read only user

Started by naltalef, March 13, 2019, 07:36:14 PM

Hi.

I'm trying to configure a read-only group.
In the group privileges I selected:

All Pages
System: Deny config write.


It works fine, but there are some exceptions like:

Firewall Alias that can be modified
Services like snmp, ftpproxy and monit can also be modified (I did not try them all, but Network Time remains read-only, for example).

I would like to know which is the correct way to assign read-only permissions for a group or user.

Many thanks

The difference is probably legacy/API as this is a feature of the old pages.

There's a fix here https://github.com/opnsense/core/commit/3af02197b884 but we're not going to add any urgency to this as we said this previously:

https://github.com/opnsense/changelog/blob/a2119f5cfcb92bd08a7af50575543662cb71212a/doc/18.7/18.7.7#L13-L18

The "privilege" to take away privilege is deeply flawed from the get go and we'll just be continuing to patch this up again and again if it is not replaced by a better solution which could happen in 19.7, but we're not 100% sure as of yet.


Cheers,
Franco

Hi Franco/Fabian.

Thanks for the reply.
I understand perfectly what you are saying and I can survive without this.
It will be safer for us to create a test machine where the user can learn and become familiar with the interface.

Regards
Norberto