• Recent
    • Unsolved
    • Tags
    • Popular
    • Users
    • Groups
    • Search
    • Register
    • Login

    Control Access plugin

    Scheduled Pinned Locked Moved Solved
    General
    6
    17
    6.9k
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • F
      Fernando Gietz Developer
      last edited by Fernando Gietz

      Hi FOGers!!
      I need to develop a control access plugin and, although I have more or less the things clear in my head, I would like share my minds with you. I accept suggestions, corrections, …

      Feature:

      • Control the access to the icons, menus and submenus in the the webUI by rol.
      • Limit the searches and access to the resources (snapin, hosts, groups, tasks and images) of one or more locations.

      Necessities:

      • Create a new rol: restricted user

      This plugin has two levels of control:

      • Visual: Limit the access to the menus and submenus by rol user. The admin rol can access to all menus and submenus of the webUI and the restricted user only can access to the some menus and submenus (for example: Home, Hosts, Groups, Images, snapin, printer, tasks and logoff)
      • Searches: Limit the range of the search to the resources of one or more locations. The restricted user only can see the hosts, groups, images that are link or associated to his/her location/locations.

      This last level have a dependency with Location plugin.

      Dependencies:

      • Location plugin

      Well, hereinafter I accept suggestions, ideas …

      Christmas List:

      • Imaging techs assigned to Location A, may not touch or deploy any target host at Location B. Possibly read only access to Location B’s host records might be interesting.
      • Create different roles
      • Create different access rules
      G 1 Reply Last reply Reply Quote 2
      • george1421G
        george1421 Moderator
        last edited by

        I think this access control plugin is surely needed for an enterprise environment.

        These are just ideas.
        From an enterprise level I need to assign imaging techs (people) to a single location, a group of locations, or all locations (super admin).

        Within that location(s) the imaging tech may image machines or deploy snapins. There could be a time where I might want to restrict an imaging tech to only be able to deploy applications and/or image a computer. If you are going to that detail then you might plan for allowing one or the other or both.

        Imaging techs assigned to Location A, may not touch or deploy any target host at Location B. Possibly read only access to Location B’s host records might be interesting.

        Imaging Techs may not alter any FOG System settings. FOG Admins may be allowed to alter FOG system settings. It may be useful to restrict certain FOG admins to certain sections of the FOG settings. Like host admin, but not storage admin, or group admin.

        As it stands today the LDAP Plugin supports 2 levels of users Admin, and mobile. Within those 2 groups the FOG ACLs can set more detailed controls on access, using a key and lock concept of access. A user can have many keys but those keys can only unlock one specific class of lock.

        Please help us build the FOG community with everyone involved. It's not just about coding - way more we need people to test things, update documentation and most importantly work on uniting the community of people enjoying and working on FOG!

        F 1 Reply Last reply Reply Quote 2
        • F
          Fernando Gietz Developer @george1421
          last edited by

          @george1421 Yes, the idea is more or less that you say

          I will update the initial post to add one Christmas List 🙂 I don’t know if I will can develop all of them but is important see the different necessities of the people and ideas.

          We have been thinking about the different roles of the users. It would be very interesting the possibility of define different roles and each rol with different rules.

          For example:
          we have the users table in the database, actually this table only define two roles or levels (the uType field {0,1}). With this we can separate the admin users from mobile users.
          I don’t want to change this, then from the plugin you could create different roles (admin rol, restrincted user rol, others …) in a new table and rules of access. I am dreaminggg!!! XD

          Well, I don’t know if is possible to know the structure of the webUI, the main menu icon, submenus … Is possible?

          1 Reply Last reply Reply Quote 0
          • F
            Fernando Gietz Developer
            last edited by

            Hi FOGers!!

            I attach some captures of this new plugin

            0_1489590921379_accesscontrolplugin_allusers_2.png
            When we list all users, appears the role that they have linked.

            We can link a role to one user from user edit page.

