-
-
Notifications
You must be signed in to change notification settings - Fork 4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Group admin can delete users outside his group #3630
Comments
Please see owncloud/core#3362, which appears to be the same issue. |
@nickvergessen Is this fixed with #3141? |
I didn't touch deleting, but just removing people from groups. |
I think you can argue that both ways are desired behaviour. |
@nickvergessen I must disagree with the following statement:
The problem is that if deletion is allowed, the actions of subadmins are not confined to their areas of authority, hence it is not a matter of preference¹, it is a matter of deficient design. ¹ "Subadmins" with permission to delete users site-wide would be made admins of every group in the system, although in reality the problem may stem again from a suboptimal design. It appears to me that either there should be at least two kinds of administrative user: "site admin" and "group admin", or every user should be forced to belong to at least one group (at the moment it is possible for users to not belong to any groups). |
I opened this as a bug years ago owncloud/core#8244 but unfortunately nobody took it seriously. It's a bug that destroys data. It can't be intentional, otherwise the design is so way off that the designers should never, ever touch a SW project again. I gave up on this ever being resolved and stopped using group admins altogether. So did everybody else I know who hosts their own nextcloud/ownclud installation. |
Same here.
The fact that you are referring to those users as subadmins made me think that your mental model is possibly different than mine. For a subadmin, the current behaviour is (probably / arguably) OK-ish. However, in my mental model, note that I am referring to More than a config option, looks like what would be needed here is either clarifying the requirements and the naming (what does a "subadmin" / "group admin" do? and what is that role called?), or having two separate roles. In my experience, I have found “group admins”¹ more useful than “subadmins”², but maybe it just depends on the specific scenarios I am familiar with. ¹ defined as “a user with administrative privileges over the specific groups he/she is an admin for, including adding and removing users from that group, and configuring other group options.” ² “a user with administrative privileges, not necessarily confined to specific groups, at a level lower than a ‘super admin.’” |
Hi, I opened issue #7381 because I didn't notice this one right here. I'm really wondering why nothing happened here for such a long time. My problem here is - and I mentioned that in my issue: |
@MorrisJobke @nickvergessen @rullzer since I'm right in the middle of this, can we decide what behavior we want? Do we want to allow subadmins to delete users? Or should e leave it to admins only? |
The current use-case should not be broken. |
So we close this? |
@nickvergessen @skjnldsv Can you please elaborate what you mean by the current use-case should not be broken? As long as a group admins can delete users, which are a) group admin themselves or b) also belong to another group as normal users, group admins cannot be used. |
I really would like to know in which crazy scenario the developers would seriously consider using group admins as they are currently implemented. I mean you make me a group admin and you add yourself to that group. Then I delete your user and all your data is gone, even though you are also a group admin and belong to other groups. How do you like this? Does this make any sense? I'm truly puzzled by this kind of design, if you can call it that. I'm sorry, if I sound a bit negative, but this issue has been open for 4 years (see owncloud/core#8244) and we are no closer to solving this group admin disaster. |
@tessus we'll have a discussion about this today :) |
I know that this is a very hot topic and there are a handful great concepts that could make group admins a very useful feature. However, I am afraid the design and implementation will rather take a long time and as an interim workaround (see it as a pain relief) I'd suggest the following:
This should be fairly easy to accomplish and could be an interim solution while a real hierarchical solution is designed and implemented. |
@tessus Thanks, we'll take it in consideration! :) |
So we discussed a bit about this and there are multiple options how sub admins can work:
IMO @skjnldsv Do I have everything covered from our discussion yesterday? @nickvergessen @blizzz Opinions? |
I'd 3 to stay away from config options, however it would change the current behaviour… that can be only maintained with four. I can understand the issues the reporters have, therefore leaving it like it is, is likely not that great. So → 4. The thing with disable/enable is that it is having effects outside of the group. Yet another option? Tend to leave it instead, but it should be made clear what the action does effectively. |
I really do feel very strongly about this topic, thus I feel it necessary to comment on these items.
In this case a user can also be deleted, when this user is part of another group. This option will create the same mess and confusion that currently exist. Also, this option means basically, leave it as is.
