topic Re: (New) administrator role, without ability to change password in Alfresco Archive

(New) administrator role, without ability to change password

ebogaard — Wed, 05 May 2010 20:48:48 GMT

I'd like to give some other people almost full administrator rights in Alfresc (so not just management rights in a site), so they can manage Alfresco / Share as well.For security reasons, I'd lik to deny them the ability to change the password of other administrators, especially "admin".The question

Re: (New) administrator role, without ability to change password

savic_prvoslav — Fri, 07 May 2010 12:05:47 GMT

http://forums.alfresco.com/en/viewtopic.php?f=9&t=26698

check this out, it should help .

Re: (New) administrator role, without ability to change password

ebogaard — Sat, 08 May 2010 17:33:46 GMT

The thread Savic points to gives some interesting information, but I'm not sure if that's what I need.
The main thing is that I can give another user the rights to enter the admin console and manage the users and groups, but nog be able to change user's passwords (at least not other admin's passwords)

Is this possible, and how?

Re: (New) administrator role, without ability to change password

savic_prvoslav — Sun, 09 May 2010 14:23:14 GMT

Now it is not, but you could use code in that post that I have put there and extend it.
also you could change change user pass dialog for this check isAdmin() and work it from there. really easy code.

Re: (New) administrator role, without ability to change password

ebogaard — Mon, 10 May 2010 20:35:07 GMT

This last option sounds interesting. Does this mean that the user can't change passwords anymore?
Is so, could you give some pointers about the code that is needed?

Re: (New) administrator role, without ability to change password

savic_prvoslav — Mon, 10 May 2010 21:05:32 GMT

You can edit

/jsp/user/users.jsp
<a:actionLink value="#{msg.change_password}" image="/images/icons/change_password.gif" showLink="false" action="dialog:changePassword" actionListener="#{DialogManager.bean.setupUserAction}">

to

<a:actionLink value="#{msg.change_password}" image="/images/icons/change_password.gif" showLink="false" action="dialog:changePassword" actionListener="#{DialogManager.bean.setupUserAction}" rendered="#{NavigationBean.currentUser.admin}">

explanation:
user has right to access user dialog, but would not have right to change pass because he would not be able to see action for this because rendered part.

edit:
you still need to use code to give access to admin console. I can not find time to print you some code, I hope that I will find time for this tomorrow, I wold really like to do this for you, it is fun feature.

intruction:
create filter witch extends "Admin Authentication Filter" witch can be found in web.xml.

before calling super.filter use the code witch I have given . in that code you check if user is in "admin group" and has right to do this( see admin console) .

Re: (New) administrator role, without ability to change password

ebogaard — Tue, 11 May 2010 20:02:31 GMT

This looks promising and is a good way in the right direction.
One remark: the users work in Share, nog Alfresco Explorer. So I need to find the right files and code for Share.

To further explain what I'd like the situation to be:
- I'm the only "super" admin.
- There are some other admins who can work with users groups, but can't change other admin's (and normal users's, if necessary) passwords.
- There are a bunch of normal users with normal permissions.

I think there are two options to get to this situation:
1. Make it so that "normal" administrators can't change other user's passwords, but have all the other permissions.
2. Let users access the administrator console, so they can work with user groups. Problem with thius might be that normal users can put themselves in the admin usergroup, so they can get full permissions.

I think option 1 is the better/safer solution, if combined with diabling access to Alfresco explorer for everyone but the super admin. In that case t is possible to disable the change other user's passwords in Share alltogether. That way only the super admin can change passwords in Alfresco Explorer

Does this clarify things?
Up till now, you've been a great help.

Re: (New) administrator role, without ability to change password

savic_prvoslav — Tue, 11 May 2010 23:07:59 GMT

I am working only with Alfresco Explorer not share, anything with Alfresco Explorer I now know to change and edit to fit my needs, share not so well ( you should see what I have done for my company in the past time )
Solution witch I have given on other forum topic is really good and covers most( you would probably need some coding when you reach bottom line) of needed code for Alfresco Explorer.
–
if you would use this solution you would most likely have all this in Alfresco Explorer but not in share, everything would be same in it .

–
if Alfresco Explorer is exceptable you then use my solution and extend it until you have nice solution, if you need help ask for it. I'll be happy to help.

for share I did some changes for it but it is complicated a bit …

Re: (New) administrator role, without ability to change password

savic_prvoslav — Tue, 11 May 2010 23:34:00 GMT

http://forums.alfresco.com/en/viewtopic.php?f=9&t=26698

relevant code is hire.

Re: (New) administrator role, without ability to change password

ebogaard — Thu, 13 May 2010 15:06:31 GMT

Thanks for all the help.

I ended up editing "tomcat/webapps/share/WEB-INF/classes/alfresco/site-webscripts/org/alfresco/components/console/users.get.html.ftl"
In this file I set some classes to "hidden", so the "New Password" option isn't available to users (or me, but I can still use Alfresco Explorer).

Now I have to find a way to prevent users deleting the "admin"-user => Someone any idea?