TLDR; Is there a way to hide or disable specific add-on settings tabs in the console so that even the admin user can not see them?
Iām building a hosted Nextcloud service for a specific use case where I DO NOT want the admin user to have access to the settings for some of the add-ons in the Web Console.
This will be a prepared environment where the Admin users will be noobs essentially so we only want to give them access to a handful of the add-on settings, where the rest that deal with sensitive / service specific settings will be inaccessible and preferably hidden entirely.
The biggest target is LDAP. Weāll be using an LDAP server to manage user accounts, and there should be no way for the admin user to change or even see these settings.
Is it possible to hide configuration tabs for individual add-ons?
In answer to a question raised about who the true admin would be, in another thread regarding thisā¦
The answer is that we (as in the owner/service provider of the server, not the client utilizing it) are performing all maintenance via OCC directly at the system level. Updates to NC, addition/removal of add-ons, other maintenance, etc. We as the actual admins do all the work, we simply want to provide a light weight admin level with the admin account itself. Even if they are technically the admin as far as NC goes, we donāt want them able to make catastrophic changes to the installation. This is a fully prepared and managed environment.
I believe this contradicts the āphilosophyā of Nextcloudā¦
You want to introduce another root-level group that takes care of the āmaintenanceā.
Doesnāt need to know anything about the data on the server but has access to itā¦
I think Nextcloud was built to eliminate this layer of adminsā¦
EDIT
For your use case you might consider creating groups, storage in the form of Group Folders, assigning admin rights to some users in those groups, etc. Those admins can do nothing with the systemā¦
Going to have to respectfully disagree with you here. If this was the case, we wouldnāt already have config.ini options such as:
'appstoreenabled' => 'false'
'upgrade.disable-web' => true
ā¦ both of which serve to remove the ability for the so called admin user to manage some major aspects of the system, ensuring there must me another layer of administrative control. Our maintenance is automated using common orchestration layers, so there is no user that has access to a clients data per se.
Iām only asking if itās possible to extend the same capability as the options above to specific apps.
Not really, the admin in your scenario would be the same person, why would you need to lock yourself out of using one interface? In any case, Iām wasnāt looking for a debate on whether you believe there is merit to my need, the fact is, itās a need and I was asking if it was possible. If youāve got something constructive, Iām all ears.
@anon71540698, your solution just tells me to do it differently, itās not an answer to my question. Is there anything you can share about whether itās possible to disable specific tabs in the admin area even for the āadminā user, in the same way that I can hide the upgrade ability from them, or the same way that I can disable the app store and hide it from them? This is so they still have administrative control over many aspects of the system that they will be using, just not the ones that can cripple the server because as I mentioned in the very first post, theyāre Noobs. Thanks for your help.
Thanks for the suggestion aaaaron, but I canāt count on all the users in our use case being trustworthy so I need a fully secure solution, hiding the visible options that are still in plain sight when using view page source unfortunately wonāt cut it. Cheers!
Thanks for the suggestion @szaimen, Iād considered this, but the problem is, the settings are technically still there whether visible or not, and anyone with any JS/console know how would be able to āhackā inputs and adjust settings. This scenario is a little abnormal, as the āadminā in these cases should have some control over the application, but not complete, for instance, they shouldnāt be able to browse the filesystem, or adjust performance settings, but should be able to perform most simplistic administrative actions like customizing the colour of the console, etc.
@oucil and @burn874 - This ought to be able to be implemented via a custom app (I think). Iām a freelance PHP developer, but Iāve never written code for Nextcloud. However, I wouldnāt mind an excuse to learn. If youāre interested in some custom development, I might be able to give you a hand.