[Owncloud] group admins and user creation privilege

Michael mike at draftx.net
Wed Apr 24 15:13:11 UTC 2013


Is there any reason why we don't use an full RBAC(Role Based Access
Control) implementation so that groups could be granted any priviledges? We
could separate many admin functions so that different use cases could pick
and choose what certain users could create. For example, help desks should
be able to create users and modify but not do much more to the installation
itself.

If we went to an RBAC model, many of the questions that come up(can I make
a group/user only have this permission) would be addressed.
Mike


On Wed, Apr 24, 2013 at 6:31 AM, Erwin Rennert <rennert at zsi.at> wrote:

> On 04/24/2013 11:52 AM, Andreas Ergenzinger wrote:
>
>> Hello everyone,
>>
>> I would like to know what people's feelings are about the ability of
>> subadmins (a.k.a. group admins) to create new user accounts. Should
>> all subadmins always be able to do that? Or should that privilege
>> require explicit permission from the (super) admin, possibly on an
>> individual basis.
>>
>
> Hi!
> I believe use cases vastly differ.
> I would prefer the super admin being able to decide, whether the group
> admin may create users.
>
> However, there are a number of other questions regarding groups and their
> administration.
>
> * As of now, IF a group admin knows the exact user ID of another user on
> the system, s/he may actually add this user to his/her group by "creating"
> a userID with a random password.
> ** Is this desirable?
> * The group admin may also extend or reduce the user's quota.
> ** In my view this is definitely undesirable. The quota should stick at
> the default setting, or even better, the site admin should set a group
> quota.
> * Group quota: Here we go!
> ** there is a feature request: https://github.com/owncloud/**
> core/issues/1347 <https://github.com/owncloud/core/issues/1347>
> ** Now in my view, existing users should be exempt from the group quota;
> after all they may be members of various groups.
>
> Lots of difficult questions.
>
> Yours,
> Erwin
>
>
>
>
>> I am asking because I see a conflict here, between using groups with
>> subadmins and the admin's desire to manage the whole user base with
>> user backends.
>>
>> Since I would like to have both, I would be willing to implement the
>> necessary changes, but I would like to know the exact requirements
>> first and whether this has any chance of making it to the core.
>>
>> Cheers, Andreas ______________________________**_________________
>> Owncloud mailing list Owncloud at kde.org
>> https://mail.kde.org/mailman/**listinfo/owncloud<https://mail.kde.org/mailman/listinfo/owncloud>
>>
>
>
> --
> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+
> Erwin Rennert, IT Services
> Center for Social Innovation
>
> A-1150 Wien, Linke Wienzeile 246
> Austria, Europe
>
> Phone: ++43-1-495 04 42 - 61
> Facsimile: ++43-1-495 04 42 - 40
> http://www.zsi.at/
>
>
> ______________________________**_________________
> Owncloud mailing list
> Owncloud at kde.org
> https://mail.kde.org/mailman/**listinfo/owncloud<https://mail.kde.org/mailman/listinfo/owncloud>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.kde.org/pipermail/owncloud/attachments/20130424/a847d254/attachment.html>


More information about the Owncloud mailing list