
PW3 - Non-Superuser Roles Administration


ridgedale

Reference: PW 3.0.111 and uikit3 based site using the Regular-Master profile.

I wonder if anyone might be able to point me in the right direction. I need to restrict the superuser role to overall administrators of a group of sites, but provide role and permission administration for the administrators of the individual sites. My searches unearthed the following thread:

However, after having already created the sitemanager role and given site administrators the user-admin permission and having then created the role-admin permission and assigned that to the sitemanager role, the users with sitemanager permissions are able to see the Roles item under the Access menu of the backend but no submenu is displayed showing the Add Role option or any of the roles that the administrator should have access to. My intention is that the individual site administrators should have access to assign the guest and sitemanager roles (but not edit them) and be able to create roles with privileges beneath that of sitemanager.

Any advice would be greatly appreciated.

 


Hi @Robin S ,

Thanks again for responding.

What I was doing was following the guidelines provided here: https://processwire.com/api/user-access/permissions/#user-admin-permissions

I had missed the following little nugget of information:

Quote

... a user must have that (user-admin-all (my addition for clarity)) permission (in addition to user-admin permission) in order to edit "all" users in the site (superusers excluded, as before)

Now that the sitemanager can add/remove users s/he still does not have any access to add/remove roles or assign permissions despite the role-admin permission having been added and assigned to sitemanager. The Role menu item is displayed but no sub-menus are available and no Permissions menu is displayed at all.

Not sure what I'm doing wrong, now. Any guidance appreciated.


Right, I understand now. You are wanting to give a role (let's call the role "manager") the ability to edit roles/permissions and add new roles/permissions.

First thing to know is that in doing this you would be going well off the map of what is documented in ProcessWire and straying into some potentially dangerous territory. Normally only superusers manage roles and permissions, and if you decide to deviate from that you'll want to do your own thorough testing. It sounds risky to me and not something to be done lightly.

But I took a look at what's needed to enable this and it seems that the steps are...

Manage roles

1. Create new permission "role-admin".

2. Give this permission to the manager role.

3. Open the "role" template at Setup > Templates (you'll need to show system templates in the filter section). On the Access tab allow the manager role to "Edit Pages" and "Add Pages".

4. Open the "admin" template, and on the Access tab allow the manager role to "Add Children".

Manage permissions

1. Create new permission "permission-admin".

2. Give this permission to the manager role.

3. Open the "permission" template at Setup > Templates (you'll need to show system templates in the filter section). On the Access tab allow the manager role to "Edit Pages" and "Add Pages".

4. Open the "admin" template, and on the Access tab allow the manager role to "Add Children". You can skip this step if you already did it.


Hi @Robin S ,

Thank you again for your reply and detailed instructions.

I am very conscious of the potential pitfalls. What I am aiming to achieve overall is that sitemanagers only have control to manage roles and assign permissions that are equal to and beneath their own assigned rights. I hope that makes sense.

The reason for not allowing sitemanagers to be superusers in this particular instance is that it is a multi-site installation where we don't want sitemanagers creating/editing/deleting templates/fields/logs and/or installing modules. All the sites are effectively run using identical templates and modules. If we allow sitemanagers that level of control it will inevitably lead to an administrative nightmare for the superusers in the long run.

I will delve deeper and look further into this.

Many thanks again for your guidance.


Update:

I can see adding the permission-admin permission to the sitemanager role gives the sitemanager access to all site permissions effectively allowing him/her to create a superuser equivalent role. That is definitely not what I am aiming for.

Is it possible to restrict the permissions the sitemanager can give/remove to those assigned to the sitemanager role?

Otherwise are there any alternative suggestions as to how to restrict sitemanager access, so s/he does not have access to modules, templates, fields and logs, but can manage users, roles and permissions at their own level or below?

 


Maybe create a Process Module (say, Manage Users) that only Superusers and Site Admins can view. Create a simple GUI >>> add foo, add bar, etc. Behind the scenes, you use the API to manage users, roles and permissions. Obviously, you restrict the roles, permissions, etc that the Site Admins can manage. It might seem like re-inventing the wheel, but you avoid the red lines/pitfalls you've mentioned (site admins seeing modules, etc). 

Just my 2p.

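A guard for the restriction asked about in the Update post and described in the reply above, as an added example that is not part of any post in this thread and not ProcessWire's own code: a hook for site/ready.php that rejects a role save by a non-superuser when the role is locked or carries a permission the editor does not hold. It assumes role-admin is set up as in the earlier steps and permission-admin is not granted; the helper name permissionsBeyondEditor is hypothetical, and the behaviour should be confirmed on a staging copy.

```php
<?php namespace ProcessWire;

// site/ready.php (added example; helper name is hypothetical)

/**
 * Names of permissions on $role that $editor does not hold through any
 * of their own roles. A non-empty result means the save would escalate.
 */
function permissionsBeyondEditor(Role $role, User $editor) {
    $excess = [];
    foreach($role->permissions as $permission) {
        $held = false;
        foreach($editor->roles as $own) {
            if($own->hasPermission($permission)) { $held = true; break; }
        }
        if(!$held) $excess[] = $permission->name;
    }
    return $excess;
}

$wire->addHookBefore('Pages::saveReady', function(HookEvent $event) {
    $page = $event->arguments(0);
    if(!$page instanceof Role) return;       // only role pages are guarded
    $editor = $event->wire('user');
    if($editor->isSuperuser()) return;       // superusers stay unrestricted

    // Roles a site manager may assign but never edit (names from the thread).
    $locked = ['superuser', 'guest', 'sitemanager'];
    if(in_array($page->name, $locked)) {
        throw new WireException(
            "Role '{$page->name}' can only be changed by a superuser."
        );
    }

    // Deny by default: every permission on the role must already be the editor's.
    $excess = permissionsBeyondEditor($page, $editor);
    if(count($excess)) {
        throw new WireException(
            'You cannot grant permissions you do not hold: ' . implode(', ', $excess)
        );
    }
});
```

The hook covers role saves only; creating or editing permission pages stays a superuser task under these assumptions.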

Thank you for your feedback @kongondo and insight.

I think at this stage the solution in the short-term is to only allow superusers to create/edit/remove roles and enable just the user-admin and user-admin-all permissions for sitemanagers to allow them to be able to assign the roles pre-defined by superusers. It will also keep the administration simple for future superusers.

Thanks again to both of you for your assistance.
