    Cloudron Forum
    Per domain user subscription and admin role

    Feature Requests
    • avatar1024
      avatar1024 last edited by avatar1024

      I'm sure something similar has been asked already but I couldn't find it on the forum.

      Would it be possible to add the following features to Users & Groups in a future version of Cloudron:

      • subscribe users to a specific domain (say with another drop-down option for each user: default being "all" but with the possibility to select domains individually, as it is done for selecting group membership). Those users would then only be allowed to log in to apps which are installed under that/those particular domain(s). Effectively this is no different from manually creating a group for each domain and then manually setting the correct access permission when installing apps, except that it would automate that process by creating those groups in the background for each domain and setting the correct rights automatically. Also it would be helpful for implementing the "3. per domain user management" aspect of the "domain admin" feature below.

      • create a "domain admin" role to give some members admin rights but only on certain domains so that they can (and only can): 1. access all apps and email settings on a given domain(s); 2. manage all of the apps on that/those domain(s); 3. see all users subscribed to that/those domain(s) and invite new users to that/those domain(s). So as roles we'd have: Owner, Admin (would automatically administrate all domains), Domain Admin (which when selected would open the drop-down menu to select domains without the "All" option), Users (which when selected would open the drop-down menu to select domains, with default choice on the "All" option).

      It feels these two features would greatly enhance Cloudron management for cases where you don't necessarily want to have admins able to administrate all domains (either for security reasons or for reducing admin time) but still want someone able to configure email accounts / lists, manage apps and invite people.

      Here are just some concepts and some ideas on how it could work on the UI side. Hope this proves useful.

      • jdaviescoates
        jdaviescoates last edited by

        Yeah, I'd love this, as per my post back in July:

        Domain-based admin rights. I want to be able to give people all the rights of an Administrator, but only for specific domain names.

        @girish responded to that saying:

        I wanted to make a post about how we plan to implement this under the "service provider setups" feature. I will try to make a post about it early next week since we will need some input anyway before we implement the feature.

        And here says:

        Fix access control for service provider setups - There's a few small issues. Service providers wants admin flag per app, better control of SFTP user management and also to unify PHPMyAdmin across apps. We will see what we can do.

        @msbt asked:

        does this come with group- or domain-admins who can only install apps/add and edit users from their designated domains/groups?

        And @girish said:

        Not part of the multi-host but it's part of the "Fix access control for service provider setups"

        I don't think @girish ever got around to writing his post about "service provider setups" though...

        I use Cloudron with Gandi & Hetzner

        • girish
          girish Staff last edited by

          The domain admin concept is clear, since it's quite popular in all the shared hosting concepts. However, Cloudron is not suited for shared hosting setups. It just wasn't designed from the ground up that way. You have to isolate users/groups etc to be per "org". Also, have to

          Instead, we designed each VM/Cloudron to be for an organizational entity (and not for multiple organizations to be on a single Cloudron).

          I also think business model wise, web hosters try to squeeze every bit of the hardware and overload a server massively with many orgs. This is not what we had in mind. Technically, we would make very different decisions if our goal was to have a server with 10 different organizations. (For example, shared nginx/apache servers etc would be better than our current docker based approach).

          In any case, the product has to change based on what customers want 🙂 So, if there is enough interest for this feature, let's see what we can do.

          • avatar1024
            avatar1024 @girish last edited by avatar1024

            @girish Thanks for the reply and explanation Girish. I actually didn't imply I wanted a fully featured multi-organisation approach to Cloudron management, and even less if it implies major changes to Cloudron core design. I actually like that the current design is oriented to single user / organisation as it prevents centralisation.

            The use case I had in mind was mainly for a single organisation that has several domains and a fluctuating user base of about 200. By default all users have access to all apps (unless you configure it manually, as I mentioned in the post).
            The issue is that with users coming and going, you must make sure not to make mistakes with permissions and correctly isolate them from each domain by manually managing groups.
            The other issue is that these users make regular requests to create email lists, email accounts, adding or removing users. So it'd be handy to be able to give more people admin rights just for these particular aspects and restricted to a specific domain.

            I thought what I had described was not a fully featured multi domains function for cloudron, but "just" (says someone who doesn't code) some additional domain management capabilities that could be implemented with functions that already exist in cloudron (namely with User Groups and different role levels). But I can imagine that when it comes down to doing, it becomes more complicated.

            • marcusquinn
              marcusquinn last edited by

              Maybe the solution is just to make all apps only visible by their creator with "Only visible to the following users and groups" being the default option selected, until Groups & Users are added.

              Then, it sounds like you could solve the multi-org issue just with your Groups naming convention, eg:

              • org1-admins
              • org2-admins
              • org-1-websites
              • org-2-websites
              • org1-accounts
              • org2-accounts

              etc. Does that work for what you describe?

              We're not here for a long time - but we are here for a good time :)
              Jersey/UK
              Work & Ecommerce Advice: https://brandlight.org
              Personal & Software Tips: https://marcusquinn.com

              • jdaviescoates
                jdaviescoates @marcusquinn last edited by

                @marcusquinn it does, I think, but it'd be a lot quicker/ easier if you could just say (instead of defining per app) x group has access to all apps on x domain, y group has access to all apps on y domain.

                I use Cloudron with Gandi & Hetzner

                • ruihildt
                  ruihildt last edited by

                  I also would welcome that feature. As you can see having loads of different apps, it would be great to have users that can only deal with their domain related features.

                  • nebulon
                    nebulon Staff @avatar1024 last edited by

                    @avatar1024 also as @marcusquinn suggested, I don't see why assigning new users to domains vs assigning them to groups is in any way more error prone. The only difference is that apps installed have to be setup with the correct groups.

                    • jdaviescoates
                      jdaviescoates @nebulon last edited by

                      @nebulon for me it isn't about error proneness, it's simply a matter of being able to quickly and easily create and apply domain-based groups.

                      i.e. right now it is perfectly possible to create a group and call it somedomain.com and then to manually limit any app on that domain to that group, it just takes lots of steps.

                      It'd be great (i.e. much quicker and easier) to be able to just say "limit all apps on x domain to x group".

                      I use Cloudron with Gandi & Hetzner

                      • nebulon
                        nebulon Staff last edited by

                        I can see the benefit, but honestly I think it is quite the edge case especially since it is already possible just not as convenient. I doubt we will add this any time soon, there are lots more important features to work on at the moment 🙂

                        • jdaviescoates
                          jdaviescoates @nebulon last edited by

                          @nebulon fair enough. I imagine quite a few people would find this useful, but could be totally wrong and agree there are more important features to be worked on. Really looking forward to the 6.0 release! Volumes etc sound really great! 😄

                          I use Cloudron with Gandi & Hetzner

                          • C
                            cyberfreakde @jdaviescoates last edited by

                            @jdaviescoates Yep, this would be really useful. I have some friends who want to host their website on my site but I don't want to give them full admin roles.

                            • jdaviescoates
                              jdaviescoates @cyberfreakde last edited by

                              @cyberfreakde you can already do it using the existing groups and roles, you just have to remember to do it for each app

                              I use Cloudron with Gandi & Hetzner

                              • girish
                                girish Staff @cyberfreakde last edited by

                                @cyberfreakde Right, as @jdaviescoates said, just create a "website" group with just the users and then set the group as the permission in the app's Access control view. The important thing to remember is that the "default" Access is accessible to all. So you have to go into each app and make sure it's not accessible to all. Another thing is that Cloudron "admin" always has access to all apps.

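The access rule girish describes above (default access means everyone, otherwise only the listed groups and users, and admins always get in), the per-app check he says you must not forget, and the bulk "limit all apps on x domain to x group" operation jdaviescoates asks for earlier in the thread, written out as a small model. This is an added example, not code from the original thread and not Cloudron's own code; the user and app records, the `access === null` convention for the default, and all names and domains are invented for illustration, and "per domain" is taken to include subdomains as robi suggests later in the thread.

```javascript
// Added example (not Cloudron's code): model of the access rule described in
// the thread, an audit for apps still on the default "everyone" access, and a
// bulk per-domain restriction. All data below is constructed.

// Constructed sample directory: group membership and the Cloudron admin flag.
const users = {
  alice: { groups: ['website'], admin: false },
  bob:   { groups: [],          admin: false },
  carol: { groups: [],          admin: true  },
};

// Constructed sample apps. access === null stands for the default ("accessible
// to all"); otherwise only the listed groups and users may log in.
const apps = [
  { id: 'wordpress', fqdn: 'blog.example.com',  access: { groups: ['website'], users: [] } },
  { id: 'lamp',      fqdn: 'site.example.com',  access: null },
  { id: 'nextcloud', fqdn: 'cloud.example.org', access: null },
];

// Can userId log in to app? Mirrors the three rules stated in the thread.
function canAccess(users, userId, app) {
  const user = users[userId];
  if (!user) return false;                        // unknown user: deny
  if (user.admin) return true;                    // admins always have access
  if (app.access === null) return true;           // default: everyone
  if (app.access.users.includes(userId)) return true;
  return user.groups.some((g) => app.access.groups.includes(g));
}

// Audit: which apps are still on the default "everyone" access? This is the
// per-app check that is easy to forget when only some apps were restricted.
function appsOpenToEveryone(apps) {
  return apps.filter((a) => a.access === null).map((a) => a.id);
}

// True if fqdn is the domain itself or any subdomain of it.
function inDomain(fqdn, domain) {
  return fqdn === domain || fqdn.endsWith('.' + domain);
}

// Bulk rule: restrict every app under `domain` to `group`. Returns a new list;
// apps on other domains keep whatever access they had.
function restrictDomainToGroup(apps, domain, group) {
  return apps.map((app) =>
    inDomain(app.fqdn, domain) ? { ...app, access: { groups: [group], users: [] } } : app
  );
}

// Stand-alone demonstration.
const restricted = restrictDomainToGroup(apps, 'example.com', 'website');
console.log('open to everyone before:', appsOpenToEveryone(apps));        // [ 'lamp', 'nextcloud' ]
console.log('open to everyone after: ', appsOpenToEveryone(restricted));  // [ 'nextcloud' ]
console.log('bob on lamp after:', canAccess(users, 'bob', restricted[1])); // false
```

The audit is the useful part for a defender: after restricting one domain, `appsOpenToEveryone` still lists `nextcloud`, which sits on a different domain and was never touched, exactly the case where a newly invited user ends up with access nobody intended.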
                                • C
                                  cyberfreakde @girish last edited by

                                  @girish How can I give them access to ftp without them being admin? Is it possible?

                                  • girish
                                    girish Staff @cyberfreakde last edited by

                                    @cyberfreakde Yes, in Cloudron 6, there is an option - https://docs.cloudron.io/apps/#non-admin-access . The SFTP access info is not displayed for normal users currently (which can be considered a bug). But they should be able to login with username@app.domain.com and their cloudron password (sftp port 222).

                                    • C
                                      cyberfreakde @girish last edited by

                                      @girish Wow, Thanks! This is perfect. Somehow flew over it while reading the docs.

                                      • robi
                                        robi @jdaviescoates last edited by

                                        @jdaviescoates @cyberfreakde
                                        you can also set up a WP instance with all the groups configured as you need them, then just clone it for new sites and drop in users as needed. Config once, clone many.

                                        Life of Advanced Technology

                                        • C
                                          cyberfreakde @robi last edited by

                                          @robi My friend wrote his own website so I have to use LAMP.

                                          • jdaviescoates
                                            jdaviescoates @robi last edited by

                                            @robi thanks, but I can't really imagine when I'd want/ need loads of different WP sites with the same groups. The issue here is to be able to quickly add the same group to lots of different apps.

                                            I use Cloudron with Gandi & Hetzner

                                            • robi
                                              robi @jdaviescoates last edited by

                                              @jdaviescoates Yeah, for that we need a group dropdown to select all the different apps.

                                              Life of Advanced Technology

                                              • jdaviescoates
                                                jdaviescoates @robi last edited by jdaviescoates

                                                I'm not sure why this has been marked as solved. Aside from all the groups stuff I'd still really like to be able to make people admins for a specific domain.

                                                Like, right now I'm working with @thetomester13 on selfhost.cloud stuff and whilst I've created a related group and given him access to relevant apps, I can't add him as an admin because then he'd have access to all my other stuff too.

                                                But it'd be really handy if he were an admin for all selfhost.cloud stuff so he doesn't have to ask me to restart apps, increase memory for apps etc etc.

                                                I use Cloudron with Gandi & Hetzner

                                                • robi
                                                  robi @jdaviescoates last edited by

                                                  @jdaviescoates Maybe group admins would be easier to do.

                                                  Life of Advanced Technology

                                                  • M
                                                    msbt App Dev @robi last edited by msbt

                                                    I've asked for that a few times over the years: I would imagine a group-admin role for a user (who can have one or multiple domains). That group-admin can do all the stuff a regular admin can do, but only for the domains they're assigned to.

                                                    A second request was something like a user/app limit per domain (set by the superadmin), so that the group-admin and/or group-manager couldn't add more than 5/10/xx people/apps, so they don't trash the place and keep their resources in check.

                                                    This scenario would be for bigger servers that host multiple tenants which shouldn't see the stuff of the other users but can still operate independently.

                                                    • jdaviescoates
                                                      jdaviescoates @robi last edited by

                                                      @robi I don't mind how it's done, so long as I could make people admins for certain apps and not all of them

                                                      I use Cloudron with Gandi & Hetzner

                                                      • marcusquinn
                                                        marcusquinn last edited by

                                                        Erm, separate Cloudron instances perhaps?

                                                        We're not here for a long time - but we are here for a good time :)
                                                        Jersey/UK
                                                        Work & Ecommerce Advice: https://brandlight.org
                                                        Personal & Software Tips: https://marcusquinn.com

                                                        • jdaviescoates
                                                          jdaviescoates @marcusquinn last edited by

                                                          @marcusquinn yeah, that's probably what we'll end up doing. Just trying to bootstrap and avoid the cost of another VPS even though Hetzner are so affordable (I've got so many credits for referring people that the cost of another Cloudron sub isn't an issue right now, although of course often that'd be more than the VPS itself)

                                                          I use Cloudron with Gandi & Hetzner

                                                          • marcusquinn
                                                            marcusquinn @jdaviescoates last edited by

                                                            @jdaviescoates I guess it depends on the cost-benefit and I don't know enough of your use-case. Personally, I'd be more comfortable containing clients by VPS. Overall, it's still a lotta bang for bucks and no more than a Spotify subscription or similar.

                                                            I guess if you're doing front-line support you could try haggling for a volume discount on the Cloudron side and those little Hetzner VPSs are pretty mighty eh!

                                                            We're not here for a long time - but we are here for a good time :)
                                                            Jersey/UK
                                                            Work & Ecommerce Advice: https://brandlight.org
                                                            Personal & Software Tips: https://marcusquinn.com

                                                            • girish
                                                              girish Staff last edited by

                                                              Cloudron is currently not designed for shared hosting style setups where "groups" of users can be totally isolated from one another. It's possible to make it like that, but I do think VM level isolation is the more modern and secure way of isolating organizations. If we are to do this, we have to re-think how all the features work in the context of shared setups.

                                                              • jdaviescoates
                                                                jdaviescoates @girish last edited by jdaviescoates

                                                                @girish said in Per domain user subscription and admin role:

                                                                I do think VM level isolation is the more modern and secure way of isolating organizations

                                                                As @avatar1024 has also highlighted, there is very often the need to isolate different groups of people working on different projects within the same organisation.

                                                                Indeed, aside from very small totally horizontal worker co-ops where everyone had access to everything I can't really think of any examples of organisations where this wouldn't be a common need.

                                                                I use Cloudron with Gandi & Hetzner

                                                                • girish
                                                                  girish Staff @jdaviescoates last edited by

                                                                  @jdaviescoates said in Per domain user subscription and admin role:

                                                                  As @avatar1024 has also highlighted, there is very often the need to isolate different groups of people working on different projects within the same organisation.

                                                                  I think I may have not understood the requirements then. Don't cloudron groups offer a way to isolate groups under same org? The original request was domain level isolation. Is that common?

                                                                  • robi
                                                                    robi @girish last edited by

                                                                    @girish Also per domain could be interpreted as including subdomains.

                                                                    Life of Advanced Technology

                                                                    • avatar1024
                                                                      avatar1024 @girish last edited by avatar1024

                                                                      @girish Yes, you are right that the post started with different domains, but this is because I had in mind the case of an organisation that uses separate domains for different activities, with different people being in charge of those different activities. While you are right that Cloudron does a fantastic job at isolating access to apps with the Group feature, as soon as you give Admin rights to someone, they get full access to everything irrespective of group / user access rules (which is of course kind of the point of an admin!).
                                                                      The issue is that in the case I mentioned, it would still be useful to give some people the ability to at least manage emails, users and apps for their particular domain / area of the organisation.
                                                                      While this may not be a "common" case, I reckon it is not super rare either.

                                                                      That said, the thread has kind of evolved into looking at ways to fine-tune the rights of the Admin role rather than a split per domain as it started originally. Lots of ideas in there. Maybe another intermediate Admin role could be a step in that direction to delegate some rights (like email management) to people, which would be useful in large organisations (see my second post) without granting full admin rights?

                                                                      • girish
                                                                        girish Staff @avatar1024 last edited by girish

                                                                        @avatar1024 I agree with breaking down the admin role to be more granular. There is already a plan to make the admin "flag" per app in the next release. This is useful if you want a user to take control of a specific app (and the admin flag lets them restart/configure/view logs etc).

                                                                        For a start, would making a role like "email manager" make sense? This user can operate on all the mail routes.

                                                                        • kyzoe.be
                                                                          kyzoe.be @girish last edited by kyzoe.be

                                                                          @girish having an email manager for a user would already be a great idea. So a user could control his own email addresses.

                                                                          On the other hand, I totally support the idea of a domain admin, where users could control their apps and settings of the domain.
