Per domain user subscription and admin role
-
Maybe the solution is just to make all apps only visible by their creator with "Only visible to the following users and groups" being the default option selected, until Groups & Users are added.
Then, it sounds like you could solve the multi-org issue just with your Groups naming convention, eg:
- org1-admins
- org2-admins
- org-1-websites
- org-2-websites
- org1-accounts
- org2-accounts
etc. Does that work for what you describe?
Web Design https://www.evergreen.je
Development https://brandlight.org
Life https://marcusquinn.com -
Maybe the solution is just to make all apps only visible by their creator with "Only visible to the following users and groups" being the default option selected, until Groups & Users are added.
Then, it sounds like you could solve the multi-org issue just with your Groups naming convention, eg:
- org1-admins
- org2-admins
- org-1-websites
- org-2-websites
- org1-accounts
- org2-accounts
etc. Does that work for what you describe?
@marcusquinn it does, I think, but it'd be a lot quicker/ easier if you could just say (instead of defining per app) x group has access to all apps on x domain, y group has access to all apps on y domain.
-
@girish Thanks for the reply and explanation Girish. I actually didn't imply I wanted a fully featured multi-organisation approach to Cloudron management, and even less if it implies major changes to Cloudron core design. I actually like that the current design is oriented to single user / organisation as it prevents centralisation.
The use case I had in mind was mainly for a single organisation that has several domains and a fluctuating users base of about 200. By default all users have access to all apps (unless you configure manually as I mentioned in the post).
The issue is that with users coming and going, you must make sure not to make mistakes with permissions and correctly isolate them from each domains by manually managing groups.
The other issues is that these users make regular requests to create email list, email accounts, adding or removing users. So it'd be handy to be able to give more people admin rights just for these particular aspects and restricted to a specific domain.I thought what I had described was not a fully featured multi domains function for cloudron, but "just" (says someone who doesn't code) some additional domain management capabilities that could be implemented with functions that already exist in cloudron (namely with User Groups and different role levels). But I can imagine that when it comes down to doing, it becomes more complicated.
@avatar1024 also as @marcusquinn suggested, I don't see why assigning new users to domains vs assigning them to groups is in any way more error prone. The only difference is that apps installed have to be setup with the correct groups.
-
@avatar1024 also as @marcusquinn suggested, I don't see why assigning new users to domains vs assigning them to groups is in any way more error prone. The only difference is that apps installed have to be setup with the correct groups.
@nebulon for me it isn't about error proneness, it's simply a matter of being able to quickly and easily create and apply domain-based groups.
i.e. right now it is perfectly possible to a create a group and call it somedomain.com and then to manually limit any app on that domain to that group, it just takes lots of steps.
I'd be great (i.e. much quicker and easier) to be able to just say "limited all apps on x domain to x group".
-
-
I can see the benefit, but honestly I think it is quite the edge case especially since it is already possible just not as convenient. I doubt we will add this any time soon, there are lots more important features to work on at the moment
@nebulon fair enough. I imagine quite a few people would find this useful, but could be totally wrong and agree there are more important features to be worked on. Really looking forward to the 6.0 release! Volumes etc sound really great!
-
@nebulon fair enough. I imagine quite a few people would find this useful, but could be totally wrong and agree there are more important features to be worked on. Really looking forward to the 6.0 release! Volumes etc sound really great!
@jdaviescoates Yep, this would be really useful. I have some friends who want to host their website on my site but I don't want to give them full admin roles.
-
@jdaviescoates Yep, this would be really useful. I have some friends who want to host their website on my site but I don't want to give them full admin roles.
@cyberfreakde you can already do it using the existing groups and roles, you just have to remember to do it for each app
-
@jdaviescoates Yep, this would be really useful. I have some friends who want to host their website on my site but I don't want to give them full admin roles.
@cyberfreakde Right, as @jdaviescoates set, just create a "website" group with just the users and then set the group as the permission in the app's Access control view. The important thing to remember is that the "default" Access is accessible to all. So you have to go into each app and make sure it's not accessible to all. Another thing is that Cloudron "admin" always has access to all apps.
-
@cyberfreakde Right, as @jdaviescoates set, just create a "website" group with just the users and then set the group as the permission in the app's Access control view. The important thing to remember is that the "default" Access is accessible to all. So you have to go into each app and make sure it's not accessible to all. Another thing is that Cloudron "admin" always has access to all apps.
-
@girish How can I give them access to ftp without them being admin? Is it possible?
@cyberfreakde Yes, in Cloudron 6, there is an option - https://docs.cloudron.io/apps/#non-admin-access . The SFTP access info is not displayed for normal users currently (which can be considered a bug). But they should be able to login with
username@app.domain.comand their cloudron password (sftp port 222). -
@cyberfreakde Yes, in Cloudron 6, there is an option - https://docs.cloudron.io/apps/#non-admin-access . The SFTP access info is not displayed for normal users currently (which can be considered a bug). But they should be able to login with
username@app.domain.comand their cloudron password (sftp port 222).@girish Wow, Thanks! This is perfect. Somehow flew over it while reading the docs.
-
@cyberfreakde you can already do it using the existing groups and roles, you just have to remember to do it for each app
@jdaviescoates @cyberfreakde
you can also set up a WP instance with all the groups configured as you need them, then just clone it for new sites and drop in users as needed. Config once, clone many. -
@jdaviescoates @cyberfreakde
you can also set up a WP instance with all the groups configured as you need them, then just clone it for new sites and drop in users as needed. Config once, clone many.@robi My friend wrote his own website so I have to use LAMP.
-
@jdaviescoates @cyberfreakde
you can also set up a WP instance with all the groups configured as you need them, then just clone it for new sites and drop in users as needed. Config once, clone many. -
@robi thanks, but I can't really imagine when I'd want/ need loads of different WP sites with the same groups. The issue here it to be able to quickly add the same group to lots of different apps.
@jdaviescoates Yeah, for that we need a group dropdown to select all the different apps.
-
@jdaviescoates Yeah, for that we need a group dropdown to select all the different apps.
I'm not sure why this has been marked as solved. Aside from all the groups stuff I'd still really like to be able to make people admins for a specific domain.
Like, right now I'm working with @thetomester13 on selfhost.cloud stuff and whilst I've created a related group and given him access to relevant apps, I can't add him as an admin because then he'd have access to all my other stuff too.
But it'd be really handy if he were an admin for all selfhost.cloud stuff so he doesn't have to ask me to restart apps, increase memory for apps etc etc.
-
I'm not sure why this has been marked as solved. Aside from all the groups stuff I'd still really like to be able to make people admins for a specific domain.
Like, right now I'm working with @thetomester13 on selfhost.cloud stuff and whilst I've created a related group and given him access to relevant apps, I can't add him as an admin because then he'd have access to all my other stuff too.
But it'd be really handy if he were an admin for all selfhost.cloud stuff so he doesn't have to ask me to restart apps, increase memory for apps etc etc.
@jdaviescoates Maybe group admins would be easier to do.
-
@jdaviescoates Maybe group admins would be easier to do.
I've asked for that a few times over the years: I would image a group-admin role for a user (who can have one or multiple domains). That group-admin can do all the stuff a regular admin can do, but only for the domains they're assigned to.
A second request was something like a user/app limit per domain (set by the superadmin), so that the group-admin and/or group-manager couldn't add more than 5/10/xx people/apps, so they don't trash the place and keep their resources in check.
This scenario would be for bigger servers that host multiple tenants which shouldn't see the stuff of the other users but can still operate independently.
