Per domain user subscription and admin role
-
I'm not sure why this has been marked as solved. Aside from all the groups stuff I'd still really like to be able to make people admins for a specific domain.
Like, right now I'm working with @thetomester13 on selfhost.cloud stuff and whilst I've created a related group and given him access to relevant apps, I can't add him as an admin because then he'd have access to all my other stuff too.
But it'd be really handy if he were an admin for all selfhost.cloud stuff so he doesn't have to ask me to restart apps, increase memory for apps etc etc.
-
@jdaviescoates Maybe group admins would be easier to do.
-
I've asked for that a few times over the years: I would image a group-admin role for a user (who can have one or multiple domains). That group-admin can do all the stuff a regular admin can do, but only for the domains they're assigned to.
A second request was something like a user/app limit per domain (set by the superadmin), so that the group-admin and/or group-manager couldn't add more than 5/10/xx people/apps, so they don't trash the place and keep their resources in check.
This scenario would be for bigger servers that host multiple tenants which shouldn't see the stuff of the other users but can still operate independently.
-
Erm, separate Cloudron instances perhaps?
Web Design https://www.evergreen.je
Development https://brandlight.org
Life https://marcusquinn.com -
@marcusquinn yeah, that's probably what we'll end up doing. Just trying to bootstrap and avoid the cost of another VPS even though Hetzner are so affordable (I've got so many credits for referring people that the cost of another Cloudron sub isn't an issue right now, although of course often that'd be more than the VPS itself)
-
@jdaviescoates I guess depends on the cost-benefit and I don't know enough of your use-case. Personally, I'd more comfortable containing clients by VPS. Overall, it's still a lotta bang for bucks and no more than a Spotify subscription or similar.
I guess if you're doing front-line support you could try haggling for a volume discount on the Cloudron side and those little Hetzner VPSs are pretty mighty eh!
-
Cloudron is currently not designed for shared hosting style setups where "groups" of users can be totally isolated from one another. It's possible to make it like that, but I do think VM level isolation is the more modern and secure way of isolating organizations. If we are to do this, we have to re-think how all the features work in the context of shared setups.
-
@girish said in Per domain user subscription and admin role:
I do think VM level isolation is the more modern and secure way of isolating organizations
As @avatar1024 has also highlighted, there is very often the need to isolate different groups of people working on different projects within the same organisation.
Indeed, aside from very small totally horizontal worker co-ops where everyone had access to everything I can't really think of any examples of organisations where this wouldn't be a common need.
-
@jdaviescoates said in Per domain user subscription and admin role:
As @avatar1024 has also highlighted, there is very often the need to isolate different groups of people working on different projects within the same organisation.
I think I may have not understood the requirements then. Don't cloudron groups offer a way to isolate groups under same org? The original request was domain level isolation. Is that common?
-
@girish Yes you are right that the post started with different domains but this is because I had in mind the case of an organisation that uses separate domains for different activities, with different people being in charge of those different activities. While you are right that Cloudron does a fantastic job as isolating access to apps with the Group feature, as soon as if you give Admin right to someone, then they get full access to everything irrespectively of group / user access rules (which is of course kinda of the point of an admin!).
The issue is that in the case I mentioned, it would still be useful to give some people the ability to at least managed emails, users and apps for their particular domain / area of the organisation.
While this may not be a "common" case, I reckon it is not super rare either.That said, the thread though as kinda of evolved into looking at ways to fine tune the rights of the Admin role rights rather than a split per domain as it started original. Lots of ideas in there. Maybe another intermediate Admin role could be step in that direction to delegate some rights (like email management) to people which would be useful in large organisations (see my second post) without granting full admin rights ?
-
@avatar1024 I agree with breaking down admin role to be more granular. There is already a plan to make the admin "flag" to be per app in the next release. This is useful is you want a user to take control of a specific app (and the admin flag let's them restart/configure/view logs etc).
For a start, would making a role like "email manager" make sense? This user can operate on all the mail routes.
-
@girish having a email manager for a user would be allready great idea. So a user could control his own email adresses.
I totally on the other hand support the idea of a dimain admin, where users could control their apos and settinfs of the domain.
