
All users have 'Admin Console'

bdgregg
Champ in-the-making
We've just installed Alfresco Community Edition 3.2 and all seems to be working well, and if the system performs well we may move to the supported version.

We are very concerned about security within the application.  We've configured our authentication to use alfrescoNTLM and passthru with no ldap sync.  This seems to be working very well as all users can authenticate and get on to the system. 

However, ALL users have the "Admin Console" link at the top when they log in to Alfresco Share.  I as the admin have logged in and cleared everyone out of the "ALFRESCO_ADMINISTRATORS" group except for 'admin' to ensure no one but admin is an admin.  All users still have the "Admin Console" link showing and are able to perform admin functions including adding users to the "ALFRESCO_ADMINISTRATORS" group.  Having all users as an Administrator is of course a bad thing, but I am unsure where this is coming from.

As for security, if and when the above is fixed and all users are not granted admin, are the permissions set upon created sites enforced between the web client, CIFS, webdav, etc.  such that persons not included in a private site are not able to upload/download/see files in the windows file share or webdav?  We wish to create a few sites that are very restricted and we want to ensure NO unauthorized users are able to access information within these sites.  Please tell me this is true and works.

Thanks all in advance.

mikeh
Star Contributor
For your "admin" issue - do users seem to have admin access when using the Explorer (JSF) client at /alfresco ? It sounds like something to do with your underlying configuration rather than a Share UI bug, as the users do actually seem able to perform admin-only operations. Maybe post your config (redact any IPs, server names, etc.)

As to your second question: yes, the permissions are enforced on the Repository, so this includes all input paths.

Thanks,
Mike

bdgregg
Champ in-the-making
Mike,

Seems all users can post in any "private" site.

Here's the alfresco-global.properties…

###############################
## Common Alfresco Properties #
###############################

#
# Sample custom content and index data location
#-------------
dir.root=./alf_data

#
# Sample database connection properties
#-------------
db.name=alfresco
db.username=alfresco
db.password=dontbelieveit
db.host=localhost
db.port=3306

#
# External locations
#-------------
ooo.exe=/usr/bin/soffice
#img.root=./ImageMagick
swf.exe=/usr/local/bin/pdf2swf
img.root=/usr/local
img.exe=/usr/local/bin/convert

#
# MySQL connection
#-------------
db.driver=org.gjt.mm.mysql.Driver
db.url=jdbc:mysql://${db.host}:${db.port}/${db.name}
hibernate.dialect=org.hibernate.dialect.MySQLInnoDBDialect

#
# Index Recovery Mode
#-------------
#index.recovery.mode=Auto
index.recovery.mode=FULL

#
# Outbound Email Configuration
#-------------
mail.host=smtp.server.univ.edu
mail.port=25
#mail.username=anonymous
#mail.password=
mail.encoding=UTF-8
mail.from.default=alfresco@alfresco.server.univ.edu
mail.smtp.auth=false

#
# Alfresco Email Service and Email Server
#-------------

# Enable/Disable the inbound email service.  The service could be used by processes other than
# the Email Server (e.g. direct RMI access) so this flag is independent of the Email Service.
#-------------
#email.inbound.enabled=true

# Email Server properties
#-------------
#email.server.enabled=true
#email.server.port=25
#email.server.domain=alfresco.com
#email.inbound.unknownUser=anonymous

# A comma separated list of email REGEX patterns of allowed senders.
# If there are any values in the list then all sender email addresses
# must match.  For example:
#   .*\@alfresco\.com, .*\@alfresco\.org
# Allow anyone:
#-------------
#email.server.allowed.senders=.*

#
# The default authentication chain
# To configure external authentication subsystems see:
# http://wiki.alfresco.com/wiki/Alfresco_Authentication_Subsystems
#-------------
#authentication.chain=alfrescoNtlm1:alfrescoNtlm
authentication.chain=alfrescoNtlm1:alfrescoNtlm,passthru1:passthru
ntlm.authentication.sso.enabled=false
alfresco.authentication.authenticateCIFS=false
passthru.authentication.authenticateCIFS=true

#
# IMAP
#-------------
imap.server.enabled=true
imap.server.port=143
imap.server.host=alfresco.server.univ.edu

#Sharepoint Protocol Support
vti.server.port=7070
vti.alfresco.depoloyment.context=/alfresco
vti.alfresco.alfresoHostWithPort=http://alfresco.server.univ.edu:8080
vti.share.shareHostWithPort=http://alfresco.server.univ.edu:8080
#

#CIFS Server
cifs.enabled=true
cifs.serverName=${localname}
cifs.ulrfile.prefix=http://${localname}:8080/alfresco/
cifs.ipv6.enabled=false
cifs.WINS.primary=10.0.185.225
cifs.WINS.secondary=10.0.57.225
#

Thanks for looking at this.  MUCH appreciated.

mikeh
Star Contributor
I'll ask our resident subsystem expert to have a quick look. In the meantime, you could try specifically setting passthru.authentication.defaultAdministratorUserNames to a specific account as described here.

Thanks,
Mike

bdgregg
Champ in-the-making
Mike,

Never mind - I found my error. 
When setting up the passthru-authentication-context.properties file, I included the test account in the defaultAdministratorUserNames field (and forgot I did so).

The "Admin Console" link went away when I had someone else try to log in.

Sorry about this.

Thanks for making me double and triple check my config.  At least I know it wasn't a bug.

Thanks again.
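
The misconfiguration found at the end of this thread, a forgotten account left in defaultAdministratorUserNames, can be caught with a configuration audit. The following is an added example, not code from the thread or from Alfresco: it scans properties text for any key ending in defaultAdministratorUserNames and reports accounts outside an approved list. The sample file contents, the account names and the approved list are constructed for illustration.

```python
# Added example (not from the thread): flag accounts that a
# *defaultAdministratorUserNames property promotes to administrator.
ADMIN_KEY_SUFFIX = "defaultAdministratorUserNames"

def parse_properties(text):
    """Parse Java .properties text: '#'/'!' comments, '=' or ':' separators,
    and trailing-backslash line continuations."""
    props, pending = {}, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if not line or line[0] in "#!":
            continue
        if line.endswith("\\"):
            pending = line[:-1]  # value continues on the next line
            continue
        cut = min((i for i in (line.find("="), line.find(":")) if i != -1),
                  default=len(line))
        props[line[:cut].strip()] = line[cut + 1:].strip()
    return props

def unexpected_admins(files, approved):
    """files maps a file name to its properties text. Returns sorted
    (file, key, account) tuples for admin accounts not in `approved`."""
    allowed = {a.lower() for a in approved}  # assumes case-insensitive logins
    findings = []
    for name, text in files.items():
        for key, value in parse_properties(text).items():
            if not key.endswith(ADMIN_KEY_SUFFIX):
                continue
            for account in (v.strip() for v in value.split(",")):
                if account and account.lower() not in allowed:
                    findings.append((name, key, account))
    return sorted(findings)

# Constructed sample input; the account names are hypothetical.
SAMPLE = {
    "alfresco-global.properties":
        "authentication.chain=alfrescoNtlm1:alfrescoNtlm,passthru1:passthru\n"
        "#passthru.authentication.defaultAdministratorUserNames=olduser\n",
    "passthru-authentication-context.properties":
        "passthru.authentication.defaultAdministratorUserNames=admin, \\\n"
        "    testuser\n",
}

if __name__ == "__main__":
    for name, key, account in unexpected_admins(SAMPLE, {"admin"}):
        print(f"{name}: {key} grants admin to unapproved account {account!r}")
```

Commented-out settings are ignored, so only values the server would actually load are reported.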