Category security: Obfuscate topic content from admin


(Ted Strauss) #1

I am operating Discourse as a closed intranet for an organization. I use groups and category permission settings to create private sections for different groups of users.

But the admin user is still able to access topics from any category, and users are bound to figure this out. The users do not want the forum admin to have access to their private discussions.

I am looking for a way to restrict the admin’s access to a category. The ideal feature would be one that obfuscates the contents of a topic while leaving the topic history and stats intact, so the administrator can see the amount of activity, but not the contents.
This setting could be called ‘Hide topic contents from admin’ on the security tab of the edit category modal.

Has such a feature ever been considered?


(cpradio) #2

Why not limit the use of the admin account so it is only used when needing to perform some sort of maintenance (add a category, change a site setting), or upgrading, and have everyone use non-admin accounts for typical day-to-day interactions?

Most communities see the admin as someone who has access to everything, as they need to monitor the system as a whole. Limiting their access greatly limits the effectiveness of an admin.


#3

Yes, create an additional Account for the Admin for his daily reading usage and only use the Admin account when there are administration tasks to do.


(Ted Strauss) #4

I agree with these approaches.

But from a UX perspective, in an organization of 100 people where everyone knows each other, if it’s understood that the admin (me) could read their private messages if he wanted to, it will affect how they use the forum. I would like to be able to show my users that even if I wanted to read their posts, I wouldn’t be able to. This would give them peace of mind to communicate about sensitive subjects.

Of course I appreciate it’s an unusual feature request, probably best handled as a plugin.


#5

As an Admin, you’ll always have access to everything… That’s part of the deal :smiley: even with a plugin, you could turn off the plugin and read whatever you like. Or just have a look in the database…

Somewhere around here I read the sentence that I fully agree to:

If you don’t trust the Admin, you shouldn’t use the system.


(Joshua Rosenfeld) #6

As @XieLong mentioned, it isn’t possible to prevent an admin from seeing everything. If you are an admin (especially if you also have root server access) you can get around anything developed to prevent you from accessing data.

Does your company have a Digital Usage Policy? Most do. I’d check what that policy says about user rights when it comes to email/digital communications. Most that I’ve seen tend to emphasize that all communication systems are property of the company, not the user, and (quoting from the current policy at my job):

the Company reserves the right to examine, monitor and regulate e-mail and other electronic communications, directories, files and all other content, including Internet use, transmitted by or stored in its technology systems, whether onsite or offsite.

I’d suggest getting up front about this with your users. Be clear that as a forum admin, you can see everything, but also detail when you will use that privilege. Most employees recognize that IT has access to everything, but trust that IT will not abuse this power.


(Jay Pfaffman) #7

Do these people really think that you have time to read their freaking messages? You have a job, right? :slight_smile:

It’s common for admins to be able to read people’s emails, but that doesn’t keep people from using email. Hopefully you also have some admin backing up their computers, and can thus read all of their data. Like @XieLong said, “if you don’t trust the admin, you shouldn’t use the system” (or, perhaps, work for the company).

If you really want that, then the only solution would be to relinquish admin control to a 3rd party. You could have a set of operations that you accomplished through API calls (though you’d still be able to use API calls to access whatever “secret” information is there). But as has also been said, if you’ve got root access to the machine (or the backups) then you can read everything anyway.


(Andrew Waugh) #8

I think the other side of the coin is just as valid:

If someone is an admin, then by definition, you trust them.

Even if you can restrict category access, can that admin download a backup of the forum? If they can, then they can read whatever they want, and you won’t even have a log to cue you to what they are doing.


(Eli the Bearded) #9

-----BEGIN PGP MESSAGE-----
w77OngPn3z/01yEpVDmkfrpdXKYmVhylICPg1yvNYTyx6EW5LIOYt1yuxLc+bjKS
piw                                                          PGL
ZIc  Of course, since these are just text boxes, you could   rMj
zqO  use any 7-bit safe encrypted message format in the      mol
BnT  posts. Reading and replying would require some          SK/
zRk  technical know-how and some private key exchange.       AkO
rvK                                                          z8B
vZCwIO1me371DScIwI2D8/8EHzQMALxye7O/tpDW3BEU+NEqsHM2nXdebKl7mPk8
-----END PGP MESSAGE-----

(Steve Combs) #10

I think this is summed up by the Berkeley Unix admin bumper sticker:

I read your email.