This is a much better solution, but the action should not be called 'Delete', but rather
Also a good solution, but the hardest to implement. Especially since this option also has a few additional challenges which have not been put up for discussion and unless this option is carefully designed, it will result in major troubles at some point in the future: a few examples:
This can be confusing and potentially dangerous.
Disabling is almost as bad as deleting, if the user also belongs to another group, What right does the subadmin have to revoke my access to the system? The subadmin can remove me from the group, but disabling my user, just because I'm also part of his/her group is not ok. I really think that the term Whenever a user can delete someone else, this action must be thoroughly guarded. As mentioned so many times before, it cannot be part of the design that a user can delete another user just because that user is also part of the subadmin's group. I believe the only valid solution (out of the 4 options described above, unless these items are fleshed out and the |
I don't see this as a problem. It's basically the same as a group admin can change the quota to 0 and you are also quite limited then. That's what an group admin can do. Nothing we should be afraid of. Group admins should distribute the load of user management to more people and not restrict them, because they "have too much power". That's the whole point of group admins - they should be able to administrate. |
This is eactly my point. If you want to share the load, just create a few admins. A group admin should be able to administer a group, but not affect things that are out of their purview. Quota is another example. Why should group admins be allowed to reduce my quota, just because I'm part of their group. In that case I never want to be part of someone's group, if all of a sudden, I can be deleted or my quota be reduced, even though my user existed before this group was even created. This is what I'm talking about. A group admin must be well defined. It comes down to one simple rule which can be used as a starting point for all other decisions. But this rule is key and paramount to access control: A group admin must never be allowed to affect permissions/credentials/rights/access/settings out of their purview. |
Then this is the wrong concept for you. We will not remove all the permissions of group admins. That was never the idea of group admins.
Quota is still something a group admin should be able to change. Same as name or email address. |
This might very well be the case, but I believe I'm starting to understand what you and the developers want this feature to be and what I and other users think it is. I believe there's a fundamental misunderstanding, especially due to the fact that Nextcloud mixes concepts which are mutually exclusive. How the developers see this feature Allow users to be administered by a separate admin, in which the "group admin" can do everything an admin can do. Although I will call this an Please note that this is not the case in Nextcloud and this is the reason for the confusion. Nextcloud mistakes organizations for groups. How the rest of the world sees groups For people who come from system or database administration roles, a group is a way to grant access to several people at once (or remove/revoke) that access. A real life example A company is using Nextcloud groups for different projects. Users who work on a project are a member of the project's group. Conclusion I really would love to be able to use a whiteboard right about now.
Your concept (as Nextcloud developers see groups) will only work, if Therefore Nextcloud must understand set theory and relations. There must not be any intersection between sets and there must be a distinction between a group and an organization. e.g.: Any ' users or groups can ever intersect with non ' users and groups. |
Hi, I agree with tessus. Beside using NC privately myself, I'm also evaluating NC for my company; and group admins are one of a few things that still don't work for our business use cases. But neither does it work for my private installation.
It seems that use cases of some functions/ features in NC are getting idealized too much. In real life scenarios permissions need to be more granular because there are a lot users out there, who know how to work with Excel, Powerpoint and Sharepoint but are in general very insecure when using computers. Software need to be foolproof to a certain point to avoid stupid mistakes of their users. At least in my point of view. But even apart from that it feels totally wrong that a group admin can delete users that belong to another group as well and should be out of scope actually. |
Months later.... ...what has been the outcome of your internal discussions? As mentioned before, this topic has been an issue in ownCloud for years, now it seems it will be the same with Nextcloud. Do you guys at least understand after the comments in this issue how people outside the Nextcloud development team understand groups and how administration works? (This was not sarcasm, nor being facetious. This is an honest question.) |
I also expected another concept of group admins for a long time. Now I'm not using it anymore as I don't see a benefit but rather a risk in the current implementation. Still, I would appreciate a new "logical" concept of group administration. |
@TomTurnschuh almost everyone who is in IT and understands groups has an issue with Nextcloud's group admin implementation. Unfortunately this is one of the topics that have been ignored for years. I opened the first one 4 or 5 years ago with owncloud. there's always some sort of promise that the developers will review and look into it, but then the discussions are suspended and the problem ignored due to more important, new features. IMO they are afraid to admit that their design in this regard is utterly flawed and should have never been implemented in this way. some devs still think that their concept makes sense and therefore this will never be resolved or fixed. It is working as designed. It's unfortunate, but true. The only thing you can do is NOT using group admins (like the rest of the world). The developers have never proven or even stated that anyone in their right mind is actually using their group admin implementation. Yet again, I believe the only people who are using it are themselves. I have given up and don't even try to touch this topic anymore. Now and then I add a comment to vent a little, but that's it. |
@tessus you're the opposite of being constructive and I really hate that.