            0_1489591033848_accesscontrolplugin_user_edit_page2.png

            In the accesscontrol page we can list, edit and add new roles
            0_1489591119361_accesscontrolplugin_ACpage_2.png

            And create, list and edit rules

            0_1489591200071_accesscontrolplugin_page_rulelist_2.png

            Editing a rule …

            0_1489591252858_accesscontrolplugin_editrule_2.png

            Wayne WorkmanW 1 Reply Last reply Reply Quote 2
            • Wayne WorkmanW
              Wayne Workman @Fernando Gietz
              last edited by

              @Fernando-Gietz Great job. Does this hide elements or prevent them from being rendered, or do they really not have access to those things? A curl of the missing button would not work?

              Please help us build the FOG community with everyone involved. It's not just about coding - way more we need people to test things, update documentation and most importantly work on uniting the community of people enjoying and working on FOG!
              Daily Clean Installation Results:
              https://fogtesting.fogproject.us/
              FOG Reporting:
              https://fog-external-reporting-results.fogproject.us/

              1 Reply Last reply Reply Quote 0
              • F
                Fernando Gietz Developer
                last edited by

                Thanks Wayne!!
                Actually I am having problems with the edit rule option and the logic is not developed yet, but the initial idea is not render the elements.

                1 Reply Last reply Reply Quote 0
                • F
                  Fernando Gietz Developer
                  last edited by Fernando Gietz

                  Good news!!!
                  I finished the beta version of Access Control Plugin.

                  When you install the plugin, the installation will create two default roles: Administrator and Technician.

                  0_1490348414613_ACP_CreatingDefaultRoles.png

                  The installation process will create a big number of default rules (38).

                  0_1490348501249_ACP_listDefaultRules.png

                  Actually the rules have two types: MAIN_MENU and SUB_MENULINK. The first ones are the top tool bar icons, and the second ones are the lateral menus. In the second case, sub_menulink, if you don’t define the node value, the rule will apply to all pages (nodes). If you define the node, the rule will apply only to this node.

                  From this page you can link a multiple rules to one role.
                  And, finally, the installation process will associate the Administrator role to fog user.

                  0_1490349004493_ACP_fogUserRole.png

                  From the principal Access Control plugin page you can see the role list, add new role, list all rule and add new rule. In the role menu you can edit it, delete it, see the membership and see the rule that are associated to this role.

                  Membership page:

                  0_1490349290065_ACP_roleMembership.png

                  Rule association:

                  0_1490349316684_ACP_ruleAssociation.png

                  In these last images we can see that the “user5” has the Technician role and this role have 7 rule associated (5 main menu and 2 sub_menulink)

                  In this screenshot you can see the rules that are being applied for “user5”:

                  0_1490349547911_ACP_mainRulesActive.png

                  And in this one you can see that the sub_menulink rules (in the image page doesn’t appear the multicast and the list option) in action:

                  0_1490349649707_ACP_subMenuRuleActive.png

                  Wayne WorkmanW 1 Reply Last reply Reply Quote 1
                  • Wayne WorkmanW
                    Wayne Workman @Fernando Gietz
                    last edited by Wayne Workman

                    @Fernando-Gietz Amazing work. Even if this only hides the elements and isn’t truly secure - this will put guardrails around accounts and allow Administrators to give access to lower tier employees. You’ve done great work here using what you had to work with.

                    If we could integrate an optional MFA plugin (utilizing Google Authenticator) to protect the gates, this would be more safe. Because even if a lower tier employee has bad password habits & their credentials are compromised, MFA should prevent their FOG account from being compromised.

                    Please help us build the FOG community with everyone involved. It's not just about coding - way more we need people to test things, update documentation and most importantly work on uniting the community of people enjoying and working on FOG!
                    Daily Clean Installation Results:
                    https://fogtesting.fogproject.us/
                    FOG Reporting:
                    https://fog-external-reporting-results.fogproject.us/

                    Tom ElliottT 1 Reply Last reply Reply Quote 0
                    • Tom ElliottT
                      Tom Elliott @Wayne Workman
                      last edited by

                      @Wayne-Workman It hides the work, meaning the data isn’t even available to ‘enact’ upon. The element purely doesn’t display, so you can’t do anything with it.

