dagaman
Hello,
I would like to have multiple security areas, one of which should only be accessible by the top level administrator and a high security group, but I also require a low-security administrator group. Neither should this low-security administrator group be able to add the rights to access this security level to any user, nor should this administrator group be able to access the high security area themselves.
Is this kind of concept securely possible with DokuWiki?
Thanks much!
turnermm
dagaman
Thanks for the answer, though a manager as a second-level admin would not work, since our second-level admins are required to access the ACL and user management, which managers aren't allowed to.
martinr
You need to be a bit clearer what exactly you want your low-security administrators to be able to do.
If it helps, on my Wiki I have the following scheme:
@ALL - basically read access + write to talk pages.
@user - as @ALL plus the ability to write to the user part of the wiki.
@admin - new group to allow certain explicitly named users write access to the non-user part of the wiki and to read logs (in :wiki:)
All are then handled through the ACL scheme. Superuser and manager then are granted access to admin functions via configuration>authentication.
dagaman
@MartinR Thanks, I'll try to be clearer.
We have 2 namespaces (public, private) and 4 user groups (@ALL, @user, @topuser, @admin, @low_security_admin).
@ALL should be able to read from public but write nowhere.
@user should be able to read and write from/to public.
@topuser should be able to read and write from/to public and private.
@admin should be able to read and write from/to public and private, and to create new users/assign users any group.
@low_security_admin should be able to read and write from/to public, and to create new users/assign the user or guest role to them, but not the admin or topuser groups.
The low security admin should never be able to see the private area, even if he tries to change his rights or create new users.
I can create a @low_security_admin with no rights to view/write private, but I can't stop him from manipulating his/other users' rights to allow him into the private area.
martinr
Thanks Dagaman, that does clarify things. Given that you want @low_security_admin to be able to create users, my suggestion clearly wouldn't work. Sorry for the static.