Overview
WebADM includes the concept of delegated administration and distinguishes between Super Administrators and Other Administrators.

- Super Administrators: LDAP administrators (e.g., AD Domain Admin users) listed in the super_admins section of conf/webadm.conf. They have unlimited access to all WebADM features.
- Other Administrators: Delegated administrators whose permissions are defined through WebADM AdminRole objects. An Other Administrator is any LDAP user who is a member of one or more AdminRoles. AdminRoles define precisely which features and administrative operations are allowed for these users.

Important Points:

- LDAP Access Rights: Access rights for both Super Administrators and Other Administrators must also be configured at the LDAP server level using dedicated LDAP ACLs. WebADM enforces AdminRole restrictions only on its own management interfaces (the Admin Portal and the Manager API); it cannot enforce anything at the LDAP protocol level. Restricting operations and features through an AdminRole therefore does not prevent the same administrator from performing those operations with another LDAP client (for example ldapmodify or an LDAP browser) bound with the same credentials.
- AdminRole Storage: All AdminRoles must be stored in the container specified in the WebADM main configuration file (conf/webadm.conf). WebADM reads the roles from that container at session startup, so an AdminRole stored anywhere else is not taken into account.
- AdminRole Application Scope: An AdminRole can be applied to a single administrator account or to a group of administrators. Nested groups are not supported, and an AdminRole can be applied to only one LDAP group. To include users from different groups, create a dedicated group for the AdminRole and add those users to it.
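As an added illustration of the first point (this is not RCDevs code or configuration, and WebADM itself never writes LDAP ACLs), the following OpenLDAP dynamic-configuration LDIF mirrors a delegated role at the directory level: a hypothetical helpdesk group gets write access only to its own user subtree and read-only access to the WebADM container, so that the same restriction the AdminRole applies in the portal also holds for any other LDAP client. Every DN, the group name and the database index are assumptions chosen for the example; adapt them to your directory before applying it with `ldapmodify -Y EXTERNAL -H ldapi:///`.

```ldif
# Constructed example: enforce an AdminRole's scope with slapd ACLs.
# Assumptions: OpenLDAP with cn=config, user data in olcDatabase={1}mdb,
# delegated admins are members of cn=HelpdeskAdmins, their scope is
# ou=HelpdeskUsers, and WebADM objects live under dc=WebADM.
# Rules are prepended ({0}..{2}) so they are evaluated before the existing
# ones; "by * break" hands every other identity to those existing rules.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to dn.subtree="ou=HelpdeskUsers,dc=example,dc=com" attrs=userPassword
  by group.exact="cn=HelpdeskAdmins,ou=Groups,dc=example,dc=com" write
  by self write
  by anonymous auth
  by * break
olcAccess: {1}to dn.subtree="ou=HelpdeskUsers,dc=example,dc=com"
  by group.exact="cn=HelpdeskAdmins,ou=Groups,dc=example,dc=com" write
  by self read
  by * break
olcAccess: {2}to dn.subtree="dc=WebADM,dc=example,dc=com"
  by group.exact="cn=HelpdeskAdmins,ou=Groups,dc=example,dc=com" read
  by * break
```

Because slapd stops at the first matching rule, the helpdesk group's write access ends at the ou=HelpdeskUsers subtree; make sure none of the pre-existing rules that `break` falls through to grants a broad `by users write`, or the delegation is void again. To check the result, bind as a member of the group with `ldapsearch -D <member DN> -W -b dc=example,dc=com` and confirm that only the permitted subtree and the WebADM container are returned, then attempt an `ldapmodify` on an entry outside ou=HelpdeskUsers and confirm it fails with "Insufficient access". On Active Directory the equivalent step is delegating control on the OU to the group (Delegation of Control wizard or `dsacls`) rather than an OpenLDAP ACL.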
Create Admin Role object
From the WebADM Administrator Portal, click on the Admin tab and then on the Administrator Roles box. On the next page, click the Add AdminRole button to create the AdminRole object.
Provide a name for your administrator role that makes its purpose easy to identify, and optionally provide a description.
Click the Proceed and Create Object buttons.
The AdminRole configuration object is created, and you are now in the Administrator Role configurator.
Configure the Admin Role
The settings available in an administrator role are described below.

- Assigned User or Group: The LDAP user or group of administrators to which this role template is assigned. None of the restrictions below apply to super administrators.
- Allowed Addresses: Comma-separated list of IP addresses with netmasks from which the role may be used; logins from any other address are refused.
- Proxy User Admin: Use the WebADM proxy user for all LDAP operations after login. By default, the logged-in administrator's own LDAP identity is used for reading and writing LDAP data. Ensure the permissions of the proxy_user are configured accordingly. Note that with this option enabled the LDAP server only ever sees the proxy user, so per-administrator LDAP ACLs no longer apply to what is done through WebADM and the AdminRole becomes the only restriction; keep the proxy user's LDAP rights to the minimum the delegated tasks require.
- Allowed Interfaces: Controls which administration interfaces are available to the selected administrator(s). Admin enables access to the WebADM Admin Portal; Manager provides access to the JSON-RPC management interface. By default, access to the Manager interface is denied.
- Created Objects: A list of object classes defining which LDAP object types can be created, imported and deleted. Any LDAP object containing at least one of the allowed object classes is authorized for creation, import and deletion.
- Allowed Configurations: Defines the list of configuration objects that can be managed under the Admin menu. Note that graphical access (i.e., browsing capability) to the WebADM configuration containers is required for managing WebADM configurations. This setting restricts which configuration objects can be edited from WebADM but does not prevent an administrator from editing the corresponding LDAP objects through another LDAP interface.
- Allowed Databases: Defines which SQL database tables (logs, localized messages, inventory, SSL certificates, ...) are accessible. The selected tables are read-only by default.
- Managed Databases: Defines which SQL database tables (logs, localized messages and inventory) are accessible in write or edit mode. For logs, write access allows deleting selected entries and purging old events. For Messages and Inventory, write access allows importing and managing entries.
- Allowed Log Files: Defines which WebADM log files are accessible to the other administrators under the Database menu.
- Management Rights: Defines the rights other administrators have regarding LDAP object manipulation, creation and other operations.
- Application Rights: Defines the rights given to other administrators regarding WebADM applications and service configurations.
Below is an example of an administrator role:
Click the Apply button once your role is configured. You can then log in to the allowed interface with an account assigned to this administrator role; the actions available after login must match what has been defined in the role. Remember that this check only covers WebADM's own interfaces: the LDAP ACLs described in the Important Points above are what limit the same account when it uses any other LDAP client.