Authorization, Roles and Groups - munkireport/munkireport-php GitHub Wiki
MunkiReport uses a role-based authorization model: what a user is allowed to do is determined by the role they have. Each user has exactly one role. At the moment there are 5 roles defined:
- Admin
- Manager
- Archiver
- User
- Nobody
No Business Units
When Business Units are not configured, the following authorizations apply. A user that is not assigned the admin, manager or archiver role gets the role of user.
| Role | View | Delete Machine | Archive Machine |
|---|---|---|---|
| admin | All machines | Yes | Yes |
| manager | All machines | Yes | Yes |
| archiver | All machines | No | Yes |
| user | All machines | No | No |
Business Units
When Business Units are enabled, the roles change a little. A user that does not have the admin role and is not found in any Business Unit gets the role of nobody.
| Role | View | Delete Machine | Archive Machine | Edit Business Units |
|---|---|---|---|---|
| admin | All machines | Yes | Yes | Yes |
| manager | BU only | BU only | Yes | No |
| archiver | BU only | No | Yes | No |
| user | BU only | No | No | No |
| nobody | No machines | No | No | No |
A user or manager can only view the first Business Unit they are assigned to. Currently it is not possible to give a single user or manager account visibility into multiple BUs.
Add role to a user
By default, all users have the admin role, so set the admin role explicitly before exposing an instance to real users. To override this default, add the following to .env:
ROLES_ADMIN="your_username"
This gives 'your_username' the role of admin. You can also add groups to a role array:
ROLES_ADMIN="your_username, @admin_group"
This gives all users in the group 'admin_group' the role of admin. Groups can be local groups, LDAP groups or AD groups; make sure you prefix the group name with @.
Local admin group
To make a local admin group, add the following to .env:
GROUPS_ADMIN_USERS=your_username, another username
To reference this group in a roles array, prefix the name with @. You can also use this group in Business Units. At the moment, it is not possible to nest groups.
View session variables
If you want to see the actual authorization settings, and the reason a user got a certain role, you can view the current settings here:
http://example.com/index.php?/auth/set_session_props/1
Authorizations (topic for developers)
There are two authorizations defined:
- global - view everything
- delete_machine - be able to delete a machine from the database
By default, users with the admin role have both the 'global' and the 'delete_machine' authorization. Users with the manager role only have the 'delete_machine' authorization.
You can override the authorizations in .env, but don't do that unless you know what you are doing!
Developers can use the $conf['authorization'] array to create new authorizations based on role.
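The role resolution from the two tables above, the ROLES_/GROUPS_ settings from "Add role to a user" and "Local admin group", and the 'global'/'delete_machine' authorizations from this developer section, modelled together in one runnable Python script. This is an added example and not MunkiReport's own code. The following are my assumptions for illustration, not things the wiki states: settings are passed as a dict of .env-style strings, a GROUPS_<NAME>_USERS key defines a group referenced as @<name> (lowercased), ROLES_MANAGER and ROLES_ARCHIVER follow the ROLES_ADMIN pattern, a Business Unit is a dict with optional "manager", "archiver" and "user" member lists, and all account and group names are made up.

```python
"""Model of the role and authorization rules documented on this page.

Added illustration, not MunkiReport code. Assumptions that are mine, not
the wiki's: settings arrive as a dict of .env-style strings; a group is
defined by a GROUPS_<NAME>_USERS key and referenced as "@<name>"
(lowercased); ROLES_MANAGER / ROLES_ARCHIVER follow the ROLES_ADMIN
pattern; a Business Unit is a dict with optional "manager", "archiver"
and "user" member lists.
"""

# Documented: admin holds 'global' and 'delete_machine', manager only 'delete_machine'.
AUTHORIZATIONS = {
    "global": {"admin"},
    "delete_machine": {"admin", "manager"},
}


def parse_list(value):
    """Split a comma-separated .env value ("a, @b") into trimmed entries."""
    return [item.strip() for item in value.split(",") if item.strip()]


def load_groups(settings):
    """Collect local groups: GROUPS_ADMIN_GROUP_USERS -> groups['admin_group'] (assumed naming)."""
    groups = {}
    for key, value in settings.items():
        if key.startswith("GROUPS_") and key.endswith("_USERS"):
            name = key[len("GROUPS_"):-len("_USERS")].lower()
            groups[name] = parse_list(value)
    return groups


def member_of(username, entries, groups):
    """True if username is listed directly or via an '@group' reference.

    Groups are resolved one level deep only: the wiki says groups cannot be
    nested, so an '@other' entry inside a group's member list never expands.
    """
    for entry in entries:
        if entry.startswith("@"):
            if username in groups.get(entry[1:], []):
                return True
        elif entry == username:
            return True
    return False


def resolve_role(username, settings, business_units=None):
    """Return (role, business_unit) for username following the two tables.

    - No ROLES_ADMIN in .env: everyone is admin (the documented default).
    - ROLES_ADMIN set: listed users/groups are admin regardless of BUs.
    - Without Business Units: ROLES_MANAGER / ROLES_ARCHIVER, else 'user'.
    - With Business Units: the first BU listing the user decides the role
      (manager beats archiver beats user inside that BU); anyone not found
      in any BU is 'nobody'.
    """
    groups = load_groups(settings)
    if "ROLES_ADMIN" not in settings:
        return "admin", None
    if member_of(username, parse_list(settings["ROLES_ADMIN"]), groups):
        return "admin", None
    if not business_units:
        for role in ("manager", "archiver"):
            key = "ROLES_" + role.upper()
            if member_of(username, parse_list(settings.get(key, "")), groups):
                return role, None
        return "user", None
    for bu_name, members in business_units.items():  # dict order = assignment order
        for role in ("manager", "archiver", "user"):
            if member_of(username, members.get(role, []), groups):
                return role, bu_name
    return "nobody", None


def authorized(role, authorization):
    """Check one of the two documented authorizations against a role."""
    return role in AUTHORIZATIONS.get(authorization, set())


# Constructed sample configuration; none of these accounts or groups are real.
SETTINGS = {
    "ROLES_ADMIN": "alice, @admin_group",
    "ROLES_MANAGER": "dave",
    "GROUPS_ADMIN_GROUP_USERS": "bob, carol",
    "GROUPS_HELPDESK_USERS": "grace",
}
BUSINESS_UNITS = {
    "Sales": {"manager": ["dave"], "user": ["erin", "@helpdesk"]},
    "Engineering": {"archiver": ["erin"], "user": ["frank"]},
}

if __name__ == "__main__":
    for name in ("alice", "bob", "dave", "erin", "grace", "zoe"):
        print(name, resolve_role(name, SETTINGS), resolve_role(name, SETTINGS, BUSINESS_UNITS))
    print("everyone is admin when ROLES_ADMIN is unset:", resolve_role("zoe", {}))
```

Running the script prints each sample account's role with and without Business Units. Two results are worth noticing: erin ends up as a user in Sales even though Engineering lists her as an archiver, which is the "first assigned Business Unit only" limitation, and an empty settings dict makes everyone admin, which is why ROLES_ADMIN must be set before an instance is exposed.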