Oh no, we completely agree that there is something to be done here. Otherwise this topic would have been close for a long time. We have plenty of people using the groups admin the way it is currently implemented. That doesn't mean we don't need to change something anyway, but this is a blocker for us.
Please stop, unless you really have a real solution for this. |
@skjnldsv I had more than just one constructive comment. see:
They just got ignored as always. The only time one of you devs are responding is when you are angry about my comments. And yes, it is a community project. This also means you should be listening to the community instead of mocking anyone who thinks that there's room for improvement and points out the issues.
Seriously, you devs have been agreeing for several years now that something has to be done? You must be joking.
I do and I have already written down the solution. (see section Conclusion in 3. above)
I don't plan to just rant, but maybe you want to read my comments where I don't rant. It's not fair just looking at those and threaten to block me. |
You do realise that because no work have been done on this feature yet doesn't mean we disagree with what have been suggested, right? Whatever your opinion is on this, your messages are really out of place and hurtful. |
No I don't, but since this has been open for almost 5 years (this group admin discussion started when the project was still ownCloud) one could expect that it has the highest priority. Instead new features are implemented instead of fixing this one. No worries, I have unsubscribed from this thread. I won't be posting anymore. |
Evidence, please. |
This bug is a huge problem if you run a decentralized nextcloud instance with lot's of different groups that can and should govern itself. It's not an issue if you just plug Nextcloud into the corporate LDAP/university shibboleth... It probably won't happen because most users that need this can't pay for it but if you think about re-organising the permission system please design it in such a way that such decentralized usecases are possible. I'm writing this comment after mailing this issue with a warning to be careful in group-admin to the tenth person over the past year now... You are doing great work, but I think stuff like this should just work (tm) out of box or at least should be possible in the permission model. talk is cheap, I know but powerful decentralized administration would be a huge feature for Nextcloud. |
Without wanting to tread on poisoned ground, I still want to at least chime in with my 2cents: I too would and did not expect group admins to be able to register / remove users from the instance, but much rather manage the group. So adding / removing users to and from groups. Nothing more. And in our use case of a collaboration tool for a somewhat large volunteer organization and only a small team of (equally volunteer) support agents this would actually be how we'd love to employ this, but cannot due to the current high permission set of group admins. Maybe this is what the circles app is supposed to be for in the future? Although without the ability to create your own circles unsupervised. So my question: Is the concept of a single checkbox (defaults to false), which removes the group admin's permission to register / remove users to / from the instance completely out of the question? Or would it be a feature which it would be worthwhile to work on or at least come up with a plan? |
Good morning, being the systems administrator of an educational facility we use Nextcloud for our file sharing needs, avoiding sharepoint like the devil. :) Aside from the usual smaller problems, not having what was called Group MANAGERS, meaning admins that can add and remove users from the group they are given manager rights is indeed quite a problem. We are using circles by now, but not all apps can use them (eg. Talk), and it seems the development of the circles has somewhat faded away. Reading this thread and the time that passed since this issue was brought up seems to leave only the way of programming something using the OCC API which can create groups and add / remove users from them - without letting the group admins in the main GUI delete people from the whole system. Either a separate php script with EXECs will be needed - or an App that adds the functionality to the main system. We will see into that. In total NC is a great system that we use on a very large scale, also considerung buying a support contract to support what we use (we have an OpenSource policy here), but why there is not, as mentioned, a new layer that allows groups to be maintained by such group managers and having a separate sub admin level as it is by now is a bit beyond my understanding. With regards, teqq.at |
