How to define custom permissions for staff, admins, moderators

Hello!

I want to change user groups permissions, for example:
Admin Group - all permissions
Co Admin - can do anything but cannot open some sections on admin pane

How to do that? Thanks!

That’s not possible by default since admins have unrestricted access to all the sections of the forum. Depending on what kind of permissions you want to revoke, maybe demoting them to moderator can be helpful?

Moderator cannot create a categories and i want that

Mods can create categories if you enable the moderators_create_categories settings in your discourse admin.

Where i find that? I looked through all the categories in the admin panel and did not see anything that I could assign to moderators.
*Is there something like moderators_create_themes?

Go to admin > Settings
Then search for the keyword moderators_create_categories

Is your Discourse up to date?

What you are asking is, "Is there something like ‘moderators can crash the whole site by making a broken theme?’ ". I’m pretty sure that the answer is going to be “No.”

You could install a remote theme hosted in github that a moderator could change, but an admin would still need to pull in the changes.

You do not know who will tinker with the themes, how can you make that statement?
I asked this question because there are no groups with custom rules like it said above.

My point is that if you trust someone enough to change themes then you can make them an admin.

If you would like to allow non-admins to modify themes or otherwise change what a moderator can do you’ll need a custom plugin.

Not in my current scenario. We have UX and Design teams and they are only responsible for that area, so only access to the themes would be necessary.

We have this same use case as well. We have outside contractors (web designers) that we want to grant access to this. An full admin would have access to everything, including private management discussions, which is something not desirable.

It would be nice to have a workflow that allows web designers submit or try changes without full admin access.

Hi @Joaquin_Menchacha

Thank you for your post and reminder on this topic.

We also wish (plan) to refine some of the admin controls in the future.

For example, we are interested in a plugin (someday) which will be configured with variables in the yml container file and will restrict certain admin actions (like downloading the full backup of the site) to only certain users (userids).

This plugin idea is “on my plate” and when I get a chance, I’ll look into it more. So far, I have not even taken the first step of looking at the code and examining the feasibility of this idea.

Has any one found a solution here?

I have same use case where I want to grant theme access and house ads access to some of my staff members.

The easy solution is to trust people and make them an admin or moderator. It you don’t trust them with full control, but want them to have additional access then you’ll need a plugin.

It’s not that I don’t trust them. But when it comes to our threat model, it creates an additional attack surface. What if the specific user gets compromised due to lack of security on his side? A lot of variables at play.

We will explore plugin option then.

Agreed Discourse needs extra controls for customization. Like what others have mentioned with hiring outside contractors to use higher level functions while still protecting members information.

Group moderation is decent but sometimes you might want some higher functions of a full Mod but not all of the functions.

A plugin indeed might be helpful. But like Merge User Plugin was merged into core; so should stronger moderator/admin customized features to allow more staff types.

I agree with others here that the access control model would be improved with an extra layer of RBAC (roles-based access control) granularity that specifies what staff and admin can access (for certain functions, not all).

For example, a site might want to add more admins; but they prefer to grant smaller set of admin RBAC privileges; for example, grant or not grant the ability to download the entire site backup or to access certain staff action log files. In addition, a site might want to insure that some staff do not have the RBAC permissions to view staff actions of admins or developers, or just certain actions which are considered more “private”.

All cybersecurity experts are taught (and know by direct experience) that the largest threat to any organization is the “disgruntled insider” and not outside hackers or attackers. There is no doubt about this basic IT security risk, and it is well established knowledge for trained or seasoned hands-on IT security professionals. Therefore, dismissing the insider threat with “just trust your admin” or “you must trust your staff” is not a technical solution, for IT professionals. Even the most trustworthy staff, loyal for many years, can start experiencing life problems which can cause them to shift to be a “disgruntled staff member”. In addition, it is the most privileged staff which make the most errors; and we all know that well-intended staff / admin mistakes generally cause more downtime than any hacker, generally speaking.

A while back, I considered altering Discourse class Guardian for our site but after further examination of that class it was not obvious to me there was a “quick fix” which would allow me to write a minimal amount of monkey patch code to enhance the RBAC for Discourse. Being lazy by nature and preferring to create simple solutions whenever possible, I put the idea on the back burner and moved on to other “well paid client” projects.

Subsequently, I considered going a level down in the code and transferring some of the staff and admin functions to developer, but this approach required too many monkey patches, which I thought was not a good idea at the time. After, all if we can accomplish something with one monkey patch versus ten, obviously one patch is better.

I have not yet had the time or a “burning requirement” to look deeper into this part of Discourse core to determine if there is an “easy” RBAC plugin enhancement I can write via a “relatively simple” plugin.

Honestly, I think the problem is that I am not yet a super rubyist and for the most part, consider myself more of a “wannabe” ruby coder, LOL. I am confident there is, more-than-likely, a simple RBAC plugin solution out there, but personally, I have not found it yet and perhaps a much more experienced Ruby person can quickly look at the code and see how to approach this.

My idea would be to have some new boolean site settings which would either limit or grant specific RBAC permissions based on role, and to then add those booleans to the appropriate part of the code via a monkey patch in plugin. However, I as mentioned, I would prefer to patch one file, not “many” so it is clean and simple, easy to maintain.

When I have time, I will look into this RBAC enhancement more deeper since it is interesting, for sure.

Hi @jrgong

This is not difficult to do via a plugin, as you probably know well.

Basically, you could create a list of staff (by email, username, etc) as a global setting, similar to how Discourse defines developers by email address.

Then, you could use that GlobalSettting in some patches to permit the two use cases are you are interested in.

The first of your use cases: customize themes as staff, is relatively straight forward to core monkey patch, I think.

The second use case of yours, with not much work, you could fork this plugin and redesign the route access constraint in this plugin (and any other required changes):

Because the constraint for the ads plugin is built into the plugin, it’s a good idea to actually change that code to permit your “permitted” staff to access the parts of that plugin you wish to permit, based on your own RBAC.

In other words, both of the requirements you want are both doable, if you are willing to write the code; or of course you can ask one of the skillful Discourse plugin dev pros to help you in marketplace

Thx @neounix I really appreciate the input! I will get a dev to get it done

edit: Is there no other way but to fork the plugin?
And how about access to babble chat plugin? That would also require a fork?

We are taking about software.

There are always many ways to do things.

I provided you my recommendations.