Control Access plugin

Fernando Gietz

Hi FOGers!!
I need to develop a control access plugin and, although I have more or less the things clear in my head, I would like share my minds with you. I accept suggestions, corrections, …

Feature:

• Control the access to the icons, menus and submenus in the the webUI by rol.
• Limit the searches and access to the resources (snapin, hosts, groups, tasks and images) of one or more locations.

Necessities:

• Create a new rol: restricted user

This plugin has two levels of control:

• Visual: Limit the access to the menus and submenus by rol user. The admin rol can access to all menus and submenus of the webUI and the restricted user only can access to the some menus and submenus (for example: Home, Hosts, Groups, Images, snapin, printer, tasks and logoff)
• Searches: Limit the range of the search to the resources of one or more locations. The restricted user only can see the hosts, groups, images that are link or associated to his/her location/locations.

This last level have a dependency with Location plugin.

Dependencies:

• Location plugin

Well, hereinafter I accept suggestions, ideas …

Christmas List:

• Imaging techs assigned to Location A, may not touch or deploy any target host at Location B. Possibly read only access to Location B’s host records might be interesting.
• Create different roles
• Create different access rules

george1421

I think this access control plugin is surely needed for an enterprise environment.

These are just ideas.
From an enterprise level I need to assign imaging techs (people) to a single location, a group of locations, or all locations (super admin).

Within that location(s) the imaging tech may image machines or deploy snapins. There could be a time where I might want to restrict an imaging tech to only be able to deploy applications and/or image a computer. If you are going to that detail then you might plan for allowing one or the other or both.

Imaging techs assigned to Location A, may not touch or deploy any target host at Location B. Possibly read only access to Location B’s host records might be interesting.

Imaging Techs may not alter any FOG System settings. FOG Admins may be allowed to alter FOG system settings. It may be useful to restrict certain FOG admins to certain sections of the FOG settings. Like host admin, but not storage admin, or group admin.

As it stands today the LDAP Plugin supports 2 levels of users Admin, and mobile. Within those 2 groups the FOG ACLs can set more detailed controls on access, using a key and lock concept of access. A user can have many keys but those keys can only unlock one specific class of lock.

Fernando Gietz

@george1421 Yes, the idea is more or less that you say

I will update the initial post to add one Christmas List I don’t know if I will can develop all of them but is important see the different necessities of the people and ideas.

We have been thinking about the different roles of the users. It would be very interesting the possibility of define different roles and each rol with different rules.

For example:
we have the users table in the database, actually this table only define two roles or levels (the uType field {0,1}). With this we can separate the admin users from mobile users.
I don’t want to change this, then from the plugin you could create different roles (admin rol, restrincted user rol, others …) in a new table and rules of access. I am dreaminggg!!! XD

Well, I don’t know if is possible to know the structure of the webUI, the main menu icon, submenus … Is possible?

Fernando Gietz

Hi FOGers!!

I attach some captures of this new plugin

When we list all users, appears the role that they have linked.

We can link a role to one user from user edit page.

In the accesscontrol page we can list, edit and add new roles

And create, list and edit rules

Editing a rule …

Wayne Workman

@Fernando-Gietz Great job. Does this hide elements or prevent them from being rendered, or do they really not have access to those things? A curl of the missing button would not work?

Fernando Gietz

Thanks Wayne!!
Actually I am having problems with the edit rule option and the logic is not developed yet, but the initial idea is not render the elements.

Fernando Gietz

Good news!!!
I finished the beta version of Access Control Plugin.

When you install the plugin, the installation will create two default roles: Administrator and Technician.

The installation process will create a big number of default rules (38).

Actually the rules have two types: MAIN_MENU and SUB_MENULINK. The first ones are the top tool bar icons, and the second ones are the lateral menus. In the second case, sub_menulink, if you don’t define the node value, the rule will apply to all pages (nodes). If you define the node, the rule will apply only to this node.

From this page you can link a multiple rules to one role.
And, finally, the installation process will associate the Administrator role to fog user.

From the principal Access Control plugin page you can see the role list, add new role, list all rule and add new rule. In the role menu you can edit it, delete it, see the membership and see the rule that are associated to this role.

Membership page:

Rule association:

In these last images we can see that the “user5” has the Technician role and this role have 7 rule associated (5 main menu and 2 sub_menulink)

In this screenshot you can see the rules that are being applied for “user5”:

And in this one you can see that the sub_menulink rules (in the image page doesn’t appear the multicast and the list option) in action:

Wayne Workman

@Fernando-Gietz Amazing work. Even if this only hides the elements and isn’t truly secure - this will put guardrails around accounts and allow Administrators to give access to lower tier employees. You’ve done great work here using what you had to work with.

If we could integrate an optional MFA plugin (utilizing Google Authenticator) to protect the gates, this would be more safe. Because even if a lower tier employee has bad password habits & their credentials are compromised, MFA should prevent their FOG account from being compromised.

Tom Elliott

@Wayne-Workman It hides the work, meaning the data isn’t even available to ‘enact’ upon. The element purely doesn’t display, so you can’t do anything with it.

There could be ways around it of course, but that would always be the case.

Tom Elliott

Added the plugin to the plugins in the working branch.

falko

This is great, thanks

How can I hide the plugin Pushbullet Management?

Fernando Gietz

It is easy
AccessControl Plugin -> add new rule

Rule Type: MAIN_MENU
Parent: main
Node: (empty)
Rule Value: pushbullet

After do this, you need associate this rule to the role.

falko

@Fernando-Gietz said in Control Access plugin:

pushbullet

thanks for this, however when I try to click the ‘Add Rule’ button the page refreshes and goes to the fog dashboard page. And when I look at the rules it did not get added. any ideas?

I am on 1.4.0 RC5

Fernando Gietz

Hi falco,

sorry for my late answer, I don’t see this message until now.

With the new version of FOG 1.4.0-RC-12 I don’t have problems when I add a new rule.

Fernando Gietz

Well , I find a little bug XD in the plugin. I have fixed it and in the new version will be fixed.

BUG: When you try to install the plugin, the install process give an error and the installation doesn’t finish.

Status: Bug fixed

falko

@Fernando-Gietz just got around to checking this, and yes all working with 1.4.0-RC-14

gjo

@fernando-gietz Hello,

I would like to know about the “Searches: Limit the range of the search to the resources of one or more locations. The restricted user only can see the hosts, groups, images that are link or associated to his/her location/locations.”

How is it possible to do it? In the Location plugin, we can only put informations about Storage.