Cloudron makes it easy to run web apps like WordPress, Nextcloud, GitLab on your server. Find out more or install now.

Per domain user subscription and admin role

  • I'm sure something similar has been asked already but I couldn't find it on the forum.

    Would it be possible to add to following features of User & Groups in future version of Cloudron:

    • subscribe users to a specific domain (say with another drop down option for each users: default being "all" but with the possibility to select domains individually - as it is down for selecting group membership). Those users would then only be allowed to login on apps which are installed under that/those particular domain(s). Effectively this is no different that manually creating a group for each domain and then manually setting the correct access permission when installing apps, except that it would automate that process by creating those groups in the background for each domain and setting the correct rights automatically. Also it would be helpful for implementing the "3. per domain user management" aspect of the "domain admin" feature below

    • create a "domain admin" role to give some members admin rights but only on certain domains so that they can (and only can): 1. access all apps and email settings on a given domain(s); 2. an managed all of apps on that/those domain(s) 3. can see all users subscribed to that/those domain(s) and can invite new users to that/those domain(s). So as role we'd have: Owner, Admin (would automatically be administrates all domains), Domain Admin (which when selected would open the drop down menu to select domains without the "All" option), Users (which when selected would open the drop down menu to select domains, with default choice on the "All" option).

    It feels these two features would greatly enhance cloudron management for cases where you don't necessarily want to have admins able to administrate all domains (either for security reasons and for reducing admin time) but still want someone able to configure email accounts / lists, manage apps and invite people.

    Here is just some concepts and some ideas on how it could work on the UI side. Hope this proves useful.

  • Yeah, I'd love this, as per my post back in July:

    Domain-based admin rights. I want to be able to give people all the rights of an Administrator, but only for specific domain names.

    @girish responded to that saying:

    I wanted to make a post about how we plan to implement this under the "service provider setups" feature. I will try to make a post about it early next week since we will need some input anyway before we implement the feature.

    And here says:

    Fix access control for service provider setups - There's a few small issues. Service providers wants admin flag per app, better control of SFTP user management and also to unify PHPMyAdmin across apps. We will see what we can do.

    @msbt asked:

    does this come with group- or domain-admins who can only install apps/add and edit users from their designated domains/groups?

    And @girish said:

    Not part of the multi-host but it's part of the "Fix access control for service provider setups"

    I don't think @girish ever got around to writing his post about "service provider setups" though...

  • Staff

    This post is deleted!
  • Staff

    The domain admin concept is clear, since it's quite popular in all the shared hosting concepts. However, Cloudron is not suited for shared hosting setups. It just wasn't designed from the ground up that way. You have to isolate users/groups etc to be per "org". Also, have to

    Instead, we designed each VM/Cloudron to be for an organizational entity (and not for multiple organizations to be on a single Cloudron).

    I also think business model wise, web hosters try to squeeze every bit of the hardware and overload a server massively with many orgs. This is not what we had in mind. Technically, we would make very different decisions if our goal was to have a server with 10 different organizations. (For example, shared nginx/apache servers etc would be better than our current docker based approach).

    In any case, the product has to change based on what customers want 🙂 So, if there is enough interest for this feature, let's see what we can do.

  • @girish Thanks for the reply and explanation Girish. I actually didn't imply I wanted a fully featured multi-organisation approach to Cloudron management, and even less if it implies major changes to Cloudron core design. I actually like that the current design is oriented to single user / organisation as it prevents centralisation.

    The use case I had in mind was mainly for a single organisation that has several domains and a fluctuating users base of about 200. By default all users have access to all apps (unless you configure manually as I mentioned in the post).
    The issue is that with users coming and going, you must make sure not to make mistakes with permissions and correctly isolate them from each domains by manually managing groups.
    The other issues is that these users make regular requests to create email list, email accounts, adding or removing users. So it'd be handy to be able to give more people admin rights just for these particular aspects and restricted to a specific domain.

    I thought what I had described was not a fully featured multi domains function for cloudron, but "just" (says someone who doesn't code) some additional domain management capabilities that could be implemented with functions that already exist in cloudron (namely with User Groups and different role levels). But I can imagine that when it comes down to doing, it becomes more complicated.

  • Maybe the solution is just to make all apps only visible by their creator with "Only visible to the following users and groups" being the default option selected, until Groups & Users are added.

    Then, it sounds like you could solve the multi-org issue just with your Groups naming convention, eg:

    • org1-admins
    • org2-admins
    • org-1-websites
    • org-2-websites
    • org1-accounts
    • org2-accounts

    etc. Does that work for what you describe?

  • @marcusquinn it does, I think, but it'd be a lot quicker/ easier if you could just say (instead of defining per app) x group has access to all apps on x domain, y group has access to all apps on y domain.

  • I also would welcome that feature. As you can see having loads of different apps, it would be great to have users that can only deal with their domain related features.

  • Staff

    @avatar1024 also as @marcusquinn suggested, I don't see why assigning new users to domains vs assigning them to groups is in any way more error prone. The only difference is that apps installed have to be setup with the correct groups.

  • @nebulon for me it isn't about error proneness, it's simply a matter of being able to quickly and easily create and apply domain-based groups.

    i.e. right now it is perfectly possible to a create a group and call it and then to manually limit any app on that domain to that group, it just takes lots of steps.

    I'd be great (i.e. much quicker and easier) to be able to just say "limited all apps on x domain to x group".

  • Staff

    I can see the benefit, but honestly I think it is quite the edge case especially since it is already possible just not as convenient. I doubt we will add this any time soon, there are lots more important features to work on at the moment 🙂

  • @nebulon fair enough. I imagine quite a few people would find this useful, but could be totally wrong and agree there are more important features to be worked on. Really looking forward to the 6.0 release! Volumes etc sound really great! 😄