                      There could be ways around it of course, but that would always be the case.

                      Please help us build the FOG community with everyone involved. It's not just about coding - way more we need people to test things, update documentation and most importantly work on uniting the community of people enjoying and working on FOG! Get in contact with me (chat bubble in the top right corner) if you want to join in.

                      Web GUI issue? Please check apache error (debian/ubuntu: /var/log/apache2/error.log, centos/fedora/rhel: /var/log/httpd/error_log) and php-fpm log (/var/log/php*-fpm.log)

                      Please support FOG if you like it: https://wiki.fogproject.org/wiki/index.php/Support_FOG

                      1 Reply Last reply Reply Quote 0
                      • Tom ElliottT
                        Tom Elliott
                        last edited by

                        Added the plugin to the plugins in the working branch.

                        Please help us build the FOG community with everyone involved. It's not just about coding - way more we need people to test things, update documentation and most importantly work on uniting the community of people enjoying and working on FOG! Get in contact with me (chat bubble in the top right corner) if you want to join in.

                        Web GUI issue? Please check apache error (debian/ubuntu: /var/log/apache2/error.log, centos/fedora/rhel: /var/log/httpd/error_log) and php-fpm log (/var/log/php*-fpm.log)

                        Please support FOG if you like it: https://wiki.fogproject.org/wiki/index.php/Support_FOG

                        1 Reply Last reply Reply Quote 2
                        • falkoF
                          falko Moderator
                          last edited by falko

                          This is great, thanks

                          How can I hide the plugin Pushbullet Management?

                          1 Reply Last reply Reply Quote 0
                          • F
                            Fernando Gietz Developer
                            last edited by Fernando Gietz

                            It is easy 🙂
                            AccessControl Plugin -> add new rule

                            Rule Type: MAIN_MENU
                            Parent: main
                            Node: (empty)
                            Rule Value: pushbullet

                            After do this, you need associate this rule to the role.

                            falkoF 1 Reply Last reply Reply Quote 1
                            • falkoF
                              falko Moderator @Fernando Gietz
                              last edited by

                              @Fernando-Gietz said in Control Access plugin:

                              pushbullet

                              thanks for this, however when I try to click the ‘Add Rule’ button the page refreshes and goes to the fog dashboard page. And when I look at the rules it did not get added. any ideas?

                              I am on 1.4.0 RC5

                              1 Reply Last reply Reply Quote 0
                              • F
                                Fernando Gietz Developer
                                last edited by

                                Hi falco,

                                sorry for my late answer, I don’t see this message until now.

                                With the new version of FOG 1.4.0-RC-12 I don’t have problems when I add a new rule.

                                falkoF 1 Reply Last reply Reply Quote 1
                                • F
                                  Fernando Gietz Developer
                                  last edited by

                                  Well , I find a little bug XD in the plugin. I have fixed it and in the new version will be fixed.

                                  BUG: When you try to install the plugin, the install process give an error and the installation doesn’t finish.

                                  Status: Bug fixed

                                  1 Reply Last reply Reply Quote 0
                                  • falkoF
                                    falko Moderator @Fernando Gietz
                                    last edited by

                                    @Fernando-Gietz just got around to checking this, and yes all working with 1.4.0-RC-14

                                    1 Reply Last reply Reply Quote 3
                                    • G
                                      gjo @Fernando Gietz
                                      last edited by

                                      @fernando-gietz Hello,

                                      I would like to know about the “Searches: Limit the range of the search to the resources of one or more locations. The restricted user only can see the hosts, groups, images that are link or associated to his/her location/locations.”

                                      How is it possible to do it? In the Location plugin, we can only put informations about Storage.

                                      1 Reply Last reply Reply Quote 0
                                      • 1 / 1
                                      • First post
                                        Last post

                                      208

                                      Online

                                      12.0k

                                      Users

                                      17.3k

                                      Topics

                                      155.2k

                                      Posts
                                      Copyright © 2012-2024 FOG Project