# User groups and permissions

You can access the *groups and permissions* management interface from the webadmin by going into the 'Users' section and clicking the corresponding button:
![](./images/button_to_go_to_permission_interface.png)
## Managing groups

The group mechanism can be used to define groups of users, which can then be used to restrict permissions for applications and other services (such as mail or XMPP). Note that it is *not* mandatory to create a group to do so: you can also restrict access to an app or service on a per-user basis.

Using groups is, however, useful for semantics: for example, if you host multiple groups of friends, associations or businesses on your server, you might want to create groups like `association1` and `association2` and add members of each association to the relevant group.
### Default groups
By default, two special groups are created:

- `all_users`, which contains all users registered on YunoHost,
- `visitors`, which applies to people viewing the server while not logged in.

The content of those groups cannot be changed, only the permissions given to them.
### List existing groups
The existing groups are listed at the top of the *groups and permissions* page.

![](./images/groups_default-groups.png)

To list the currently existing groups in CLI:

```shell
$ yunohost user group list
groups:
  all_users:
    members:
      - alice
      - bob
      - charlie
      - delphine
```
### Creating a new group
To create a new group, simply click on the "New Group" button at the top of the page. You may only choose a name formed with letters (upper- and lowercase) and spaces. The group is created empty and without any permission.

![](./images/groups_button-new-group.png)

In CLI, to create a new group called `yolo_crew`:

```shell
$ yunohost user group create yolo_crew
```
### Updating a group

Let's add a first user to this group: in the group panel, click the button "add a user" and scroll to the desired user, then click on it.

![](./images/groups_button-add-user.png)

To remove a user, click on the cross next to their username, in the group panel.

![](./images/groups_button-remove-user.png)

In CLI, use the following command to add `charlie` and `delphine` to the `yolo_crew` group:

```shell
$ yunohost user group update yolo_crew --add charlie delphine
```

(Similarly, `--remove` can be used to remove members from a group.)

Now in the group list we should see:

```shell
$ yunohost user group list
groups:
  all_users:
    members:
      - alice
      - bob
      - charlie
      - delphine
  yolo_crew:
    members:
      - charlie
      - delphine
```
### Deleting groups
To delete a group, click on the red cross on the top right of the group panel. You will be asked for confirmation.

![](./images/groups_button-delete-group.png)

To delete the group `yolo_crew` in CLI, you may run:

```shell
$ yunohost user group delete yolo_crew
```
## Managing permissions

The permission mechanism allows restricting access to services (for example mail, XMPP...) and apps, or even specific parts of the apps (for example the administration interface of WordPress).
### List permissions
The groups page lists the permissions given to each group, including the special groups `all_users` and `visitors`.

![](./images/groups_default-with-permissions.png)

To list permissions and corresponding accesses in CLI:

```shell
$ yunohost user permission list
permissions:
  mail.main:
    allowed: all_users
  wordpress.admin:
    allowed:
  wordpress.main:
    allowed: all_users
  xmpp.main:
    allowed: all_users
```
Here, we find that all registered users can use email, XMPP, and access the WordPress blog. However, nobody can access the WordPress admin interface.

More details can be displayed by adding the `--full` option, which displays the list of users corresponding to the allowed groups, as well as the URLs associated with a permission (relevant for web apps).
### Add accesses to group or users
To add a permission to a group, simply click the "+" button in the group panel, scroll to the desired permission, then click on it.

![](./images/groups_add-permission-group.png)

To allow a group to access the WordPress admin interface in CLI:

```shell
$ yunohost user permission update wordpress.admin --add yolo_crew
```

Note that you can also allow a single user, by using the specific panel at the bottom of the page.

![](./images/groups_add-permission-user.png)

or in CLI:

```shell
$ yunohost user permission update wordpress.admin --add alice
```
And now we may see that both the `yolo_crew` group and `alice` have access to the WordPress admin interface:

```shell
$ yunohost user permission list
[...]
  wordpress.admin:
    allowed:
      - yolo_crew
      - alice
[...]
```
Note that, for example, if we want to restrict permission for email so that only Bob is allowed to email, we should also remove `all_users` from the permission, by deleting it from the `all_users` group panel, or in CLI:

```shell
$ yunohost user permission update mail --remove all_users --add bob
```
Note that some permissions may be "protected", meaning that you won't be able to add or remove the `visitors` group to/from this permission. Generally, this is because it would make no sense (or is a security risk) to do so.

The webadmin will issue a warning if you set a permission that is superseded by a wider permission.

![](./images/groups_alerte-permission.png)
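
The two points above (removing `all_users` when restricting mail to Bob, and the warning about a permission superseded by a wider one) describe the same condition. As an added example, not part of YunoHost's own code or documentation, the script below reports that condition from text in the layout printed by `yunohost user permission list`. The sample input is constructed; treating `visitors` as wider than `all_users`, and treating any dotted `name:` line as a permission, are assumptions of this example.

```shell
#!/bin/sh
# Added example: report grants made redundant by a wider group
# listed in the same permission.

# Constructed sample in the layout of `yunohost user permission list`.
sample_permissions() {
    cat <<'EOF'
permissions:
  mail.main:
    allowed:
      - all_users
      - bob
  wordpress.admin:
    allowed:
      - yolo_crew
      - alice
  wordpress.main:
    allowed:
      - visitors
      - all_users
  xmpp.main:
    allowed: all_users
EOF
}

# Reads a permission listing on stdin, prints one line per redundant grant.
find_superseded() {
    awk '
    function flush(   i, wide) {
        # Assumption: visitors is the widest group, then all_users.
        wide = ("visitors" in seen) ? "visitors" : (("all_users" in seen) ? "all_users" : "")
        if (perm != "" && wide != "")
            for (i = 1; i <= n; i++)
                if (entry[i] != wide)
                    print perm ": " entry[i] " is superseded by " wide
        n = 0; split("", seen); in_allowed = 0
    }
    function add(name) { if (name != "") { entry[++n] = name; seen[name] = 1 } }
    { sub(/^[ \t]+/, ""); sub(/[ \t]+$/, "") }
    # Assumption: a permission is a "name.sub:" line (keys have no dot).
    /^[^ :]+\.[^ :]+:$/ { flush(); perm = substr($0, 1, length($0) - 1); next }
    /^allowed:/ { in_allowed = 1; add($2); next }   # inline or list form
    /^- /       { if (in_allowed) add($2); next }
    /:/         { in_allowed = 0 }                  # any other key ends the list
    END { flush() }
    '
}

sample_permissions | find_superseded
```

On a server, the same function can be fed the real listing with `yunohost user permission list | find_superseded`.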
### Hide/display specific tiles in the user portal

Since YunoHost 4.1, you can choose to hide/display specific tiles in the SSO. In the webadmin, you can do so by going to the corresponding app view, opening "Manage label and tiles" and checking/unchecking the option "Display the tile in the user portal" for the corresponding permission. In command line, this may be done with:

```shell
# Enable the tile for the WordPress admin interface
$ yunohost user permission update wordpress.admin --show_tile True
```