Control Access plugin


  • Developer

    Hi FOGers!!
    I need to develop a control access plugin and, although I have things more or less clear in my head, I would like to share my thoughts with you. I accept suggestions, corrections, …

    Feature:

    • Control access to the icons, menus and submenus in the webUI by role.
    • Limit searches and access to the resources (snapins, hosts, groups, tasks and images) of one or more locations.

    Requirements:

    • Create a new role: restricted user

    This plugin has two levels of control:

    • Visual: Limit access to the menus and submenus by user role. The admin role can access all menus and submenus of the webUI, and the restricted user can only access some menus and submenus (for example: Home, Hosts, Groups, Images, Snapins, Printers, Tasks and Logoff).
    • Searches: Limit the scope of searches to the resources of one or more locations. The restricted user can only see the hosts, groups and images that are linked or associated to his/her location(s).

    This second level depends on the Location plugin.

    Dependencies:

    • Location plugin

    Well, from here on I accept suggestions, ideas …

    Christmas List:

    • Imaging techs assigned to Location A, may not touch or deploy any target host at Location B. Possibly read only access to Location B’s host records might be interesting.
    • Create different roles
    • Create different access rules

  • Moderator

    @Fernando-Gietz just got around to checking this, and yes all working with 1.4.0-RC-14


  • Developer

    Well, I found a little bug XD in the plugin. I have fixed it and it will be fixed in the new version.

    BUG: When you try to install the plugin, the install process gives an error and the installation doesn’t finish.

    Status: Bug fixed


  • Developer

    Hi falco,

    sorry for my late answer, I didn’t see this message until now.

    With the new version of FOG 1.4.0-RC-12 I don’t have problems when I add a new rule.


  • Moderator

    @Fernando-Gietz said in Control Access plugin:

    pushbullet

    thanks for this, however when I try to click the ‘Add Rule’ button the page refreshes and goes to the fog dashboard page. And when I look at the rules it did not get added. any ideas?

    I am on 1.4.0 RC5


  • Developer

    It is easy :)
    AccessControl Plugin -> add new rule

    Rule Type: MAIN_MENU
    Parent: main
    Node: (empty)
    Rule Value: pushbullet

    After doing this, you need to associate this rule with the role.


  • Moderator

    This is great, thanks

    How can I hide the plugin Pushbullet Management?


  • Senior Developer

    Added the plugin to the plugins in the working branch.


  • Senior Developer

    @Wayne-Workman It hides the work, meaning the data isn’t even available to ‘enact’ upon. The element purely doesn’t display, so you can’t do anything with it.

    There could be ways around it of course, but that would always be the case.


  • Moderator

    @Fernando-Gietz Amazing work. Even if this only hides the elements and isn’t truly secure - this will put guardrails around accounts and allow Administrators to give access to lower tier employees. You’ve done great work here using what you had to work with.

    If we could integrate an optional MFA plugin (utilizing Google Authenticator) to protect the gates, this would be more safe. Because even if a lower tier employee has bad password habits & their credentials are compromised, MFA should prevent their FOG account from being compromised.
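
The MFA suggestion above is the complement to the hiding discussion: a leaked password should not be enough to pass the webUI's gate. The following PHP is an added example of the TOTP check that Google Authenticator clients produce (RFC 6238 over RFC 4226 HOTP, HMAC-SHA1, 30-second steps, 6 digits); it is not part of FOG or of this plugin, and the per-user storage of the shared secret and of the last accepted step is assumed to exist elsewhere. The demo key is the RFC 4226/6238 test key, so the output can be checked against the RFC's own tables.

```php
<?php
declare(strict_types=1);

/** RFC 6238 TOTP: HOTP (RFC 4226) over the time-step counter, HMAC-SHA1, 6 digits. */
function totpCode(string $secret, int $unixTime, int $digits = 6, int $step = 30): string
{
    $counter = intdiv($unixTime, $step);
    // 8-byte big-endian counter; the high 32 bits are zero for any realistic time.
    $hmac = hash_hmac('sha1', pack('NN', 0, $counter), $secret, true);
    // Dynamic truncation (RFC 4226 section 5.3): 4 bytes at an offset taken from the last nibble.
    $offset = ord($hmac[19]) & 0x0f;
    $bin = ((ord($hmac[$offset]) & 0x7f) << 24)
         | (ord($hmac[$offset + 1]) << 16)
         | (ord($hmac[$offset + 2]) << 8)
         | ord($hmac[$offset + 3]);
    return str_pad((string) ($bin % (10 ** $digits)), $digits, '0', STR_PAD_LEFT);
}

/**
 * Verify a submitted code for one user. Accepts the current step and $window steps
 * either side (clock drift), compares in constant time, and rejects any step at or
 * before $lastUsedStep so a code captured in transit cannot be replayed while it is
 * still valid. Returns the step to persist as the new $lastUsedStep, or null on failure.
 * Per-user secret and last-used-step storage are assumed to exist elsewhere (not shown).
 */
function totpVerify(string $secret, string $submitted, int $unixTime, ?int $lastUsedStep, int $window = 1, int $step = 30): ?int
{
    if (preg_match('/^[0-9]{6}$/', $submitted) !== 1) {
        return null;
    }
    $current = intdiv($unixTime, $step);
    for ($delta = -$window; $delta <= $window; $delta++) {
        $candidate = $current + $delta;
        if (!hash_equals(totpCode($secret, $candidate * $step), $submitted)) {
            continue;
        }
        if ($lastUsedStep !== null && $candidate <= $lastUsedStep) {
            return null; // correct code, but already consumed: replay
        }
        return $candidate;
    }
    return null;
}

// Demo with the RFC 4226/6238 test key (constructed input, not a real user's secret).
$secret = '12345678901234567890';
$t      = 59;
$code   = totpCode($secret, $t);
echo "code at T=$t: $code\n";
$step   = totpVerify($secret, $code, $t, null);
echo "first use:  ", $step === null ? 'rejected' : "accepted, persist step $step", "\n";
$again  = totpVerify($secret, $code, $t + 5, $step);
echo "replay:     ", $again === null ? 'rejected' : 'accepted', "\n";
$wrong  = totpVerify($secret, '000000', $t, $step);
echo "wrong code: ", $wrong === null ? 'rejected' : 'accepted', "\n";
```

The verifier returns the accepted step rather than a boolean so the caller has something to persist; without that write-back, the same code stays valid for the whole window and the second factor can be replayed by anyone who saw it.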


  • Developer

    Good news!!!
    I finished the beta version of Access Control Plugin.

    When you install the plugin, the installation will create two default roles: Administrator and Technician.

    0_1490348414613_ACP_CreatingDefaultRoles.png

    The installation process will create a big number of default rules (38).

    0_1490348501249_ACP_listDefaultRules.png

    Currently the rules have two types: MAIN_MENU and SUB_MENULINK. The first ones are the top tool bar icons, and the second ones are the lateral menus. In the second case, sub_menulink, if you don’t define the node value, the rule will apply to all pages (nodes). If you define the node, the rule will apply only to that node.

    From this page you can link multiple rules to one role.
    And, finally, the installation process will associate the Administrator role with the fog user.

    0_1490349004493_ACP_fogUserRole.png

    From the main Access Control plugin page you can see the role list, add a new role, list all rules and add a new rule. In the role menu you can edit it, delete it, see the membership and see the rules that are associated with this role.

    Membership page:

    0_1490349290065_ACP_roleMembership.png

    Rule association:

    0_1490349316684_ACP_ruleAssociation.png

    In these last images we can see that “user5” has the Technician role and this role has 7 rules associated (5 main menu and 2 sub_menulink).

    In this screenshot you can see the rules that are being applied for “user5”:

    0_1490349547911_ACP_mainRulesActive.png

    And in this one you can see the sub_menulink rules in action (on the Images page the Multicast and List options don’t appear):

    0_1490349649707_ACP_subMenuRuleActive.png


  • Developer

    Thanks Wayne!!
    Currently I am having problems with the edit rule option and the logic is not developed yet, but the initial idea is to not render the elements.


  • Moderator

    @Fernando-Gietz Great job. Does this hide elements or prevent them from being rendered, or do they really not have access to those things? A curl of the missing button would not work?
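
The rule semantics described in the beta announcement (MAIN_MENU for top-bar icons, SUB_MENULINK for side-menu links, an empty node meaning every page) and the curl question above both come down to where the rules are evaluated. The following PHP is an added illustration, not the plugin's or FOG's own code: it models the rule table with constructed data (the field names type/parent/node/value, the node and sub names, the `?node=…&sub=…` request parameters and the users are all assumptions) and applies the same rule set twice, once to decide what to render and once as a server-side gate on the request, so that a link that was never rendered is also refused when fetched directly.

```php
<?php
declare(strict_types=1);

// Constructed rule table modelled on the thread's description (assumed field names).
// MAIN_MENU: 'value' names a top-bar icon (node); hiding it hides the whole node.
// SUB_MENULINK: 'value' names a side-menu link (sub); an empty 'node' applies on
// every page, a set 'node' only on that page. 'parent' is carried for display only.
$rules = [
    1 => ['type' => 'MAIN_MENU',    'parent' => 'main',  'node' => '',      'value' => 'pushbullet'],
    2 => ['type' => 'MAIN_MENU',    'parent' => 'main',  'node' => '',      'value' => 'storage'],
    3 => ['type' => 'SUB_MENULINK', 'parent' => 'image', 'node' => 'image', 'value' => 'multicast'],
    4 => ['type' => 'SUB_MENULINK', 'parent' => '',      'node' => '',      'value' => 'delete'],
];

// Role -> rule ids and user -> role, as on the plugin's Membership and Rule association pages.
$roleRules = ['Administrator' => [], 'Technician' => [1, 2, 3, 4]];
$userRole  = ['fog' => 'Administrator', 'user5' => 'Technician'];

/** Rules linked to a role; a role with no rules hides nothing. */
function rulesForRole(array $rules, array $roleRules, string $role): array
{
    $ids = $roleRules[$role] ?? [];
    return array_values(array_intersect_key($rules, array_flip($ids)));
}

/** Does one rule hide the given page ($node) / link ($sub, null when checking the top bar)? */
function ruleHides(array $rule, string $node, ?string $sub): bool
{
    switch ($rule['type']) {
        case 'MAIN_MENU':
            return $rule['value'] === $node;
        case 'SUB_MENULINK':
            $onThisPage = $rule['node'] === '' || $rule['node'] === $node;
            return $sub !== null && $onThisPage && $rule['value'] === $sub;
        default:
            // A rule that cannot be interpreted must not silently grant access.
            throw new InvalidArgumentException('unknown rule type ' . $rule['type']);
    }
}

function isHidden(array $active, string $node, ?string $sub): bool
{
    foreach ($active as $rule) {
        if (ruleHides($rule, $node, $sub)) {
            return true;
        }
    }
    return false;
}

/** What the renderer shows: top-bar icons and side-menu links not hidden by any active rule. */
function visibleMainMenu(array $active, array $nodes): array
{
    return array_values(array_filter($nodes, fn(string $n): bool => !isHidden($active, $n, null)));
}

function visibleSubMenu(array $active, string $node, array $subs): array
{
    return array_values(array_filter($subs, fn(string $s): bool => !isHidden($active, $node, $s)));
}

/**
 * Server-side gate, to run before dispatching any request: the same rules applied to
 * the request's node/sub. A direct ?node=image&sub=multicast is refused for user5 even
 * though the link was never rendered. Users without a role are denied (fail closed).
 */
function authorizeRequest(array $rules, array $roleRules, array $userRole, string $user, string $node, string $sub): bool
{
    $role = $userRole[$user] ?? null;
    if ($role === null || !array_key_exists($role, $roleRules)) {
        return false;
    }
    return !isHidden(rulesForRole($rules, $roleRules, $role), $node, $sub);
}

// Demo with the constructed data.
$nodes     = ['home', 'host', 'group', 'image', 'snapin', 'printer', 'task', 'storage', 'pushbullet', 'logout'];
$imageSubs = ['list', 'multicast', 'add', 'delete'];
$tech      = rulesForRole($rules, $roleRules, 'Technician');

print_r(visibleMainMenu($tech, $nodes));
print_r(visibleSubMenu($tech, 'image', $imageSubs));
foreach ([['user5', 'image', 'multicast'], ['user5', 'host', 'list'], ['user5', 'pushbullet', 'list'], ['nobody', 'home', 'list']] as [$u, $n, $s]) {
    printf("%-7s %-10s %-9s %s\n", $u, $n, $s, authorizeRequest($rules, $roleRules, $userRole, $u, $n, $s) ? 'allow' : 'deny');
}
```

The point of the second application is that the rendering code and the gate consult one rule table, so a rule added through the plugin's form cannot be satisfied by a hand-built URL or a curl of the hidden button; a deny-list of this kind is only as complete as the node and sub names it covers, which is why unknown users and uninterpretable rules are refused rather than passed through.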


  • Developer

    Hi FOGers!!

    I attach some screenshots of this new plugin.

    0_1489590921379_accesscontrolplugin_allusers_2.png
    When we list all users, the role linked to each of them appears.

    We can link a role to a user from the user edit page.

    0_1489591033848_accesscontrolplugin_user_edit_page2.png

    On the accesscontrol page we can list, edit and add new roles
    0_1489591119361_accesscontrolplugin_ACpage_2.png

    And create, list and edit rules

    0_1489591200071_accesscontrolplugin_page_rulelist_2.png

    Editing a rule …

    0_1489591252858_accesscontrolplugin_editrule_2.png


  • Developer

    @george1421 Yes, the idea is more or less what you say.

    I will update the initial post to add a Christmas List :) I don’t know if I will be able to develop all of them, but it is important to see people’s different needs and ideas.

    We have been thinking about the different roles of the users. The possibility of defining different roles, each role with different rules, would be very interesting.

    For example:
    we have the users table in the database; currently this table only defines two roles or levels (the uType field {0,1}). With this we can separate the admin users from the mobile users.
    I don’t want to change this, so from the plugin you could create different roles (admin role, restricted user role, others …) in a new table, plus access rules. I am dreaminggg!!! XD

    Well, I don’t know if it is possible to know the structure of the webUI: the main menu icons, submenus … Is it possible?


  • Moderator

    I think this access control plugin is surely needed for an enterprise environment.

    These are just ideas.
    From an enterprise level I need to assign imaging techs (people) to a single location, a group of locations, or all locations (super admin).

    Within that location(s) the imaging tech may image machines or deploy snapins. There could be a time where I might want to restrict an imaging tech to only be able to deploy applications and/or image a computer. If you are going to that detail then you might plan for allowing one or the other or both.

    Imaging techs assigned to Location A, may not touch or deploy any target host at Location B. Possibly read only access to Location B’s host records might be interesting.

    Imaging Techs may not alter any FOG System settings. FOG Admins may be allowed to alter FOG system settings. It may be useful to restrict certain FOG admins to certain sections of the FOG settings. Like host admin, but not storage admin, or group admin.

    As it stands today the LDAP Plugin supports 2 levels of users Admin, and mobile. Within those 2 groups the FOG ACLs can set more detailed controls on access, using a key and lock concept of access. A user can have many keys but those keys can only unlock one specific class of lock.

