
User management

Edmondas Girkantas edited this page Jan 17, 2022 · 1 revision

Improvements

The current user management setup is fairly new. Because of this, some of the details may not work as expected. If you have ideas on improving the new user management setup, be sure to discuss them on the mailing list. These permission templates were introduced in version 2.0.0.

Basics of user management in Poweradmin

Basically, it allows you to have two levels of users. You have ueberusers, which are users that can do anything within the interface, and you have users with limited rights.

How much each of the users is allowed to do can be managed using the permission templates. These templates are built up from a set of permissions. Each of the permissions allows the user one or more things. One permission allows the user to see the contents of zones the user owns. Another permission allows the user to edit zones he doesn't own. And yet another permission allows the user to create new supermasters. By adding those permissions to or removing them from a template and assigning a template to a user, you can control a user's rights.

The permission user_is_ueberuser overrules any other permission the user may or may not have been assigned. It gives the user full access to anything that otherwise would require the assignment of some kind of permission. This is normally the kind of permission that an administrator has - and no one else.

Ownership is just a phrase to denote zones the user is marked owner for. It does not imply any privileges for these zones. These privileges are set using one or more of the permissions added to the template the user has been assigned. A user can be owner for one or more zones, but if the user has not been assigned any view permissions for own zones, these zones won't show up on the user's screen. Not that it would make a lot of sense, of course.

Why can't users be assigned partial (edit) access to zones? Poweradmin takes it that if you have edit permissions for a zone, you would have enough rights to break the zone entirely. Even if you had partial access (which is not possible), such a user would be able to create severe damage. Because of this, Poweradmin presumes that if a user can be trusted to edit a zone, the user can be trusted to have delete permissions as well.

Pitfalls

Be aware that adding the user_edit_templ_perm, templ_perm_edit or user_add_new permission to a template will indirectly give any user that has this template assigned the user_is_ueberuser right. A user that has been assigned one of these three permissions is able to edit his or her own templates or to create a new user with godlike permissions.

Anyone with root shell access to the server running the Poweradmin web interface or the PowerDNS database server has ueberuser rights.