Disable settings tabs for some add-ons, including the admin user

Hi there,

TLDR;
Is there a way to hide or disable specific add-on settings tabs in the console so that even the admin user can not see them?

Iā€™m building a hosted Nextcloud service for a specific use case where I DO NOT want the admin user to have access to the settings for some of the add-ons in the Web Console.

This will be a prepared environment where the Admin users will be noobs essentially so we only want to give them access to a handful of the add-on settings, where the rest that deal with sensitive / service specific settings will be inaccessible and preferably hidden entirely.

The biggest target is LDAP. Weā€™ll be using an LDAP server to manage user accounts, and there should be no way for the admin user to change or even see these settings.

Is it possible to hide configuration tabs for individual add-ons?

Thanks,
Kevin.

Beulerā€¦ Beuler?

In answer to a question raised about who the true admin would be, in another thread regarding thisā€¦

The answer is that we (as in the owner/service provider of the server, not the client utilizing it) are performing all maintenance via OCC directly at the system level. Updates to NC, addition/removal of add-ons, other maintenance, etc. We as the actual admins do all the work, we simply want to provide a light weight admin level with the admin account itself. Even if they are technically the admin as far as NC goes, we donā€™t want them able to make catastrophic changes to the installation. This is a fully prepared and managed environment.

I believe this contradicts the ā€œphilosophyā€ of Nextcloudā€¦

You want to introduce another root-level group that takes care of the ā€œmaintenanceā€.
Doesnā€™t need to know anything about the data on the server but has access to itā€¦

I think Nextcloud was built to eliminate this layer of adminsā€¦

EDIT
For your use case you might consider creating groups, storage in the form of Group Folders, assigning admin rights to some users in those groups, etc. Those admins can do nothing with the systemā€¦

Going to have to respectfully disagree with you here. If this was the case, we wouldnā€™t already have config.ini options such as:

  • 'appstoreenabled' => 'false'
  • 'upgrade.disable-web' => true

ā€¦ both of which serve to remove the ability for the so called admin user to manage some major aspects of the system, ensuring there must me another layer of administrative control. Our maintenance is automated using common orchestration layers, so there is no user that has access to a clients data per se.

Iā€™m only asking if itā€™s possible to extend the same capability as the options above to specific apps.

One of the two config entries has (can have?) a different explanationā€¦

When you web-upgrade a Nextcloud instance with a lot of users and data, the system ALWAYS recommends to do it from the command lineā€¦

I donā€™t think it has anything to do with separating admin right: cli update is just more reliableā€¦

Not really, the admin in your scenario would be the same person, why would you need to lock yourself out of using one interface? In any case, Iā€™m wasnā€™t looking for a debate on whether you believe there is merit to my need, the fact is, itā€™s a need and I was asking if it was possible. If youā€™ve got something constructive, Iā€™m all ears.

Read the EDIT in my first post aboveā€¦,

@anon71540698, your solution just tells me to do it differently, itā€™s not an answer to my question. Is there anything you can share about whether itā€™s possible to disable specific tabs in the admin area even for the ā€˜adminā€™ user, in the same way that I can hide the upgrade ability from them, or the same way that I can disable the app store and hide it from them? This is so they still have administrative control over many aspects of the system that they will be using, just not the ones that can cripple the server because as I mentioned in the very first post, theyā€™re Noobs. Thanks for your help.

is this an option for you?

Thanks for the suggestion aaaaron, but I canā€™t count on all the users in our use case being trustworthy so I need a fully secure solution, hiding the visible options that are still in plain sight when using view page source unfortunately wonā€™t cut it. Cheers!

Any change you have a solution? Iā€™m in the same situation right now

You could use the custom_css app to achieve this:
E.g. to hide the usersettings activity settings tab:

/* HIDE usersettings activity */
[href="/settings/user/activity"]{ display: none !important; }

To disable access to the custom_css settings, you can then hide the theming tab:

/* HIDE theming tab */
[href="/settings/admin/theming"]{ display: none !important; }

or the custom css section:

/* HIDE custom_css section */
div#theming-customcss.section { display: none !important; }

and make sure that editing the custom_css settings only works over occ.


Afterwards, you can only manage your customcss settings over occ:

getting your current custom_css settings works over occ so:
occ config:app:get theming_customcss customcss

setting your customcss over occ works like this:
occ config:app:set theming_customcss customcss --value="your custom css code"

deleting all current custom_css settings works like this:
occ config:app:delete theming_customcss customcss

Thanks for the suggestion @szaimen, Iā€™d considered this, but the problem is, the settings are technically still there whether visible or not, and anyone with any JS/console know how would be able to ā€œhackā€ inputs and adjust settings. This scenario is a little abnormal, as the ā€œadminā€ in these cases should have some control over the application, but not complete, for instance, they shouldnā€™t be able to browse the filesystem, or adjust performance settings, but should be able to perform most simplistic administrative actions like customizing the colour of the console, etc.

1 Like

@oucil and @burn874 - This ought to be able to be implemented via a custom app (I think). Iā€™m a freelance PHP developer, but Iā€™ve never written code for Nextcloud. However, I wouldnā€™t mind an excuse to learn. If youā€™re interested in some custom development, I might be able to give you a hand.

@summersab Appreciate the offer, but weā€™re also a PHP development shop and are working on this already. Cheers!

Iā€™ve added the NC19, and 20 tags to see if any further options exist in the latest releases to address the original question.

Was there any headway on
an app that lets us create Admin Levelsā€¦
Admin_Super
Admin_Custom
Admin_?
Create Custom Admin Rolls?