OPNsense Forum

Archive => 16.1 Legacy Series => Topic started by: fredbloggs on March 25, 2016, 10:53:04 pm

Title: Is it possible to restrict what a user can do on the interface?
Post by: fredbloggs on March 25, 2016, 10:53:04 pm
Hi,

Am a newbie, but looking for a firewall that allows us to perform a few restrictions.

For example, whilst I obviously want a super-user god-like account to manage everything, I'd also like to be able to restrict what certain people can do in the web interface.

i.e. so that they can't change any details under Interfaces or add virtual IPs under Firewall. Even if I'm required to change a setting to make them temporarily available/hidden in the UI.

Going forwards, I guess a FR would be required to allow delegated administration to each component to grant the most flexibility.

Thanks
Mark
Title: Re: Is it possible to restrict what a user can do on the interface?
Post by: Zeitkind on March 26, 2016, 02:41:30 am
Look at groups and their permissions
System: Access: Groups - System Privileges

Title: Re: Is it possible to restrict what a user can do on the interface?
Post by: fredbloggs on March 26, 2016, 03:47:39 am
Thanks, I looked there but didn't notice the add roles, thought it was just for VPNs etc.

Just need to work out which are required (at present the user has some assigned) as I'm getting a web page can't be found error, http://10.3.3.201/.widget.php, unless I grant access to WebCfg - All pages, which then grants access to all pages and not just those desired.

Any ideas?
Title: Re: Is it possible to restrict what a user can do on the interface?
Post by: franco on March 26, 2016, 07:29:16 pm
So the idea behind the system is: with both groups and users you can assign privileges. Groups are simply used to define reusable rules as you put it. The privileges are per page and some special cases like logins away from the GUI itself. You can find the privilege assignments in the group or user edit screen.

In order to get a viable dashboard user you need:

WebCfg - Dashboard (all)
WebCfg - Dashboard widgets (direct access)

The config deny privilege is also good for read-only access...
Title: Re: Is it possible to restrict what a user can do on the interface?
Post by: fredbloggs on March 29, 2016, 05:04:39 am
I must be missing something.  As soon as I give someone those rights they have rights to everything.

Should I be able to give an account limited access without those?
Title: Re: Is it possible to restrict what a user can do on the interface?
Post by: franco on March 29, 2016, 03:05:09 pm
Maybe you assigned the "admins" group to the user? When you create a new user and add the privileges, I can only see the firewall log and the dashboard in the menu (apart from the help links which don't require privileges).

If you can't seem to find the issue please run us through your user creation sequence and/or post screenshots.