Manage users and permissions
From the user administration, you can create new users and user groups. A new group is created by typing in the group name while creating or updating a user. A new user group comes without any permissions.
By default, a user who is not a member of the Administrators group can't do anything with rport. From the inventory, you can assign a host to non-admin users. This enables the users to execute any action on the host.
Starting with RPort version 0.9.0, assigning a client to a user gives only minimal rights, such as searching for clients and viewing their inventory. For any further action, like creating tunnels or executing scripts, group permission is needed.
RPort version 0.9.0 has introduced user group permissions. To allow certain actions, you must give permission to a user group.
If two or more groups are assigned to a user and the groups have contradictory permissions, the authorization wins over the denial.
Example: If a user is a member of the groups Red and Blue, and Red allows scripts while Blue denies them, scripts will be allowed.
Keep in mind that client permission is also needed. If a user is a member of a group with scripts unlocked, the user can execute scripts only on the assigned clients.
Starting with RPort version 1.0.0, extended user group permissions are always enabled, and they can't be turned off. That means enabling the tunnels or commands permission for a user group provides optional configuration on the tunnels or commands tab. Checking the tunnels or commands checkbox on the base tab gives unrestricted permissions to tunnels or commands, because the default permission for both is to allow everything.
Members of the Administrators group are granted full permission and can therefore perform any action on all clients.
Having the commands checkbox enabled will enable command execution for the user group. By default, all commands are allowed. By enabling the toggle, fine-grained command permissions can be set up for a user group.
The allow and deny lists consist of regular expressions. Deny rules are checked first. If the deny rules are empty, any command that matches an allow rule will be allowed.
The below example means:
- The user group can execute the exact command sudo reboot.
- The group can restart any service.
- The group can execute any command that contains the keyword hostname.
- Executing systemctl ssh restart will be denied because the deny rule matches first.
The command rules are applied on the rport server. They prevent commands from being dispatched. Client-side command rules also apply and cannot be superseded by server-side rules. If a command is disallowed in the rport.conf client configuration file, this restriction cannot be overruled with the settings shown above.
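The decision logic described above (group permission plus client assignment, deny rules before allow rules, authorization winning over denial between groups, and client-side rport.conf rules that the server cannot overrule) is shown in the following added example. It is a constructed model written for this page, not RPort's own code: the group names, the regular expressions, the `Group`/`User` records and the assumption that patterns are applied with `re.search` (so anchors decide between an exact and a substring match) are all mine, as is the choice that a group with the fine-grained toggle on must match at least one allow rule.

```python
"""Server-side evaluation of RPort-style command permissions.

Constructed model, not RPort's code. Assumptions:
- regexes are applied with re.search, so anchors decide exact vs. substring match
- a group whose fine-grained toggle is on must match at least one allow rule
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Set


@dataclass
class Group:
    name: str
    commands_enabled: bool = False  # the "commands" checkbox on the base tab
    restricted: bool = False        # the fine-grained toggle on the commands tab
    allow: List[str] = field(default_factory=list)
    deny: List[str] = field(default_factory=list)


@dataclass
class User:
    name: str
    groups: Set[str] = field(default_factory=set)
    clients: Set[str] = field(default_factory=set)  # clients assigned in the inventory


def _matches_any(patterns: Iterable[str], cmd: str) -> bool:
    return any(re.search(p, cmd) for p in patterns)


def group_allows(group: Group, cmd: str) -> bool:
    """One group's verdict: deny rules are checked first, then allow rules."""
    if not group.commands_enabled:
        return False
    if not group.restricted:
        return True  # default: every command is allowed
    if _matches_any(group.deny, cmd):
        return False
    return _matches_any(group.allow, cmd)


def user_may_run(user: User, groups: Dict[str, Group], cmd: str,
                 client_id: str, client_side_deny: Iterable[str] = ()) -> bool:
    """Decide whether the server may dispatch cmd to client_id on behalf of user."""
    # Rules from the client's own rport.conf are enforced on the client and
    # cannot be overruled by anything configured on the server.
    if _matches_any(client_side_deny, cmd):
        return False
    # Administrators get full permission on all clients.
    if "Administrators" in user.groups:
        return True
    # Client permission is always needed in addition to group permission.
    if client_id not in user.clients:
        return False
    # With contradictory groups, authorization wins over denial.
    return any(group_allows(groups[g], cmd) for g in user.groups if g in groups)


# Constructed sample configuration mirroring the page's example (not RPort data).
GROUPS: Dict[str, Group] = {
    "Administrators": Group("Administrators", commands_enabled=True),
    "Ops": Group(
        "Ops",
        commands_enabled=True,
        restricted=True,
        allow=[r"^sudo reboot$",            # exactly this command
               r"^systemctl \S+ restart$",  # restart any service
               r"hostname"],                # any command containing the keyword
        deny=[r"^systemctl ssh restart$"],  # checked first, so this wins
    ),
    "Red": Group("Red", commands_enabled=True),                    # unrestricted
    "Blue": Group("Blue", commands_enabled=True, restricted=True,
                  deny=[r".*"]),                                    # denies everything
}

USERS: Dict[str, User] = {
    "alice": User("alice", groups={"Ops"}, clients={"client-a"}),
    "bob": User("bob", groups={"Red", "Blue"}, clients={"client-a"}),
    "carol": User("carol", groups={"Blue"}, clients={"client-a"}),
    "root": User("root", groups={"Administrators"}),
}


def decide(user: str, cmd: str, client_id: str = "client-a",
           client_side_deny: Iterable[str] = ()) -> bool:
    return user_may_run(USERS[user], GROUPS, cmd, client_id, client_side_deny)


if __name__ == "__main__":
    for u, c in [("alice", "sudo reboot"), ("alice", "systemctl nginx restart"),
                 ("alice", "systemctl ssh restart"), ("alice", "cat /etc/hostname"),
                 ("bob", "ls"), ("carol", "ls")]:
        print(f"{u:6} {c!r:30} -> {'allowed' if decide(u, c) else 'denied'}")
```

Running the block shows why the order of checks matters: alice's group allows restarting any service, yet systemctl ssh restart is refused because the deny list is consulted first, and bob is allowed everything even though Blue denies everything, because one authorizing group is enough. The client-side deny list is applied before the Administrators shortcut, since those rules live in the client's rport.conf and the server cannot lift them.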
Having the tunnels checkbox enabled will enable tunnel creation. By default, all tunnels are allowed. Optionally, you can create advanced rules that apply to tunnel creation. Navigate to the Tunnels tab and enable the toggle. Any value that you enter becomes a mandatory setting for the user group when trying to create a tunnel.
Leaving an input field empty means no restriction applies for that field. E.g., if you leave “Bind port on the rport server …” blank, the user group is allowed to create tunnels using any port.
With the settings shown in the below example, the user group is only allowed to create tunnels for RDP and SSH on the TCP ports 22 and 3389. Any other tunnel that does not match these rules will be refused.
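The tunnel rule semantics (every filled-in field is mandatory, an empty field restricts nothing, a group without the toggle is unrestricted, and one permitting group is enough) are worked through in the following added example. It is a constructed model for this page, not RPort's own code: the field names on `TunnelRequest` and `TunnelRule` (scheme, protocol, remote port, bind port on the rport server), the group names and the sample rule matching the SSH/RDP example above are assumptions I made for illustration.

```python
"""Tunnel-creation rules for a user group.

Constructed model, not RPort's code. Assumed rule fields: scheme, protocol,
remote port and the bind port on the rport server. An empty field means that
nothing is enforced for it; any value entered becomes mandatory.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Dict, Iterable, Optional, Set, Tuple


@dataclass(frozen=True)
class TunnelRequest:
    scheme: str                       # e.g. "ssh", "rdp", "http"
    protocol: str                     # "tcp" or "udp"
    remote_port: int                  # port on the client the tunnel points at
    local_port: Optional[int] = None  # bind port on the rport server, None = any free port


@dataclass
class TunnelRule:
    """Empty set = field left blank in the UI = no restriction."""
    schemes: Set[str] = field(default_factory=set)
    protocols: Set[str] = field(default_factory=set)
    remote_ports: Set[int] = field(default_factory=set)
    local_ports: Set[int] = field(default_factory=set)


@dataclass
class TunnelGroup:
    tunnels_enabled: bool = False       # the "tunnels" checkbox on the base tab
    rule: Optional[TunnelRule] = None   # None = toggle off = all tunnels allowed


def check_rule(rule: TunnelRule, req: TunnelRequest) -> Tuple[bool, str]:
    """Every non-empty field of the rule must contain the request's value."""
    checks = [
        ("scheme", rule.schemes, req.scheme.lower()),
        ("protocol", rule.protocols, req.protocol.lower()),
        ("remote port", rule.remote_ports, req.remote_port),
        ("bind port", rule.local_ports, req.local_port),
    ]
    for name, allowed, value in checks:
        # A mandated bind port also refuses requests that leave it unset (None).
        if allowed and value not in allowed:
            return False, f"{name} {value!r} not in {sorted(allowed)}"
    return True, "ok"


def group_permits(group: TunnelGroup, req: TunnelRequest) -> Tuple[bool, str]:
    if not group.tunnels_enabled:
        return False, "tunnels not enabled for group"
    if group.rule is None:
        return True, "ok"  # checkbox on, toggle off: unrestricted
    return check_rule(group.rule, req)


def user_may_create(groups_of_user: Iterable[str], all_groups: Dict[str, TunnelGroup],
                    req: TunnelRequest) -> bool:
    """Authorization wins over denial: one permitting group is enough."""
    return any(group_permits(all_groups[g], req)[0]
               for g in groups_of_user if g in all_groups)


# Constructed example matching the page: only SSH and RDP over TCP on 22 and 3389.
REMOTE_ACCESS = TunnelRule(schemes={"ssh", "rdp"}, protocols={"tcp"},
                           remote_ports={22, 3389})
GROUPS: Dict[str, TunnelGroup] = {
    "RemoteAccess": TunnelGroup(tunnels_enabled=True, rule=REMOTE_ACCESS),
    "NetOps": TunnelGroup(tunnels_enabled=True),   # unrestricted
    "Viewers": TunnelGroup(tunnels_enabled=False),
}


if __name__ == "__main__":
    for req in [TunnelRequest("ssh", "tcp", 22), TunnelRequest("rdp", "tcp", 3389, 20000),
                TunnelRequest("http", "tcp", 80), TunnelRequest("ssh", "udp", 22)]:
        ok, why = check_rule(REMOTE_ACCESS, req)
        print(f"{req} -> {'allowed' if ok else 'refused: ' + why}")
```

Because the bind-port set in REMOTE_ACCESS is left empty, a request with any bind port, or none at all, passes that check, which is the "blank means no restriction" behaviour described above; filling it in would make the bind port mandatory and also refuse requests that leave it unset.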