    • 42196
    • 7 Posts
    Hello

    I'm trying to create a MODX site where I can have multiple users who are able to edit certain resources in a particular resource group depending on if they have permissions to that group.

    I keep running into an issue however where when I create a new user they appear to be automatically being given Super Admin privileges regardless of what (I have tried giving them no role or user group) they are given. I'm not ticking the Sudo user box on the user and as you can understand this is becoming somewhat annoying now.

    I mainly at the moment want to achieve a user group that is only able to view the Resources tree and not the elements tree (I'm not too fussed about the file tree but preferably hidden from them). I'd also like them not to be able to view or access the Security, Tools, Reports and System menus.

    Can anyone suggest what may be causing this?

    Kind Regards
    David
      • 37099
      • 338 Posts
      Resources won't be protected until they are put in a resource group, and connected to a particular user, have you done that?

      Everything you describe is possible using ACLs ...
        • 42196
        • 7 Posts
        Hi

        At the moment I think my problem is more basic than that. When I create a user, regardless of whether I assign them to a user group or not, they are being given full admin privileges in the manager. I'm not setting them as Sudo users and as I'm not giving them any user group I don't understand how they are being allowed to even log in to the manager.

        My understanding is that to set up a user with access to the Manager and particular resource groups I would need to

        1) Create the user
        2) Create the user group
        3) Create a Role
        4) Assign the user group access to the manager context with the minimum role and an access template (I was using the pre-supplied content editor's)
        5) Do similar for the resource groups
        6) add the user to the group
        7) flush the permissions

        What I would expect to see (and what I am getting on a local install on my laptop) is that the user would be able to view the Resource Tree + a few bits on the menu, but not the Elements tree or the file tree, which is part of what I want to lock down. However they are getting full access to everything on my install on my server.

        I'm more concerned at the moment that I can't restrict access to the resource tab on the server. I'm prepared to do a fresh install but I'd rather like to understand, if I can, what may have caused this in case it's something I have done, as I don't want to repeat my steps if I do reinstall.

        Regards
        David
          • 37099
          • 338 Posts
          That's how it should be, it starts off permissive, you have to

          1. Put users in groups
          2. Put resources in groups
          3. Link user groups and resources groups together with ACLs to start restricting stuff.

          Mike
            • 42196
            • 7 Posts
            Hi Mike

            Ah, I did not realise it starts off permissive. I shall attempt to put the users into groups again in the morning and see what happens; hopefully that will work.

            Regards
            David
            • Take a look at my ACL tutorial; it will help you get a better understanding of how ACLs work.
                Benjamin Marte
                Interactive Media Developer
                Follow Me on Twitter | Visit my site | Learn MODX
              • FWIW - just because your new users have access to the entire manager at first, doesn't mean they are super admins.

                Most commonly people complain that new admin users can't log in, which is often due to the role of "super user" and "administrator" user group not being applied to the user when created, which is default for new users.

                Are you setting the new users access permissions to these roles and user groups when you create them or are they being applied automatically?
                  Frogabog- MODX Websites in Portland Oregon
                  "Do yourself a favor and get a copy of "MODX - The Official Guide" by Bob Ray. Read it.
                  Having server issues? These guys have MODX Hosting perfected - SkyToaster
                  • 42196
                  • 7 Posts
                  Hi All

                  I have followed the steps and I am still getting the same problem. I know I'm not following the steps incorrectly as on a local install on my laptop it's working fine and I'm doing exactly the same thing.

                  Basically my issue is this: I create a new user, assign them no roles and do not make them a member of any groups.

                  They can still log in as a full admin and have full permissions.

                  I set up a group called editors, a role editor with level of 99
                  I set up a user called doreen
                  I add Doreen to the group editors with a role of Editor
                  I set the group editors to have access to the mgr context with a minimum role of 99 and template of Content Editor

                  User can login and has the same permissions as a full admin user, which they should not have.

                  I'm not sure where i'm going wrong on this.
                  • You'll need to take it a few steps further to restrict access to the manager. You're not doing anything wrong really, but it is normal for a manager user to have full permissions at first and even assigning the role of Super User and Administrator user group does not grant further permissions over users in other roles and user groups that do not have restrictive ACLs.

                    When you refer to the permissions your users have, there are a few ways to restrict access to the elements and files trees, and also what menus the users see.

                    The next step is to begin to restrict this user group's manager permissions with a context access for the web, but not based on the standard content editor's permissions. You'll start with the Administrator Access Policy, and then begin removing permissions.

                    See Bob's Guides for more information - http://bobsguides.com
                    An excerpt regarding restricting manager access:
                    Let's say you have a User Group called SubAdmins and you want the Users in that group to be able to use the Manager, but with restricted capabilities. Here are the steps you would take:

                    1. First, create a Role of SubAdmin with an authority level of 9.
                    2. Create the SubAdmins User Group and add the Users to it with a Role of SubAdmin.
                    3. Duplicate the standard Administrator Access Policy.
                    4. Edit the duplicate and change the name to SubAdmin.
                    5. On the Permissions tab, uncheck any Permissions you don't want your SubAdmins to have. Removing the access_permissions Permission will keep them from changing their own security level and those of other Users. Removing the element_tree and file_tree Permissions will prevent them from seeing those tabs in the left panel of the Manager. (Note: the element_tree and file_tree Permissions are only available in the SVN and upcoming RC versions of Revolution.)
                    6. Save the Policy
                    7. Update the SubAdmins User Group by going to Security | Access Controls | User Groups tab, right-clicking on the SubAdmins Group and selecting "Update User Group."
                    8. Go to the Context Access tab.
                    9. Add an ACL entry (by clicking on the "Add Context" button). Give it the following:
                       Context: mgr
                       Minimum Role: SubAdmin
                       Access Policy: SubAdmin
                    10. Go to Security | Flush Permissions

                    If you quit now and log in as one of the SubAdmin Users, the login would be successful but the Resource tree at the left would be empty because we haven't given our SubAdmin users access to the "web" context. We need to create another Context Access ACL entry with the following:
                    Context: web
                    Minimum Role: SubAdmin
                    Access Policy: SubAdmin

                    Now, our SubAdmins are real Manager users with restricted access to the Manager.

                    Note that we could have done this another way. We could have skipped creating the SubAdmin User Group and just added all our SubAdmin Users to the Administrator User Group with a Role of SubAdmin. Then, we'd have Updated the Administrator User Group and added the two Context Access ACL Entries listed above. The results would be the same and which way you do it is a matter of your overall Security strategy. If you will be restricting which Documents the SubAdmins can see, you'll probably want to create a separate User Group for them. If they will have access to all the Documents in the Manager, you might rather add them to the Administrator User Group.

                    I generally recommend *not* putting other admin users in the Administrator group. Giving them their own group makes things easier to understand and will give you more options for Form Customization.

                    Nothing you do in a Context Access ACL will affect which documents any user can see in the front end. That can only be done in a Resource Group Access ACL specifying a Context other than the "mgr" Context.
                      Frogabog- MODX Websites in Portland Oregon
                      "Do yourself a favor and get a copy of "MODX - The Official Guide" by Bob Ray. Read it.
                      Having server issues? These guys have MODX Hosting perfected - SkyToaster
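
Added example (not part of the thread or of Bob's Guides): the SubAdmin steps from the excerpt above, scripted against the MODX Revolution 2.x PHP API so the resulting role, policy and ACL entries can be reviewed in one place. The core path is a placeholder and the username is a sample value; the class names and `flushPermissions()` assume a recent 2.x install.

```php
<?php
// Added example; assumes MODX Revolution 2.x. The core path is a placeholder.
require_once '/path/to/core/model/modx/modx.class.php';
$modx = new modX();
$modx->initialize('mgr');

// Permissions withheld from SubAdmins (names taken from the excerpt).
$withheld = ['access_permissions', 'element_tree', 'file_tree'];

// Role with authority 9, and the user group.
$role = $modx->newObject('modUserGroupRole');
$role->fromArray(['name' => 'SubAdmin', 'authority' => 9]);
$group = $modx->newObject('modUserGroup');
$group->set('name', 'SubAdmins');
if (!$role->save() || !$group->save()) exit("Could not save role or group\n");

// Duplicate the Administrator policy and drop the withheld permissions.
$admin = $modx->getObject('modAccessPolicy', ['name' => 'Administrator']);
if (!$admin) exit("Administrator policy not found\n");
$perms = array_diff_key((array) $admin->get('data'), array_flip($withheld));
$policy = $modx->newObject('modAccessPolicy');
$policy->fromArray([
    'name'     => 'SubAdmin',
    'template' => $admin->get('template'),
    'data'     => $perms,
]);
if (!$policy->save()) exit("Could not save policy\n");

// Context Access ACL entries: mgr to log in, web to see the Resource tree.
foreach (['mgr', 'web'] as $ctx) {
    $acl = $modx->newObject('modAccessContext');
    $acl->fromArray([
        'target'          => $ctx,
        'principal_class' => 'modUserGroup',
        'principal'       => $group->get('id'),
        'authority'       => $role->get('authority'),
        'policy'          => $policy->get('id'),
    ]);
    if (!$acl->save()) exit("Could not save ACL for $ctx\n");
}

// Add a user to the group with the SubAdmin role (sample username).
$user = $modx->getObject('modUser', ['username' => 'doreen']);
if ($user) $user->joinGroup($group->get('id'), $role->get('id'));

// Same effect as Security | Flush Permissions in the Manager.
$modx->getCacheManager();
$modx->cacheManager->flushPermissions();

// Confirm the saved policy no longer grants the withheld permissions.
$leaked = array_intersect_key((array) $policy->get('data'), array_flip($withheld));
echo $leaked ? "Still granted: " . implode(', ', array_keys($leaked)) . "\n"
             : "SubAdmin policy withholds: " . implode(', ', $withheld) . "\n";
```

Run it once from the command line on a test copy of the site; it does not check for existing objects with the same names.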
                      • 37099
                      • 338 Posts
                      Sounds like you haven't set up any resource groups yet?

                      Try creating a resource group "AllDocs" putting all the resources in it, go to the admin user group and apply a resource access policy for the admins. That should then restrict who else can see those resources.