A web-based control panel for PowerDNS

User management

Improvements

The current user management setup is fairly new. Because of this, some of the details may not work as expected. If you have ideas for improving the new user management setup, be sure to discuss them on the mailing list. These permission templates were introduced in version 2.0.0.

Basics of user management in Poweradmin

Basically, user management allows you to have two levels of users. You have "ueberusers", which are users that can do anything within the interface, and you have users with limited rights.

How much each user is allowed to do can be managed using the permission templates. These templates are built up from a set of permissions. Each permission allows the user one or more things. One permission allows the user to see the contents of zones the user owns. Another permission allows the user to edit zones he doesn't own. Yet another permission allows the user to create new supermasters. By adding those permissions to or removing them from a template, and assigning a template to a user, you can control a user's rights.

The permission "user_is_ueberuser" overrules any other permission the user may or may not have been assigned. It gives the user full access to anything that otherwise would require the assignment of some kind of permission. This is normally the kind of permission that an administrator has - and no one else.

"Ownership" is just a phrase to denote zones the user is marked "owner" for. It does not imply any privileges for these zones. These privileges are set using one or more of the permissions added to the template the user has been assigned. A user can be owner of one or more zones, but if the user has not been assigned any "view" permissions for "own" zones, these zones won't show up on the user's screen. Not that it would make a lot of sense, of course.

Why can't users be assigned partial (edit) access to zones? Poweradmin takes it that if you have edit permissions for a zone, you have enough rights to break the zone entirely. Even with partial access (which is not possible), such a user would be able to cause severe damage. Because of this, Poweradmin presumes that if a user can be trusted to edit a zone, the user can be trusted to have delete permissions as well.

Pitfalls

Be aware that adding the "user_edit_templ_perm", "templ_perm_edit" or "user_add_new" permission to a template indirectly gives any user who has this template assigned the "user_is_ueberuser" right. A user that has been assigned one of these three permissions is able to edit his or her own templates or to create a new user with godlike permissions.
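An audit for this pitfall, as an added example that is not part of Poweradmin: it lists every user whose template contains "user_is_ueberuser" or one of the three permissions named above. The table and column names are an assumed, simplified schema, and the templates, users and the two zone permissions in the sample data are constructed for illustration.

```python
import sqlite3

# The full-access permission plus the three the Pitfalls section calls equivalent.
ESCALATING = ("user_is_ueberuser", "user_edit_templ_perm",
              "templ_perm_edit", "user_add_new")

# Assumed, simplified schema: check table and column names against your database.
SCHEMA = """
CREATE TABLE perm_items (id INTEGER PRIMARY KEY, name TEXT);
CREATE TABLE perm_templ (id INTEGER PRIMARY KEY, name TEXT);
CREATE TABLE perm_templ_items (templ_id INTEGER, perm_id INTEGER);
CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, perm_templ INTEGER);
"""

AUDIT_SQL = """
SELECT u.username, t.name, p.name
FROM users u
JOIN perm_templ t ON t.id = u.perm_templ
JOIN perm_templ_items ti ON ti.templ_id = t.id
JOIN perm_items p ON p.id = ti.perm_id
WHERE p.name IN (?, ?, ?, ?)
ORDER BY u.username, p.name
"""

def effective_ueberusers(conn):
    """Return {username: (template, [escalating permissions])}."""
    found = {}
    for user, templ, perm in conn.execute(AUDIT_SQL, ESCALATING):
        found.setdefault(user, (templ, []))[1].append(perm)
    return found

def sample_db():
    """In-memory database filled with constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO perm_items VALUES (?, ?)", [
        (1, "user_is_ueberuser"), (2, "zone_content_view_own"),
        (3, "zone_content_edit_own"), (4, "user_add_new"),
        (5, "templ_perm_edit"), (6, "user_edit_templ_perm")])
    conn.executemany("INSERT INTO perm_templ VALUES (?, ?)", [
        (1, "Administrator"), (2, "Zone manager"),
        (3, "Helpdesk"), (4, "Template editor")])
    conn.executemany("INSERT INTO perm_templ_items VALUES (?, ?)", [
        (1, 1), (2, 2), (2, 3), (3, 2), (3, 4), (4, 5), (4, 6)])
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        (1, "admin", 1), (2, "alice", 2), (3, "bob", 3), (4, "carol", 4)])
    return conn

if __name__ == "__main__":
    for user, (templ, perms) in effective_ueberusers(sample_db()).items():
        print(f"{user}: template '{templ}' grants {', '.join(perms)}")
```

In the sample data only "admin" is meant to be an administrator, yet "bob" and "carol" are reported as well because their templates carry one of the three permissions.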

Anyone with root shell access to the server running the Poweradmin web interface or the PowerDNS database server has "ueberuser" rights.