Per domain user subscription and admin role
-
@cyberfreakde Right, as @jdaviescoates said, just create a "website" group with just the users and then set the group as the permission in the app's Access control view. The important thing to remember is that the "default" Access is accessible to all. So you have to go into each app and make sure it's not accessible to all. Another thing is that Cloudron "admin" always has access to all apps.
-
@cyberfreakde Yes, in Cloudron 6, there is an option - https://docs.cloudron.io/apps/#non-admin-access . The SFTP access info is not displayed for normal users currently (which can be considered a bug). But they should be able to log in with username@app.domain.com and their cloudron password (sftp port 222).
-
@jdaviescoates @cyberfreakde
you can also set up a WP instance with all the groups configured as you need them, then just clone it for new sites and drop in users as needed. Config once, clone many.
-
@jdaviescoates Yeah, for that we need a group dropdown to select all the different apps.
-
I'm not sure why this has been marked as solved. Aside from all the groups stuff I'd still really like to be able to make people admins for a specific domain.
Like, right now I'm working with @thetomester13 on selfhost.cloud stuff and whilst I've created a related group and given him access to relevant apps, I can't add him as an admin because then he'd have access to all my other stuff too.
But it'd be really handy if he were an admin for all selfhost.cloud stuff so he doesn't have to ask me to restart apps, increase memory for apps etc etc.
-
@jdaviescoates Maybe group admins would be easier to do.
-
I've asked for that a few times over the years: I would imagine a group-admin role for a user (who can have one or multiple domains). That group-admin can do all the stuff a regular admin can do, but only for the domains they're assigned to.
A second request was something like a user/app limit per domain (set by the superadmin), so that the group-admin and/or group-manager couldn't add more than 5/10/xx people/apps, so they don't trash the place and keep their resources in check.
This scenario would be for bigger servers that host multiple tenants which shouldn't see the stuff of the other users but can still operate independently.
-
Erm, separate Cloudron instances perhaps?
-
@marcusquinn yeah, that's probably what we'll end up doing. Just trying to bootstrap and avoid the cost of another VPS even though Hetzner are so affordable (I've got so many credits for referring people that the cost of another Cloudron sub isn't an issue right now, although of course often that'd be more than the VPS itself)
-
@jdaviescoates I guess it depends on the cost-benefit and I don't know enough of your use-case. Personally, I'd be more comfortable containing clients by VPS. Overall, it's still a lotta bang for bucks and no more than a Spotify subscription or similar.
I guess if you're doing front-line support you could try haggling for a volume discount on the Cloudron side and those little Hetzner VPSs are pretty mighty eh!
-
Cloudron is currently not designed for shared hosting style setups where "groups" of users can be totally isolated from one another. It's possible to make it like that, but I do think VM level isolation is the more modern and secure way of isolating organizations. If we are to do this, we have to re-think how all the features work in the context of shared setups.
-
@girish said in Per domain user subscription and admin role:
I do think VM level isolation is the more modern and secure way of isolating organizations
As @avatar1024 has also highlighted, there is very often the need to isolate different groups of people working on different projects within the same organisation.
Indeed, aside from very small totally horizontal worker co-ops where everyone had access to everything I can't really think of any examples of organisations where this wouldn't be a common need.
-
@jdaviescoates said in Per domain user subscription and admin role:
As @avatar1024 has also highlighted, there is very often the need to isolate different groups of people working on different projects within the same organisation.
I think I may have not understood the requirements then. Don't Cloudron groups offer a way to isolate groups under the same org? The original request was domain level isolation. Is that common?
-
@girish Yes you are right that the post started with different domains but this is because I had in mind the case of an organisation that uses separate domains for different activities, with different people being in charge of those different activities. While you are right that Cloudron does a fantastic job at isolating access to apps with the Group feature, as soon as you give Admin rights to someone, they get full access to everything irrespective of group / user access rules (which is of course kind of the point of an admin!).
The issue is that in the case I mentioned, it would still be useful to give some people the ability to at least manage emails, users and apps for their particular domain / area of the organisation.
While this may not be a "common" case, I reckon it is not super rare either. That said, the thread has kind of evolved into looking at ways to fine-tune the rights of the Admin role rather than a split per domain as it originally started. Lots of ideas in there. Maybe another intermediate Admin role could be a step in that direction to delegate some rights (like email management) to people, which would be useful in large organisations (see my second post), without granting full admin rights?
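
Added example, not part of the thread and not Cloudron code: a small audit over a constructed inventory that applies the three access rules stated above (default access is open to all users, a group restriction limits access to its members, admins always have access to every app). The record layout, user names, group names and domains are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed model of the rules stated in the thread; the record layout is
# an assumption for illustration and is not Cloudron's API or export format.
@dataclass
class User:
    name: str
    admin: bool = False
    groups: set = field(default_factory=set)

@dataclass
class App:
    fqdn: str
    allowed_groups: Optional[set] = None  # None = default access, open to all users

def can_access(user, app):
    if user.admin:                  # admins always have access to all apps
        return True
    if app.allowed_groups is None:  # default access control setting
        return True
    return bool(user.groups & app.allowed_groups)

def audit(users, apps, domain_groups):
    """Return (fqdn, finding) pairs; domain_groups maps domain -> its group."""
    findings = []
    for app in apps:
        if app.allowed_groups is None:
            findings.append((app.fqdn, "default access: open to all users"))
        expected = next((g for d, g in domain_groups.items()
                         if app.fqdn == d or app.fqdn.endswith("." + d)), None)
        if expected is None:
            continue
        for u in users:
            if can_access(u, app) and expected not in u.groups:
                why = "admin role" if u.admin else "outside domain group"
                findings.append((app.fqdn, f"{u.name} can access ({why})"))
    return findings

# Constructed sample data (hypothetical users, groups and domains).
USERS = [User("alice", admin=True), User("bob", groups={"site-a"}),
         User("carol", groups={"site-b"})]
APPS = [App("blog.site-a.example", {"site-a"}), App("wiki.site-b.example")]
DOMAIN_GROUPS = {"site-a.example": "site-a", "site-b.example": "site-b"}

if __name__ == "__main__":
    for fqdn, finding in audit(USERS, APPS, DOMAIN_GROUPS):
        print(f"{fqdn}: {finding}")
```

The admin findings cannot be removed by group settings, which is the gap the per-domain admin request in this thread is about.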