The-Dealman Enable the FOG Plugin system in web UI -> FOG Configuration -> FOG Settings -> Plugins -> Enable the plugin system. Then in the plugins area (new icon in the top menu after reloading the page) enable and install the accesscontrol plugin. If you search the forums, you can find a couple of examples of its usage.
As you have not answered my first question I am not exactly sure if this will match your needs. But give it a try, doesn’t hurt.
Which version of FOG do you use?
-
@Sebastian-Roth I’m using 1.5.5 of FOG on all servers.
-
@Sebastian-Roth I was able to locate this but it’s kinda hard to tell where you are when you drill down into the role and you want to modify rules. Once I jump into the rules I can’t tell if I’m looking at the rules for just the role I created or if it’s all the default rules for all the roles, it feels like there should be some sort of breadcrumb trail on the UI to indicate where you are at the time. Also I deleted the printers from the access control rules main menu as a test and it still shows up at the top menu bar, we are supposed to delete the access control rules we don’t want to show up, right?
-
@Fernando-Gietz would be the one to ask. He knows the plugin best!
-
@The-Dealman said in RBAC functionality:
It would be great if we had some sort of RBAC functionality built into fog, it doesn’t need to be anything complex. My use case is that I have central office IT staff that will have full access to fog, but I have computer technicians at schools that I only want to be able to image computers and not to have access to the web interface. Can this be done?
The AccessControl plugin limits the access to the icons in the WebUI. With this plugin you can define which icons you want to see in the menu bar and submenus.
You can define roles and rules:
- The roles are groups of persons; it is a 1:N relationship. One role can have N persons, but one person can be in only one role.
- The rules define the restrictions: which icons and submenus are not shown by the webui. The rules are assigned to the roles, and one rule can be assigned to one or more roles, and vice versa.
With this, you can limit the access of the technicians to, for example, dashboard (is mandatory, if you add this rule the webui crashes), hosts, groups, images, snapin, tasks and logout. The technicians don’t have access to the FOG configuration menus or storage nodes.
If you use this AccessControl Plugin with the Site plugin, you can restrict the access to the computers. With the Site plugin you can assign computers to one Site and assign users to one site or sites; in this way the plugin creates a relationship User -> Site -> Computer. From the User tab you can restrict the access of one user to only the computers that are in his/her site or sites.
-
@The-Dealman said in RBAC functionality:
@Sebastian-Roth I was able to locate this but it’s kinda hard to tell where you are when you drill down into the role and you want to modify rules. Once I jump into the rules I can’t tell if I’m looking at the rules for just the role I created or if it’s all the default rules for all the roles, it feels like there should be some sort of breadcrumb trail on the UI to indicate where you are at the time. Also I deleted the printers from the access control rules main menu as a test and it still shows up at the top menu bar, we are supposed to delete the access control rules we don’t want to show up, right?
This occurs sometimes XD. The problem in this case, I think but I am not very sure, is the order in which the events run. One event “paints” the icon and another one “erases” it. The AccessControl plugin “erases” icons, but if the “erase” event happens before the “paint” event, the icon appears in the webui XD. Try to add another rule and the icon will probably disappear.
-
@Fernando-Gietz Okay, I’ll give it a try and report back once I get to the office today.
-
@Fernando-Gietz Okay, I got it working. You guys are awesome, keep it up!