50.7. Editing the User or Group ACL for a Module

As Chapter 52 explains, Webmin users and groups can be further restricted in what they can do with a particular module. This allows you to create a user who can edit only a single Apache virtual host or DNS domain, for example, but not use the rest of the features of the Apache Web server or BIND DNS Server module. The actual access control options available are different depending on the module that you want to restrict, and are covered in detail in the chapter for that module.

The Cluster Webmin Servers module can also be used to configure access control for a particular user and module, but on multiple hosts at once instead of just one. Before doing this, you should be familiar with the process of restricting access on a single system with the Webmin Users module, as a very similar form is used.

For module access control to work across multiple systems, each must have a very similar or identical configuration for the server that the restricted module manages. For example, it makes no sense to give someone access to a particular BIND zone if it does not exist on all servers. Unfortunately, some modules (such as Custom Commands) use command IDs that are unique to a particular server, so trying to give a user access to a particular command on multiple systems will not work even if that command button has been created independently on each system.

To edit access control settings for a user or group in a particular module, follow these steps:

1. On this module's main page, select the user and module from the menus next to the Edit ACL for button. The top button is for users, the bottom for groups. When you hit the button, an access control form that differs depending on the module chosen will be displayed.

2. Follow the instructions in the appropriate chapter of the book to fill in the form. Many forms include lists of configuration objects (such as virtual servers, DNS domains, or Samba shares) to select, which will always be taken from the master server even if the user or module does not exist. This can cause problems if, for example, a DNS zone exists only on another host and it is not appearing in the menu of zones to which to allow access because the list is being taken from the master. Unfortunately, there is no way to avoid this at present.

3. To update the configuration for this module and user on all managed systems, click on the Save on all hosts button. You can also change the settings just for the host shown in the title with the Save only on this server button. Either way, the change will be immediately applied to the user or members of the group.
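The two caveats above (a grant only makes sense where the object exists, and the form lists only the master server's objects) can be checked before clicking Save on all hosts. The following Python code is an added example, not part of the book or of Webmin; the host names, zone names and the preflight function are constructed for illustration, and it assumes each host's zone list has already been collected by some other means.

```python
"""Pre-flight check for a per-zone ACL that will be saved on several hosts.

All host and zone names below are constructed sample data.
"""


def preflight(master, granted, inventory):
    """Return {host: findings} for hosts where the planned ACL is a poor fit.

    master    -- host whose objects populate the access control form
    granted   -- zone names the ACL would allow
    inventory -- {host: set of zone names that actually exist on that host}
    """
    granted = set(granted)
    master_zones = inventory[master]
    report = {}
    for host, zones in sorted(inventory.items()):
        findings = {
            # Granted, but the zone is absent here: the grant does nothing
            # on this host and will apply if the zone is created later.
            "granted_but_missing": sorted(granted - zones),
            # Exists here but not on the master, so it never appears in the
            # form's list and cannot be granted from the cluster page.
            "not_selectable": sorted(zones - master_zones),
        }
        if any(findings.values()):
            report[host] = findings
    return report


# Constructed inventory: ns3 has drifted from the master.
INVENTORY = {
    "master.example.com": {"example.com", "example.org"},
    "ns2.example.com": {"example.com", "example.org"},
    "ns3.example.com": {"example.com", "internal.example"},
}

if __name__ == "__main__":
    planned = ["example.com", "example.org"]
    for host, findings in preflight("master.example.com", planned, INVENTORY).items():
        print(host, findings)
```

A host that appears in the report is a candidate for Save only on this server rather than Save on all hosts.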

Sometimes it is necessary to edit the access control settings on just a single system instead of all of them. You can do this by following these steps:

1. Open the user's or group's editing page using the Edit user or Edit group button on the main page.

2. At the bottom of the form is a button labeled Edit ACL for, with a menu next to it listing all of the modules to which this user has access and the hosts on which the user exists. Select the entry for the combination of module and host for which you want to edit access control settings and hit the button.

3. Fill in the access control form that appears as you usually would. Unfortunately, any lists of Apache virtual servers, custom commands, or DNS zones on the form will be taken from the master system, not the chosen host.

4. Hit the Save only on this server button to update just the settings on the chosen system.
