Implement a fine-grained permission system

[sgiehl]

Summary

Matomo currently only serves these type of user access: super user, admin, write, view and anonymous.
In addition, there are some capabilities to restrict access to certain tag manager features.

Especially the roles super user and admin are quite broad, and it's not possible to restrict them further.

As we already had a lot different requests related to this topic, I'll try to summarise those requests here and append the list of related issues, so we don't forget them when implementing a new permission system.

Requirements

• Possibility to set fine-graded permissions:

  • per plugin (e.g. Event, Ecommerce, ...)
  • per feature (e.g. Segments, Comparison, ...)
  • per report (e.g. only certain reports, or segments, date ranges, ...)
  • per site (e.g. you can have write permission on site X, but only view on site Y, ...)

• Possibility to create user groups/roles for easier permission management

Before implementing this, the whole permission system needs to be defined in detail, as it can easily become quite complex when e.g. combining access levels per site with anything else. Someone could e.g. be allowed to view a report on one site, but not on another and stuff like this.
To make that configurable easily in the UI, we need to discuss a proper UI/UX approach as well.

Related issues that should be possible to solve with a new permission system

• Advanced user permissions to allow users to view some reports only #3389
• Widgetize: giving access to everybody to view a specific widget (token_auth on a per widget basis) #5703
• Move methods that verify user permissions from Piwik into another class #6585
• Advanced access rules for each user #6660
• An admin user should be able to share a segment by selecting "This segment is visible to: Any users viewing this website" #6844
• (Provide a way for a type to rename any report and to disable/enable reports #7823)
• do not allow to set access to non existing websites #8697
• Add config option to globally disable possibility of granting anonymous access #10233
• Semi-superuser level / allow configuration but no analytics #11149
• Allow users to request admin (or other) permissions #13139
• Restrict user access to certain segments only #14570
• Provide ability to restrict auth tokens to site, access, scope #15368
• Access rights to segments only #16099
• Add option for User Groups #18681
• Add possibility to define data restrictions, for example revenue, IP, ... #19074
• Make a single widget or dashboard available to anonymous user #19424
• Advanced user permissions, or a new user category, to allow users to make heatmap/custom report as View user #19894
• Add ability to restrict users access to a specific start date #20135
• Option to disable "Admin" permission users ability to Add new users to Matomo #20487
• A user with a view access can write an annotation #20716
• Option to disable "Admin" permission users ability to Add further "Admin" users to Matomo #21651
• Goal restrictions: make them available for some users only #22122

replaces #1568

[mikkeschiren]

The currently limited user permissions could in some cases be a security issue - like when using API to export data to an endpoint, and if someone just changes the parameters, data that never should be exposed outside of Europe (as an example - like GDPR restrictions), could be exposed. To solve this we have in some cases needed to write our endpoint, to restrict the data transferred.

[atom-box]

(A user emailed us: "This looks very good. The following requirements are missing"...)

• Now: only users with at least admin rights can make segments available to all users. Feature request: An option to allow users with the "write" role to also make segments available to all users.
• Now: only users with at least admin rights can share dashboards. Feature request: An option to allow users with the "write" role to share dashboards.

We don't want to grant many admin rights, it would make sense if users with the "write" role could do these things.

[atom-box]

A user asked for this feature.

Is there any way to limit... segment settings so only admins can create?