Home
Help
Search
Login
Register
OPNsense Forum
»
Archive
»
16.1 Legacy Series
»
Is it possible to restrict what a user can do on the interface?
« previous
next »
Print
Pages: [
1
]
Author
Topic: Is it possible to restrict what a user can do on the interface? (Read 8980 times)
fredbloggs
Newbie
Posts: 7
Karma: 0
Is it possible to restrict what a user can do on the interface?
«
on:
March 25, 2016, 10:53:04 pm »
Hi,
Am a newby, but looking for a firewall that allows us to perform a few restrictions.
For example, whilst I obviously want a super-user god like account to manage everything, I'd also like to be able to restrict what certain people can do in the web interface.
i.e. so that they can't change any details under Interfaces or add virtual IP's under Firewall. Even if I'm required to change a setting to make them temporarily available/hidden in the UI.
Going forwards, I guess a FR would be required to allow delegated administration to each component to grant the most flexibility.
Thanks
Mark
«
Last Edit: March 26, 2016, 01:28:44 am by fredbloggs
»
Logged
Zeitkind
Full Member
Posts: 180
Karma: 27
Re: Is it possible to restrict what a user can do on the interface?
«
Reply #1 on:
March 26, 2016, 02:41:30 am »
Look at groups and their permissions
System: Access: Groups - System Privileges
Logged
fredbloggs
Newbie
Posts: 7
Karma: 0
Re: Is it possible to restrict what a user can do on the interface?
«
Reply #2 on:
March 26, 2016, 03:47:39 am »
thanks, I looked there but didn't notice the add roles, thought it was just for VPNs etc.
Just need to work out which are required (at present the user has some assigned) as I'm getting a
web page can't be found error,
http://10.3.3.201/.widget.php
unless I grant access to
WebCfg - All pages
, which then grants access to all pages and not just those desired.
Any ideas?
Logged
franco
Administrator
Hero Member
Posts: 17668
Karma: 1611
Re: Is it possible to restrict what a user can do on the interface?
«
Reply #3 on:
March 26, 2016, 07:29:16 pm »
So the idea behind the system is: with both groups and users you can assign privileges. Groups are simply used to define reusable rules as you put it. The privileges are per page and some special cases like logins away from the GUI itself. You can find the privilege assignments in the group or user edit screen.
In order to get a viable dashboard user you need:
WebCfg - Dashboard (all)
WebCfg - Dashboard widgets (direct access)
The config deny privilege is also good for read-only access...
Logged
fredbloggs
Newbie
Posts: 7
Karma: 0
Re: Is it possible to restrict what a user can do on the interface?
«
Reply #4 on:
March 29, 2016, 05:04:39 am »
I must be missing something. As soon as I give someone those rights they have rights to everything.
Should I be able to give an account limited access without those.
Logged
franco
Administrator
Hero Member
Posts: 17668
Karma: 1611
Re: Is it possible to restrict what a user can do on the interface?
«
Reply #5 on:
March 29, 2016, 03:05:09 pm »
Maybe you assigned the "admins" group to the user? When you create a new user and add the privileges, I can only see the firewall log and the dashboard in the menu (apart from the help links which don't require privileges).
If you can't seem to find the issue please run us through your user creation sequence and/or post screenshots.
Logged
Print
Pages: [
1
]
« previous
next »
OPNsense Forum
»
Archive
»
16.1 Legacy Series
»
Is it possible to restrict what a user can do on the interface?