Author Topic: Privileges only to certain parts of the GU  (Read 3016 times)

kpiq

Privileges only to certain parts of the GU
« on: April 27, 2023, 08:28:57 pm »
Folks

I've set up OPNsense with the voucher server, and login on the Captive Portal works just fine, thanks!  But, my people are in an environment where I would prefer not to have to log in as root to generate the vouchers.  It would be preferable to create a user with just enough (and not more) access/privilege to the Web GUI to generate the vouchers, expire, and drop them.

Your user manual (https://docs.opnsense.org/manual/how-tos/user-local.html) states:

Quote
"With the local user manager of OPNsense one can add users and groups and define the privileges for granting access to certain parts of the GUI (Web Configurator)"

The first thing is, users that are not members of the "admins" group can't log in to the web GUI.  It would be convenient for an unprivileged user to log in, be directed to the preferred landing page (ui/captiveportal/voucher) and be limited to that and only that.

Where are the instructions to limit user/group privileges only to certain parts of the GUI?

Regards

Pedro Serrano

kpiq

Re: Privileges only to certain parts of the GU
« Reply #1 on: April 27, 2023, 08:43:55 pm »
This is just like reaching out for the car door the instant it locks with the keys inside...

When you edit the group (System: Access: Groups) scroll down to the "Assigned Privileges" section and add the required privileges.

Now, it is not as granular as it could be.  There isn't a privilege to the Vouchers screen.  You get privileges to the Captive Portal page, but can't limit it further.

Are there plans to further break down the privileges?

franco

Re: Privileges only to certain parts of the GU
« Reply #2 on: April 27, 2023, 09:40:42 pm »
While I admit that I don't follow all the logic here, the answer to your last question is: no.


Cheers,
Franco

kpiq

Re: Privileges only to certain parts of the GU
« Reply #3 on: April 28, 2023, 03:05:50 am »
Cheers, and thanks for your attention!

franco

Re: Privileges only to certain parts of the GU
« Reply #4 on: April 28, 2023, 08:34:41 am »
The ACL files are extensible actually... the current one is https://github.com/opnsense/core/blob/master/src/opnsense/mvc/app/models/OPNsense/CaptivePortal/ACL/ACL.xml but you can tweak access by specific API endpoints... the only caveat is that the GUI page tries to show all, so you end up with partial data. It's tailored for full captive portal admins, and not being a captive portal solution, the approach is pragmatic but reasonable.


Cheers,
Franco
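
The narrowing described in the reply above, as an added example that is not part of the original thread and not the project's own ACL file: a privilege limited to the voucher page and the voucher API. The privilege id `page-services-captiveportal-vouchers`, its display name, and shipping it as a separate ACL.xml in its own model directory are assumptions to verify against the installed version.

```xml
<!-- Added example: hypothetical custom ACL.xml, not the file shipped with OPNsense. -->
<acl>
    <!--
      For contrast, a section-wide privilege uses wildcards that cover
      every Captive Portal page and every Captive Portal API endpoint:
        ui/captiveportal/*
        api/captiveportal/*
    -->
    <!-- Hypothetical privilege id: voucher page and voucher API only. -->
    <page-services-captiveportal-vouchers>
        <name>Services: Captive Portal: Vouchers only</name>
        <patterns>
            <!-- The landing page named in the first post. -->
            <pattern>ui/captiveportal/voucher</pattern>
            <!-- Only the voucher endpoints, not the rest of the Captive Portal API. -->
            <pattern>api/captiveportal/voucher/*</pattern>
        </patterns>
    </page-services-captiveportal-vouchers>
</acl>
```

Assign the narrow privilege to a group under System: Access: Groups in place of the section-wide one, then log in as a member and confirm that other Captive Portal pages and endpoints are refused. Any part of the GUI page that calls an endpoint outside these patterns will show partial data, as the reply notes.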

netsetup

Re: Privileges only to certain parts of the GU
« Reply #5 on: January 16, 2024, 05:00:36 pm »
I solved this problem by reading this:
https://forum.opnsense.org/index.php?topic=3431.0
« Last Edit: January 16, 2024, 05:02:30 pm by netsetup »