Managing User Rights and Roles

Starting with version 4.0.7.5, 'opsi-configed' includes the user roles function.

In order to use this feature, the module user roles must be activated in the modules file.

In the interface, in the overview of the server host parameters, the category user shows whether the function is available (available does not mean active). The user branch of the properties tree starts with a boolean entry

user.{}.register

with default value false.

The other entries at this location represent the default values for the user-specific configurations of the server console.

To activate the user role extension you need to:

  1. Set the value of user.{}.register to true.

  2. Load a modules file that has the userroles extension temporarily or permanently activated.

When the user-role extension is activated, an entry is created in the properties tree for the logged-in user. The default settings used for the administration of rights correspond to the "classic" expectations for an administrator, i.e. the user has no restriction whatsoever. E.g., for a user named admindepot1 the following entries are generated:

user.{admindepot1}.privilege.host.all.registered_readonly	[false]
user.{admindepot1}.privilege.host.depotaccess.configured	[false]
user.{admindepot1}.privilege.host.depotaccess.depots		[]
user.{admindepot1}.privilege.host.opsiserver.write 		[true]

These four items mean:

  • admindepot1 is not restricted to read-only access to the server (pure read-only access might be appropriate for a help desk staff member);

  • depot restrictions do not exist or are not taken into account;

  • consequently, the list of depots available to the user can stay empty (and if some depots are entered, this has no effect);

  • the user is allowed to edit config server settings of all kinds.

If the access of admindepot1 is to be restricted to the clients of the depot server depot1, the following should be set:

  • host.depotaccess.configured is to be set to true;

  • the value "depot1" is to be put into the list host.depotaccess.depots.

After a complete data reload, clients from other depots are no longer visible to admindepot1 (and only the depot settings for depot1 are accessible).

Note, however, that admindepot1 can change these settings him/herself as long as he/she still holds the privilege host.opsiserver.write.

In order to complete the restriction, it is therefore also required to set

  • host.opsiserver.write to false.
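The following script is an added example (not part of opsi or of the original page) that puts the rules above into checkable form: it parses the user.{name}.privilege.* entries from a list of config objects, works out which clients opsi-configed would show a user, and flags the incomplete restriction case where depot access is configured but host.opsiserver.write is still true. The input format (dicts with "id" and "defaultValues", as the JSON-RPC method config_getObjects returns them) is an assumption, and the config dump and client list are constructed sample data.

```python
"""Audit opsi-configed user-role privileges from a config dump.

Added example, not part of the opsi project. It assumes config objects
shaped like the output of the opsi JSON-RPC method config_getObjects
(each with "id" and "defaultValues"); the sample data is constructed.
"""
import re
from dataclasses import dataclass, field

# user.{<name>}.privilege.<key>; the empty-name defaults user.{}.* are skipped.
PRIV_RE = re.compile(r"^user\.\{(?P<user>[^}]+)\}\.privilege\.(?P<key>.+)$")

# Constructed sample: admindepot1 was registered and then only partially
# restricted (depot access configured, but opsiserver.write still true);
# helpdesk is fully restricted to depot1 and depot2, read-only.
SAMPLE_CONFIGS = [
    {"id": "user.{}.register", "defaultValues": [True]},
    {"id": "user.{admindepot1}.privilege.host.all.registered_readonly", "defaultValues": [False]},
    {"id": "user.{admindepot1}.privilege.host.depotaccess.configured", "defaultValues": [True]},
    {"id": "user.{admindepot1}.privilege.host.depotaccess.depots", "defaultValues": ["depot1"]},
    {"id": "user.{admindepot1}.privilege.host.opsiserver.write", "defaultValues": [True]},
    {"id": "user.{helpdesk}.privilege.host.all.registered_readonly", "defaultValues": [True]},
    {"id": "user.{helpdesk}.privilege.host.depotaccess.configured", "defaultValues": [True]},
    {"id": "user.{helpdesk}.privilege.host.depotaccess.depots", "defaultValues": ["depot1", "depot2"]},
    {"id": "user.{helpdesk}.privilege.host.opsiserver.write", "defaultValues": [False]},
]

# Constructed client list: client id -> depot the client is assigned to.
SAMPLE_CLIENTS = {
    "pc1.depot1.example": "depot1",
    "pc2.depot1.example": "depot1",
    "pc3.depot2.example": "depot2",
    "pc4.depot3.example": "depot3",
}


@dataclass
class UserPrivileges:
    # Defaults mirror the unrestricted entries generated for a new user.
    readonly: bool = False
    depotaccess_configured: bool = False
    depots: list = field(default_factory=list)
    opsiserver_write: bool = True


def parse_privileges(configs):
    """Collect the four privilege entries per user from a config dump."""
    users = {}
    for cfg in configs:
        m = PRIV_RE.match(cfg["id"])
        if not m:
            continue
        priv = users.setdefault(m.group("user"), UserPrivileges())
        key, values = m.group("key"), cfg.get("defaultValues") or []
        if key == "host.all.registered_readonly":
            priv.readonly = bool(values and values[0])
        elif key == "host.depotaccess.configured":
            priv.depotaccess_configured = bool(values and values[0])
        elif key == "host.depotaccess.depots":
            priv.depots = list(values)
        elif key == "host.opsiserver.write":
            priv.opsiserver_write = bool(values and values[0])
    return users


def visible_clients(priv, clients):
    """Clients opsi-configed would show: all of them while depot access is
    not configured (the depot list is ignored then), otherwise only those
    assigned to one of the listed depots."""
    if not priv.depotaccess_configured:
        return sorted(clients)
    return sorted(c for c, depot in clients.items() if depot in priv.depots)


def restriction_findings(priv):
    """Spot inconsistent or incomplete restrictions for one user."""
    findings = []
    if priv.depotaccess_configured and not priv.depots:
        findings.append("depot access configured but depot list empty: user sees no clients")
    if not priv.depotaccess_configured and priv.depots:
        findings.append("depot list set but depotaccess.configured is false: list has no effect")
    if priv.depotaccess_configured and priv.opsiserver_write:
        findings.append("user keeps host.opsiserver.write and can lift the depot restriction")
    return findings


if __name__ == "__main__":
    for name, priv in parse_privileges(SAMPLE_CONFIGS).items():
        print(name, visible_clients(priv, SAMPLE_CLIENTS), restriction_findings(priv))
```

Run against a real dump, the third finding is the one to act on: it is exactly the case described above, where the user can still edit the config server settings and therefore undo the depot restriction.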

The privileges set in this way restrict only the functionality of 'opsi-configed'; they are enforced by the management interface, not by the opsi server. At present they have no effect when the JSON-RPC interface of the opsi server is accessed by other means (e.g. a script or another client), so they should be regarded as a convenience for operating the console rather than as a security boundary on the server side.