user permissions

BlazingChaos

I would like to see more permissions for user accounts giving them access to individual access to anything you want on the left-hand side

so if you have a tech he can look at invoices or travel

but not revenue

johnny

Hi @BlazingChaos

This would be an excellent feature although it would take a major undertaking and is far down our list.

ITFlow was initially designed for a small MSP with some trusted employees. Still much development to go.

BlazingChaos

Could you make it so a user could have both tech and sales

johnny

Absolutely for the Future they will be very customizable

JohnH

Could we add functionality to restrict user's from certain clients or clients with a specific tag?

For example I have a sub-contractor that I trust with our clients, however I don't want him accessing our internal stuff (we are also listed as a client - he dosent need to log into our ESXi cluster).

johnny

@JohnH thats a good idea but within time this will get accomplished

psiiota

I am thinking about working on some preliminary work for this.

I will be trying to mimic unix permissions, but with some additional fine tuning.

We will need to add groups, but I think the Tags idea from @JohnH is more expandable, so include a Tags table, and a Tags_Users table. The latter storing the relation between the tags and the users.

We will also need a Page_Permissions table to store what permissions are applied to each page.

I am thinking a modal on most pages' more information button, that pops up a 4xX grid labled R,W,X,P(edit permissions) columns, and all tags displayed as rows. Checkboxes to select what tags have what permissions on what page.

Below that 2 fields to select or deselect users manually, without using groups, and add them to above list.

I will revise as needed, expect a draft PR in the coming days.

wrongecho

We don't really have the proper groundwork in place at the moment to do things like this. I've been planning to rebuild permissions from that ground up for some time, but it's a fair amount of work.

Initially I was just thinking we'd stick with the current roles (instead of groups). We could possibly add groups in the future, but it's important to remember that the target audience for ITFlow is small MSPs and we want to keep things (especially something as important as the permissions system) simple. Yes, that may mean we give up some granularity, but does a small MSP really need to control that a specific tech shouldn't be able to access a specific module for a specific client?

We need to properly define the roles in the database alongside their current permissions (roughly this):

Table: user_roles

user_role_id
user_role_name
user_role_description
user_role_admin_settings_access
user_role_clientmgmt_access
user_role_ticketing_access
user_role_accounting_access
user_role_billing_access
user_role_password_access
user_role_etc_….

Each access entry (except admin) would have permissions of either:

0 - No access
1 - Read
2 - Write (Read/Write)
3 - Full (Read/Write/Delete)

So a technician might have:

user_role_id = 3
user_role_name = Technician
user_role_description = Built-in role for technicians
user_role_admin_settings_access = 0 (none)
user_role_clientmgmt_access = 2 (read/write)

Once this is in place we'd need to rewrite the existing check to be more specific for every page and function. Rather than just checking if someone is a technician, we'd check if the technician role actually has the access level required.

For example (just off the top of my head): Editing a client overview page, we'd check like validateAccess('clientmgmt', 'write');

check_login.php

// Get access levels from DB
$sql = mysqli_query($mysqli, "SELECT * FROM user_roles WHERE user_role_id = $session_user_role_id")

// Set each module access in user session
$session_user_role_clientmgmt_access = $sql['user_role_clientmgmt_access']

functions.php

function validateAccess($module, $checkLevel) {

    // Map levels
    if ($checkLevel = 'read') {
        $checkLevelInt = 1
    } elseif ($checkLevel = 'write') {
        $checkLevelInt = 2
    } elseif ($checkLevel = 'full') {
        $checkLevelInt = 3
    } else {
        return false;
    }

    // Check access level (if the role in the session (e.g. 2 for a technician is equal or greater than the checkLevel (e.g. also 2 for this) requested, grant access)
    if ($module = 'clientmgmt') {
    
        if ($session_user_role_clientmgmt_access >= $checkLevel) {
            return true;
        }
        
        return false; // default return
    } 

}

This would then need a GUI written to allow the roles to be editable (with the ability to create additional roles, too).

Once all of this is in place, then we should look at restricting individual access to clients (based on tags, etc). We had this previously but removed it. Again, I don't think we should go much further (e.g. defining certain pages per client that roles can/can't access) as it creates unnecessary complexity.

psiiota

wrongecho but does a small MSP really need to control that a specific tech shouldn't be able to access a specific module for a specific client?

I would say so. We are a 3 technician MSP who outsources a lot of work. I definitely love that ITFlow is focused on small MSPs, but all small MSPs should be looking at scalability.

wrongecho and we want to keep things (especially something as important as the permissions system) simple

Yes, I second this 1000%. We have used NinjaOne, ConnectWise, and Kaseya's all in one packages, and for each and every one it is a pain point. I just suggest that if we ever do fine grain permissions, to ensure there is a modal to edit permissions that apply to the page, to avoid the confusion of an entire list of permissions that you are expected to know and understand.

I feel the best solution to this is to have expandable groups, but make sure the defaults are what the typical 1-2 person MSP needs. This way when the 1-2 person MSP hires a few technicians, they will be able to let ITFlow grow with them instead of outgrowing it.

wrongecho user_role_admin_settings_access = 0 (none)
user_role_clientmgmt_access = 2 (read/write)

This is a good starting point for a V1, but…

wrongecho then we should look at restricting individual access to clients (based on tags, etc)

I see the real use case here. We only want to give a contractor working on Client C access to Client C, not a or b, and especially not our internal organization.

Right now, our process is to print the client export document, and have contractor take notes with a pen and return, but that feels like the dark ages. That process involves a lot of data entry, but our Managed Service Agreements and Business Associates Agreements require it, as we have HIPAA clients.

joel

Hi,

Is this going to happen anytime soon?

johnny

@joel @Bigbug I am thrilled to say this has happened =]

Go ahead and Update and you will get the new user client Permission Restriction Options by default everyone is unrestricted on user access,

Please report any issues or bugs thanks

johnny

itflow-org/itflowce0c394

itflow-org/itflowfa06496

itflow-org/itflowe16dce1

itflow-org/itflow85bf412

itflow-org/itflow9876c33

joel

This is assume…

Thank you so much

joel

I just noticed that even the user dont have access to a client, he can still search and see all clients passwords.

He cant open the login, but he can see/copy it from outside

Best,

johnny

Hi @joel There are going to be places where we will need to further lock it down, Global Search is one of them, ill go ahead and update, let us know if you find any more bugs im gonna push out an update here shortly

johnny

Hey @joel

We just pushed out an update to limit user access to restricted clients within global search

itflow-org/itflowbd12319

Bigbug

I found that the only thing the client access permission does, is that it restricts you by client_id
Which doesn't really restrict any content that client might have

For example /client_contact_details.php?client_id=2&contact_id=2 if I change the URL to contact_id=30 i can see the contact with the ID 30 - which belongs to a different client - and with that comes all related Assets/logins/licenses etc.

I think the approach shall be that every contact_id should be bind to a client_id and if someone pokes around with the URL it should give him a blank page or a redirect to a valid page

Makes sense @johnny ?

🙏

johnny

Nice catch @Bigbug and totally make sense, will work on a solution for this.

alphaTECH

Hello, sorry for the necrobump. I've set up some new users and restricted them to one client, however they can still see and access tickets created under other clients from the main ticket dashboard. Let me know how if I can assist to resolve this.