32.10. Module Access Control

As Chapter 52 explains, the Webmin Users module can be used to limit what a user or group can do with a particular module. For this module, you can control exactly which hosts, groups, subnets, and shared networks a user can edit. This can be useful for granting a subadministrator the right to set options for only a few hosts within your server configuration, while preventing him from changing subnets and other hosts.

Once a user has been given access to the module, limit him to editing only certain hosts by following these steps:

1. In the Webmin Users module, click on DHCP Server next to the name of the user. This will bring up the module access control form.

2. Change the Can edit module configuration? field to No so he cannot edit the configuration file path and the commands that the module uses.

3. Leave Can apply changes? set to Yes so he can activate any changes that he makes.

4. Change Can edit global options? to No so he cannot change options that apply to all clients.

5. Can view leases? can be safely left set to Yes, but Can remove leases? should be set to No.

6. The Uniq host names?, Uniq subnet IP addresses?, and Uniq shared-net names? fields should be changed to Yes to prevent the creation of clashing hosts, subnets, and shared networks.

7. The Use security level field determines to which configuration entries in the hierarchy the user is allowed access. The available options and their meanings are:

Level 0: The user will have access to all entries to which he has been granted access.

Level 1: The user will have access to granted entries, as long as he can access all their children as well.

Level 2: The user will have access to granted entries, as long as he can access all parent and ancestor entries.

Level 3: Like levels 2 and 3 combined.

Generally, you should leave this option set to level 0 for simplicity's sake.

8. Assuming you are limiting the user to editing only certain hosts, deselect all three options in the Access groups and Access shared nets fields. This will stop the user from viewing and editing any groups or shared networks.

To stop the user from creating hosts and subnets, deselect create in the Access hosts and Access subnets fields.

9. Change the Enable per-subnet ACLs? and Enable per-host ACLs? fields to Yes. This allows you to select exactly which hosts and subnets the user can access from the Per-object ACLs section provided.

If the first of these fields is set to No, the Access subnets checkboxes determine whether the user can view and edit all subnets. Similarly, if the Enable per-host ACLs? field is set to No then the Access hosts checkboxes control the viewing and editing of all hosts.

10. In the Per-object ACLs section, select read/write for any hosts and subnets that the user should be able to configure and not allowed for the rest. Choosing read only will allow him to view the host or subnet without being able to change it.

11. Finally, click the Save button at the bottom of the page to make the new restrictions active.
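The effect of the Use security level field from step 7 on a partial grant can be modelled as a check over the configuration hierarchy. The Python below is an added example, not Webmin's own code: the entry names and hierarchy are constructed, "children" is read as all descendants, and level 3 is assumed to mean the level 1 and level 2 conditions together.

```python
# Simplified model of the "Use security level" rule (not Webmin's implementation).
# child -> parent; None marks a top-level entry. Constructed sample hierarchy.
PARENT = {
    "net-office": None,
    "subnet-10.0.1.0": "net-office",
    "host-printer": "subnet-10.0.1.0",
    "host-kiosk": "subnet-10.0.1.0",
    "subnet-10.0.2.0": "net-office",
    "host-lab1": "subnet-10.0.2.0",
}

def ancestors(entry):
    """Every parent and ancestor of an entry, nearest first."""
    out, parent = [], PARENT[entry]
    while parent is not None:
        out.append(parent)
        parent = PARENT[parent]
    return out

def descendants(entry):
    """Every entry below this one (assumption: 'children' means all descendants)."""
    out = []
    for child, parent in PARENT.items():
        if parent == entry:
            out.append(child)
            out.extend(descendants(child))
    return out

def can_access(entry, granted, level):
    """Apply the level rule to one entry, given the set of granted entries."""
    if entry not in granted:
        return False                      # level 0 condition applies at every level
    if level in (1, 3) and not all(d in granted for d in descendants(entry)):
        return False                      # level 1: every entry below must be granted
    if level in (2, 3) and not all(a in granted for a in ancestors(entry)):
        return False                      # level 2: every entry above must be granted
    return True

def effective_access(granted, level):
    """Entries the user can actually reach at this security level."""
    return sorted(e for e in PARENT if can_access(e, granted, level))

# Constructed grant: one subnet and only one of its two hosts.
GRANTED = {"subnet-10.0.1.0", "host-printer"}

if __name__ == "__main__":
    for level in range(4):
        print(level, effective_access(GRANTED, level))
```

With only a subnet and one of its hosts granted, level 0 yields both entries, level 1 only the host, and levels 2 and 3 nothing, so a partial grant is easiest to reason about at level 0.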

Another common use of the DHCP Server module's access control page is limiting a user to the viewing and cancelling of leases only. This can be done by setting the Can view leases? and Can remove leases? fields to Yes and everything else to No. The user should also be denied access to all hosts, subnets, and so on, or possibly given read-only permissions.
