CrushFTP-specific terms used in this wiki, and related:
An administrator can can delegate administration allowing a limited administrator to create and manage users in their group, and assign folders that they themselves have access to. We'd call this administrator a Restricted Admin account.
First need to create a user Group with the corresponding Group Template account. This latter is to be assigned some top level VFS directory under which the group member users will have their own working directories later on. The same VFS is to be granted to the Restricted Admin, these two settings together will confine both the admin and the group members under that directory, with no escalation possible. This only works for local files.
11.2.2_10+ Supports Connection Profiles at User Manager too. Using Connection Profiles the Restricted Admin can assign remote locations to the group members.
Then grant the admin on the Setup Roles panel the Remote User Only Administration (Limited) role permission, the group name to administer, and eventually restrict the admin roles even further on the Setup Permissions ( limited admin only) panel.
In CrushFTP v10 we now support multiple groups for the same admin. Each group has to have designated it's own Group Template account, and the VFS directories assigned to these need also to be granted to the Restricted Admin, or this latter to be pointed to an upper-level directory.
With the Restricted Admin scenario functional:
1.) If the user is not a member of the group, the change is rejected.
2.) If the home folders being specified are not a subfolder of the home directory that the group user can access, the change is rejected.
3.) If the change involves adding an event to a user that specifies a "plugin" action, the change is rejected.
4.) Other admin escalation permissions are denied too.
These are done to enforce security and prevent privilege escalation. Any attempted violation is logged in the server log for audit purposes.
Finally, the view from a limited admin when they log in. Please note the group selector in the top-center area.
These are done to enforce security and prevent privilege escalation.
- Groups
- a logical way to organize user accounts, our term for an Organizational Unit equivalent. There is a separate wiki on this
- Inheritance
- a way to automatically apply user settings from one user to another. The term roots in object oriented programming. There is a separate wiki on this
- Group Template account
- inheritance parent or archetype account, that parents inheritance for a group of user accounts
- VFS Linking
- loosely related to inheritance, a pointer to a VFS directory of another user account, there is a separate wiki on this
An administrator can can delegate administration allowing a limited administrator to create and manage users in their group, and assign folders that they themselves have access to. We'd call this administrator a Restricted Admin account.
First need to create a user Group with the corresponding Group Template account. This latter is to be assigned some top level VFS directory under which the group member users will have their own working directories later on. The same VFS is to be granted to the Restricted Admin, these two settings together will confine both the admin and the group members under that directory, with no escalation possible. This only works for local files.
11.2.2_10+ Supports Connection Profiles at User Manager too. Using Connection Profiles the Restricted Admin can assign remote locations to the group members.
Then grant the admin on the Setup Roles panel the Remote User Only Administration (Limited) role permission, the group name to administer, and eventually restrict the admin roles even further on the Setup Permissions ( limited admin only) panel.
tab
 |
tab
 |
tab
 |
In CrushFTP v10 we now support multiple groups for the same admin. Each group has to have designated it's own Group Template account, and the VFS directories assigned to these need also to be granted to the Restricted Admin, or this latter to be pointed to an upper-level directory.
With the Restricted Admin scenario functional:
1.) If the user is not a member of the group, the change is rejected.
2.) If the home folders being specified are not a subfolder of the home directory that the group user can access, the change is rejected.
3.) If the change involves adding an event to a user that specifies a "plugin" action, the change is rejected.
4.) Other admin escalation permissions are denied too.
These are done to enforce security and prevent privilege escalation. Any attempted violation is logged in the server log for audit purposes.
Finally, the view from a limited admin when they log in. Please note the group selector in the top-center area.
 |
These are done to enforce security and prevent privilege escalation.
Add new attachment
Only authorized users are allowed to upload new attachments.
List of attachments
| Kind | Attachment Name | Size | Version | Date Modified | Author | Change note |
|---|---|---|---|---|---|---|
jpg |
admin_restricted_base.jpg | 523.6 kB | 1 | 05-Dec-2023 05:32 | Ada Csaba | |
jpg |
admin_restricted_permissions.j... | 206.3 kB | 1 | 05-Dec-2023 05:32 | Ada Csaba | |
jpg |
admin_restricted_roles.jpg | 338.8 kB | 1 | 05-Dec-2023 05:32 | Ada Csaba | |
jpg |
admin_restricted_view.jpg | 176.4 kB | 1 | 05-Dec-2023 05:32 | Ada Csaba | |
png |
connection_profile_restricted_... | 123.5 kB | 1 | 30-Oct-2024 05:12 | krivacsz | |
png |
group_template_user.png | 63.0 kB | 1 | 30-Oct-2024 05:09 | krivacsz | |
png |
limited_admin.png | 50.1 kB | 3 | 05-Dec-2023 05:32 | Ben Spink | |
png |
limited_group.png | 45.5 kB | 1 | 05-Dec-2023 05:32 | Ben Spink | |
png |
limited_view.png | 55.3 kB | 1 | 05-Dec-2023 05:32 | Ben Spink |
«
This page (revision-36) was last changed on 30-Oct-2024 05:13 by krivacsz
G’day (anonymous guest)
Log in
CrushFTP11 | What's New
- WebInterface
- Server Admin
- User Manager
- Client Apps
- CrushBalance Load Balancer
- High Availability
- Self Registration
- Preferences
- Email Templates
- Restrictions
- Replication
- Banning
- Logging
- Encryption
- Alerts
- Folder Monitor
- Tunnels
- Syncs
- User Config
- Search Config
- Preview
- Misc
- Plugins
- Manage Shares
- PGP
- Telnet
- FAQ
- API
- Linux Install
- Virtual Linux Server
- Server Variables
- Google Authenticator and Microsoft Authenticator
- AS2 EDI
JSPWiki