Manage users and permissions


Create users and user groups

From the user administration, you can create new users and user groups. A new group is created by typing in the group name while creating or updating a user. A new user group comes without any permissions.

Assign clients to users

By default, a user who's not a member of the Administrators group can't do anything with rport. From the inventory, you can assign a host to non-admin users. This enables the users to execute any action on the host.

Starting with RPort version 0.9.0, assigning a client to a user gives only minimal rights, such as searching for clients and viewing their inventory. For any further action, like creating tunnels or executing scripts, group permission is needed.

Assign permissions to user groups

RPort version 0.9.0 has introduced user group permissions. To allow certain actions, you must give permission to a user group.

If two or more groups are assigned to a user and the groups have contradictory permissions, the authorization wins over the denial.

Example: If a user is a member of the groups Red and Blue, and Red allows script while Blue denies it, script will be allowed.

Keep in mind that client permission is also needed. If a user is a member of a group with scripts unlocked, the user can execute scripts only on the assigned clients.

Starting with RPort version 1.0.0, extended user group permissions are always enabled and can't be turned off. That means enabling tunnels or commands permissions for a user group provides optional configuration on the Tunnels or Commands tab. Checking the tunnels or commands checkbox on the base tab gives unrestricted permissions to tunnels or commands, because the default for both is to allow everything.

Members of the Administrators group are granted full permission and can therefore perform any action on all clients.
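The rules of this section as a small model, added here as an example and not taken from RPort's code: a user needs the client assignment and at least one group that grants the permission, and Administrators bypass both checks. The types, function names and client IDs are hypothetical; Overridden lists the groups whose denial is outvoted, which is what a membership review should look for.

```go
package main

import "fmt"

// Group and User are hypothetical types that model the rules described above.
type Group struct {
	Name  string
	Perms map[string]bool // permission name -> granted by this group
}
type User struct {
	Groups  []Group
	Clients map[string]bool // IDs of the clients assigned to the user
}

// Can reports whether the user may use the permission on the client.
func Can(u User, perm, clientID string) bool {
	granted := false
	for _, g := range u.Groups {
		if g.Name == "Administrators" {
			return true // full permission on all clients
		}
		granted = granted || g.Perms[perm] // one allowing group is enough
	}
	return granted && u.Clients[clientID] // client assignment is still required
}

// Overridden lists the groups whose denial of perm is outvoted by another group.
func Overridden(u User, perm string) (denying []string) {
	allowed := false
	for _, g := range u.Groups {
		allowed = allowed || g.Perms[perm]
		if !g.Perms[perm] {
			denying = append(denying, g.Name)
		}
	}
	if !allowed {
		return nil
	}
	return denying
}

// SampleUser is the Red/Blue member from the text; the client ID is constructed.
func SampleUser() User {
	red := Group{"Red", map[string]bool{"scripts": true}}
	blue := Group{"Blue", map[string]bool{"scripts": false}}
	return User{[]Group{red, blue}, map[string]bool{"client-a": true}}
}

func main() { u := SampleUser(); fmt.Println(Can(u, "scripts", "client-a"), Overridden(u, "scripts")) }
```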

Commands permissions

Having the commands checkbox enabled will enable command execution for the user group. By default, all commands are allowed. By enabling the toggle, fine-grained command permissions can be set up for a user group.

The allow list and the deny list consist of regular expressions. Deny rules are checked first. If the deny rules are empty, any command that matches the allow rule will be allowed.

The below example means:

  1. The user group can execute the exact command sudo reboot.

  2. The group can restart any service.

  3. The group can execute any command that contains the keyword hostname.

  4. Executing systemctl ssh restart will be denied because the deny rule matches first.

The command rules are applied on the rport server. They prevent dispatching commands. Client-side rules for commands also apply and cannot be superseded by server-side rules. If a command is disallowed in the rport.conf client configuration file, this restriction cannot be overruled with the settings shown above.
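The four rules listed above, evaluated deny-first, as an added example that is not RPort's own code. The regular expressions are constructed to match the description, CommandRules, Permitted and SampleRules are hypothetical names, and refusing a command that matches no allow rule is an assumption.

```go
package main

import (
	"fmt"
	"regexp"
)

// CommandRules models one user group's allow and deny lists (hypothetical type).
type CommandRules struct {
	Allow, Deny []*regexp.Regexp
}

func compile(patterns ...string) []*regexp.Regexp {
	out := make([]*regexp.Regexp, 0, len(patterns))
	for _, p := range patterns {
		out = append(out, regexp.MustCompile(p))
	}
	return out
}

// Permitted checks the deny rules first, then the allow rules.
// Assumption: a command that matches no allow rule is refused.
func (r CommandRules) Permitted(cmd string) (bool, string) {
	for _, re := range r.Deny {
		if re.MatchString(cmd) {
			return false, "deny rule " + re.String()
		}
	}
	for _, re := range r.Allow {
		if re.MatchString(cmd) {
			return true, "allow rule " + re.String()
		}
	}
	return false, "no allow rule matched"
}

// SampleRules returns constructed patterns for the four points listed above.
func SampleRules() CommandRules {
	return CommandRules{
		Allow: compile(`^sudo reboot$`, `^systemctl .* restart$`, `hostname`),
		Deny:  compile(`ssh`),
	}
}

func main() {
	rules := SampleRules()
	for _, cmd := range []string{"sudo reboot", "sudo reboot now", "systemctl nginx restart",
		"systemctl ssh restart", "cat /etc/hostname", "hostname && id"} {
		ok, why := rules.Permitted(cmd)
		fmt.Printf("%-26q allowed=%-5v (%s)\n", cmd, ok, why)
	}
}
```

The unanchored hostname pattern admits any command line that contains the word, so anchor allow patterns with ^ and $ wherever the group should run one exact command.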

Tunnels permissions

Having the tunnels checkbox enabled will enable tunnel creation. By default, all tunnels are allowed. Optionally, you can create advanced rules that apply to the tunnel creation. Navigate to the Tunnels tab and enable the toggle. Any value that you enter will become a mandatory setting for the user group when trying to create a tunnel.

Not filling one of the input fields means no restrictions apply. E.g., if you leave “Bind port on the rport server …” blank, the user group is allowed to create tunnels using any port.

With the settings shown in the below example, the user group is only allowed to create tunnels for RDP and SSH on the TCP ports 22 and 3389. Any other tunnel that's not matching these rules will be refused.

Assign a client to a user
Tunnels and commands require additional configuration on their own tabs.
Example command rules