TLDR; Is there a way to hide or disable specific add-on settings tabs in the console so that even the admin user can not see them?
I’m building a hosted Nextcloud service for a specific use case where I DO NOT want the admin user to have access to the settings for some of the add-ons in the Web Console.
This will be a prepared environment where the Admin users will be noobs essentially so we only want to give them access to a handful of the add-on settings, where the rest that deal with sensitive / service specific settings will be inaccessible and preferably hidden entirely.
The biggest target is LDAP. We’ll be using an LDAP server to manage user accounts, and there should be no way for the admin user to change or even see these settings.
Is it possible to hide configuration tabs for individual add-ons?
In answer to a question raised about who the true admin would be, in another thread regarding this…
The answer is that we (as in the owner/service provider of the server, not the client utilizing it) are performing all maintenance via OCC directly at the system level. Updates to NC, addition/removal of add-ons, other maintenance, etc. We as the actual admins do all the work, we simply want to provide a light weight admin level with the admin account itself. Even if they are technically the admin as far as NC goes, we don’t want them able to make catastrophic changes to the installation. This is a fully prepared and managed environment.
Going to have to respectfully disagree with you here. If this was the case, we wouldn’t already have config.ini options such as:
'appstoreenabled' => 'false'
'upgrade.disable-web' => true
… both of which serve to remove the ability for the so called admin user to manage some major aspects of the system, ensuring there must me another layer of administrative control. Our maintenance is automated using common orchestration layers, so there is no user that has access to a clients data per se.
I’m only asking if it’s possible to extend the same capability as the options above to specific apps.
Not really, the admin in your scenario would be the same person, why would you need to lock yourself out of using one interface? In any case, I’m wasn’t looking for a debate on whether you believe there is merit to my need, the fact is, it’s a need and I was asking if it was possible. If you’ve got something constructive, I’m all ears.
@anon71540698, your solution just tells me to do it differently, it’s not an answer to my question. Is there anything you can share about whether it’s possible to disable specific tabs in the admin area even for the ‘admin’ user, in the same way that I can hide the upgrade ability from them, or the same way that I can disable the app store and hide it from them? This is so they still have administrative control over many aspects of the system that they will be using, just not the ones that can cripple the server because as I mentioned in the very first post, they’re Noobs. Thanks for your help.
Thanks for the suggestion aaaaron, but I can’t count on all the users in our use case being trustworthy so I need a fully secure solution, hiding the visible options that are still in plain sight when using view page source unfortunately won’t cut it. Cheers!
Thanks for the suggestion @szaimen, I’d considered this, but the problem is, the settings are technically still there whether visible or not, and anyone with any JS/console know how would be able to “hack” inputs and adjust settings. This scenario is a little abnormal, as the “admin” in these cases should have some control over the application, but not complete, for instance, they shouldn’t be able to browse the filesystem, or adjust performance settings, but should be able to perform most simplistic administrative actions like customizing the colour of the console, etc.
@oucil and @burn874 - This ought to be able to be implemented via a custom app (I think). I’m a freelance PHP developer, but I’ve never written code for Nextcloud. However, I wouldn’t mind an excuse to learn. If you’re interested in some custom development, I might be able to give you a hand.