Good Morning Everyone, I just stumbled about this issue. For me it is a big problem that my group admins can completely delete users and all their data even if they are members in other groups as well. Let's say Paul is member of GroupA and GroupB. In Group A he is not needed anymore so groupadminA thinks it is fine to delete Paul. But groupadminA doesn't know that Paul is the owner of a calendar and some important files that he shares with group B. So groupadminA can interfere with Group B's work without even knowing. Even if Paul is groupadmin for GroupB groupadminA can delete him. I consider this very dangerous and in no case desired behaviour so I would be very glad if there could you developers could think this over and keep this on the roadmap. Thanks a lot, Richie |
Good morning, it IS dangerous. We are an educational institution with 500 employees and over 4000 students, and you can imagine my surprise when students were deleted not only from groups by our tutors but from the complete system. Took quite some time to find out what happened there and almost gave our SharePoint-Advocates a good edge... We are currently using Circles, with the drawback that we have no OCC hook to automatically add students to their circles and giving them file share access to the departments and tutors shares. The latter are done by OCC semi-manually. LDAP is in reconstruction, thou - but that still does not allow self-management by the tutors for their very own groups. Have a nice day, teqq |
In the meanwhile, I'm still waiting for evidence from @skjnldsv that
As I understand, that sole assertion is the entire reason why nothing has been done in this matter, but not a shred of evidence has been provided that the assertion is indeed true (let alone germane), as opposed to the many statements from actual, everyday users presented in this discussion. |
That is not how I'm used to collaborate with people. Please keep it civil or we'll lock this thread. Thanks for everyone that replied with constructive comments! ✌️ John |
Hi, Can I ask everyone to stay friendly please? Consider everyone here a volunteer, including Nextcloud GmbH employees - we are only employed to work for our customers, not everyone on the internet. If a customer had an issue with this feature, we would of course have resolved it. As that is not the case, we have to focus our efforts on the countless other things to work on. Also, while I realize it is work and takes time for you, please dont' consider adding your opinions or needs a contribution. We have plenty of opinions and feature ideas that we are working on, so generally we only implement what fits our strategic plans or what customers ask for. As this turned out to be expected and intended behavior, this issue is a feature request and thus low priority. Anyhow, on to the subject. I think that the use case many of you have, as described by @teqqat is indeed covered by circles. I know circles doesn't work in all apps, we've got this on our roadmap to improve and integrate deeper. Nextcloud 16 will already make some steps in that direction. Another part will be the guest app, which is ready for 16 as well. Renaming the 'group admin' to 'sub admin' will probably take care of most of the confusion here and we'll probably do that. For the rest - well, if you have needs that are not covered (and I'm sure some of you do), you have no less than five options:
Please note that just ranting isn't one of the options that gets either you or us any closer to a solution. |
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
STOP! |
As this sounds like a nice feature, currently there are no plans to implement such a feature. Thus I will close this ticket for now. This does not mean we don't want this feature, but it is simply not on our roadmap for the near future. If somebody wants to implement this feature nevertheless we are happy to assist and help out. If you wish to have this feature implemented by the Nextcloud GmbH there is the option for consulting work on top of your Nextcloud Enterprise subscription to get your features implemented. |
Steps to reproduce
Management
,Engineering
Ana
Ana
a member ofEngineering
Ana
a group admin forEngineering
(do not make her a super admin!)Bertrand
Bertrand
a member ofManagement
andEngineering
Ana
Ana
, delete userBertrand
Expected behaviour
Either:
Ana
should not have the option to delete userBertrand
, orAna
's "deletion" action should only removeBertrand
from the groupsAna
is an admin of, instead of deleting the user.Actual behaviour
Ana
deletesBertrand
(without so much as a confirmation message!)Server configuration
Operating system: openSUSE Leap 42.1 (x86_64)
Web server: nginx 1.11.9-69.1
Database: sqlite
PHP version: PHP 5.6.30
Nextcloud version: 11.0.1.2
Updated from an older Nextcloud/ownCloud or fresh install: updated from 10 or so
Where did you install Nextcloud from: Nextcloud website
Signing status:
Signing status
List of activated apps:
App list
The content of config/config.php:
Config report
Are you using external storage, if yes which one: No
Are you using encryption: No
Are you using an external user-backend, if yes which one: None
Client configuration
Browser:
Operating system:
Logs
Web server error log
Web server error log
Nextcloud log (data/nextcloud.log)
Nextcloud log
Browser log
Browser log
The text was updated successfully, but these errors were encountered: