Managing User Rights and Roles

Starting with version 4.0.7.5, opsi-configed provides the user roles feature.

This module is currently a paid extension. This means that you need a license file to unlock it. You will receive this file after you have purchased the extension. For evaluation purposes, we’re happy to provide you with a temporary license free of charge. Please contact us via email.

In the interface, the existence of the user category in the overview of the server host parameters indicates that this feature is available (but not necessarily active yet). In the property tree, the primary Boolean entry directly under user is:

user.{}.register

with the default value false.

The other entries in this section of the property tree define the default values for the user-specific configuration of the server console (see opsiconfiged Server Console).

Activating the User Roles Functionality

To activate the feature:

Set user.{}.register to true
Import a license file that temporarily or permanently enables the userroles feature

When the functionality is active, an entry is created in the property tree for the logged-in user. The default settings correspond to the classic administrator permissions, i.e., no restrictions are applied initially. Example for the user admindepot1:

user.{admindepot1}.privilege.host.all.registered_readonly	[false]
user.{admindepot1}.privilege.host.depotaccess.configured	[false]
user.{admindepot1}.privilege.host.depotaccess.depots		[]
user.{admindepot1}.privilege.host.opsiserver.write		    [true]

These entries mean:

The user does not have read-only access only
Depot restrictions do not exist or are not enforced
The list of accessible depots can remain empty (as long as depotaccess.configured is false, any selection has no effect)
The user may edit all config server settings

If access should be limited to a specific depot (e.g., depot1):

Set host.depotaccess.configured to true
Set host.depotaccess.depots to ["depot1"]

After a full data reload, only clients and depot settings for depot1 will be visible.

Notice on Permissions

Note: admindepot1 can lift all restrictions as long as host.opsiserver.write is set to true. To fully enforce restrictions, host.opsiserver.write must be set to false.

Read-only Access

A user with read-only access can only use the interface in a view-only mode. This means: - No changes to data or configuration can be made - Functions requiring write permissions are not available - Only information visible in the system can be viewed

Limitation on Other Access Methods

The privileges configured in this way only apply to the functionality of opsi-configed. Other access methods to the opsi-server’s JSON-RPC interface are currently not affected.

Integrating AD/Linux User Groups into opsi

To integrate Active Directory (AD) or Linux user groups into opsi, the opsi configuration opsi.roles can be used. This configuration ensures that users are automatically assigned to a corresponding role when logging into an opsi server. For this purpose, the names of the AD or Linux user groups are stored in the configuration opsi.roles. The configuration opsi.roles is a simple list of groups. These groups can be AD groups as well as local Linux groups. When a user logs in and is a member of one of these groups, he is automatically assigned the corresponding role.

Procedure:

Creating the Configuration First, the opsi configuration opsi.roles is created. This configuration is used to define roles that are associated with AD or Linux user groups. Each role defined in the configuration corresponds to a user group.
User Login Once a user logs in and is assigned to one of the roles defined in the opsi configuration opsi.roles, this role is automatically assigned to the user in the opsi system.
Automatic Role Creation If one of the defined roles does not yet exist in opsi, it will be automatically created upon the user’s first login. After the role is created, the permissions for this role can be configured.