Switch user

[msauter]

Setting permissions for users, companies, workspaces etc. is quite complex in OpenGoo, and if something goes wrong here this can have heavy consequences.

Therefore I'd like to have a "Switch user" feature which is available for administrators only and which allows you to see your OpenGoo installation from the perspective of another user without the necessity to log in with this users credentials (which you may not have anyway since users can change their passwords).

I imagine a dropdown in the upper right corner (where your own user name is displayed) which allows you to select any other user immediately. This would help very much to check if a user is able to see what he/she should, but doesn't see what he/she shouldn't.

I know this option from TYPO3, which is very helpful if you get these phone calls or e-mails saying "I can't find XY...".

[conrado]

Martin,

First: permissions in OpenGoo can and need to be improved. That is absolutely a big concern.

I understand the helpfulness of this feature as I have dealt with those support requests myself, but I am also concerned about a sysadmin having the ability to check my work environment.

I am thinking that the best solution should be for the user to explicitly enable the admin to view my environment, for the period of time that I chose (during the phone call).

I don't want to give my sysadmin more 'powers' than he needs.

[msauter]

Hi Conrado

As an administrator I can see any information in any workspace anyway, and I can control the permissions of any user. In other words: There is no privacy for standard users anyway, so it does not make any difference if I can log into a useres account.

- Martin

[editfish]

...Therefore I'd like to have a "Switch user" feature which is available for administrators only and which allows you to see your OpenGoo installation from the perspective of another user without the necessity to log in with this users credentials (which you may not have anyway since users can change their passwords).

I imagine a dropdown in the upper right corner (where your own user name is displayed) which allows you to select any other user immediately. This would help very much to check if a user is able to see what he/she should, but doesn't see what he/she shouldn't.

Ditto.  I've played around with Goo quite a bit, but still have to log in as a 'standard' user to verify permisions are working as I intended.  This would be an awesome feature request.  Perhaps even with the ability to edit global permissions as an admin while in 'filter view' so that changes/corrections can be viewed (or disappear, as the case may be) immediately.

Is this even feasible, given the current roadmap, or would it require too much coding to make it break-even attractive?

[conrado]

As an administrator I can see any information in any workspace anyway... In other words: There is no privacy for standard users anyway...

That is what worries me! Privacy (confidentiality) should always come first. So we should rather work on fixing that, before we make things easier for administrators.

Right?

[editfish]

As an administrator I can see any information in any workspace anyway... In other words: There is no privacy for standard users anyway...

That is what worries me! Privacy (confidentiality) should always come first. So we should rather work on fixing that, before we make things easier for administrators.

Right?

I think it could be addressed in such a manner to recognize both privacy and ease-of-use concerns, in that the admin could set permissions up until the actual user disallowed admin override for a particular workspace.  Thus the end user could have control over the privacy issues, and the admin could have ease of use up until the end user decides to take control of their own workspaces (thereby being the 'admin' for their own workspace/data).  The actual admin would then be able to make system wide changes (even removing user or their workspaces) but just not to change what is in those workspaces, or to change the permissions.

The future help file, or sytem messages could walk the end users through the process before they add sensitive material.

[conrado]

Yes, that is very similar to what I have in mind.

The thing is that getting there requires previous steps:

• Test
• Get 1.0 out
• Test
• Get 1.0.1, 1.1, etc., with what we discover has missed 1.0 but is absolutely essential.
• Test
• ...
• Address Privacy issues
• Test
• ...
• Address Usability issues that concern end-users
• Test
• ...
• Address Usability issues that concern sysadmin

Man... do we have work to do! 

[msauter]

Wait! We all agree that there is room for improvement regarding the permissions. And now you are thinking about making it even more complex by giving the standard users the opportunitiy to lock the admins out?

It's absolutely common in any system that there is a super user who has access to the whole system. And I think it's for good reasons.

[conrado]

Not exactly.

Room for improvement: - LOTS!

Improving usability for admins before end-users: - Doesn't have my vote.

Having the permissions (usability) be more complex than it is now: - Please no! I live in this system, and I can barely grasp its permissions features myself!

Privacy is a big deal for me. That is one of the main motivations behind OpenGoo: to know that my information is mine, in every sense:

• I don't lose it
• You don't see it if I don't share it with you

So, if my sysadmin has a hard time to access my private data, that is all the best. No security system will ever be 100% perfect (secure), but at least we should try.

I am not saying the system should not be easy to use by sysadmins. All I am saying is that current focus is on other aspects.

Also, if users want to give up their privacy to ease administration, that is fine, and up to them. Me, I take my nude pictures more seriously than Paris Hilton does.

[conrado]

Very interesting/important topic, by the way.

I would like to have others share their opinions.

[editfish]

Also, if users want to give up their privacy to ease administration, that is fine, and up to them. Me, I take my nude pictures more seriously than Paris Hilton does.

lol, I was thinking of more benign items, but you are right.  The admin should at the very most—assuming user privacy is turned on—be able to view the workspace name (and perhaps the permission settings), but not the individual items assigned to those workspaces (nor be able to change the permissions, but viewing them would be helpful from a 'help desk' scenario for walking the user through editing permissions themselves.

At least that's my understanding of your the privacy vs convenience argument.

I guess if there ever was a reason for a so-called 'super-admin' to have complete and unfettered access, it should be in the form of a 'pushbutton permission' whereby the user gives an admin (general or specific) complete permissions for that one session only, and the permission would expire within a predetermined time frame or when the user logs off...

As always, 2¢.

[msauter]

Two more thoughts:

1. The "switch user" feature can also be a tool to protect privacy, because it allows the admin to make sure that a certain user has only the rights he/she should have.

2. If we really care about privacy then we have to encrypt the whole database and all files (because they are accessible at least for the person who installs OpenGoo).

[conrado]

@editfish: Totally agree.

@msauter:
1. Totally agree.
2. 99% agree. Encrypting database has lots of costs though (Performance loss and added complexity mainly). There are workarounds: You could have the password to the whole system (linux root, mysql admin, etc.), and only grant access to your admin on a very controlled manner (temporary sudo... that sort of stuff).

I am playing too paranoid a role here, but it was my way of illustrating the implications.

Also, Martin, don't get me wrong: the feature request is a very good idea. To me, it feels like we have some other stuff to improve before we can get to that.

I don't have that many nude pictures either...