Implement roles in Nextcloud

[Baptistou]

Is your feature request related to a problem? Please describe.
The main problem is that, in medium and large scale, we have to define permissions for a category of users, which are spread into multiple organizational groups, and a same group contains different categories of users which need different features/permissions.
The feature of "Groups" in Nextcloud can be used as both an organizational container of users, e.g. seperating different branches of a company, and a permission container, configured in group whitelists/blacklist in Apps or Admin panel.
Therefore, we have to assign users to at least two groups, one for organizational struture and one for feature permission.
As an undesired result, all those groups are visible and configurable in different and inconsistant places in the interface such as Share list, Talk app, Personal settings, Apps panel, Group folders... which is confusing for both users and admins.
The concept of "Roles" takes on its full meaning here,

Describe the solution you'd like
Please implement the concept of "Roles" in Nextcloud to separate organizational struture and user permissions.
Permissions should be configurable in one unique and centralized place related to roles.
Moreover, the user should not be aware of the role he belongs to, this is a technical information only handled by admins.

Describe alternatives you've considered
When I have to restrict feature access to some users, I have to create a group, assign users to it, update authorized group whitelist in different places in Apps panel and/or in Admin panel (e.g. Talk app, Group Folder).
This is really not convenient.

[benjamindahl]

From a data protection point of view, I'm looking for a similar feature.
I want to hide specific groups from others and give access to specific features to single users. A more precise permission assignment to groups is really needed.

[stovesy]

I agree in part here. Conditional access to applications based on user 'groups' would be good. An instance here is where we have 'guest' users out of our company, we don't want to provision calendar, tasks etc to these users, merely file access.
Thanks

[summersab]

I'm adding my support for this feature request (#7482 may be related, by the way). There is a dire need for more granular permissions/roles for users and administrators. This could be done in a number of ways:

• Adding more user "types" like Admin, Group Admin, Manager, User, Consultant, Guest, etc. Each of these groups has different permissions.
• Granular permissions for users, groups, roles, etc.
• A combination of the above.

Obviously, the first option is easiest while the second is the hardest. There are a number of factors at play:

• How granular do things go? Are we talking Active Directory-level of control?
• Should it be possible to add new app-based permissions? This would require developing some sort of hooks.
• How does this tie in with other user management systems like LDAP?

I think this is a pretty important feature. It's certainly a huge undertaking, but it should be a fairly high priority, in my opinion. I just started really digging into the code tonight, and I'm trying to figure out where to start. Feedback from people more familiar with the structure of the code would certainly be appreciated.

[summersab]

I found two RBAC libraries for PHP:
https://github.com/OWASP/rbac
https://github.com/php-casbin/php-casbin

On one hand, OWASP is one of the "gold standards" in security. On the other hand, Casbin is a more active project, and it has more cross-language support (might be helpful if Nextcloud ever begins supporting plugins/add-ons in different languages down the road). Also, there are some pretty noteworthy projects using Casbin, apparently. That makes me lean toward that project as a starting point.

Edit: Oh, dear - Casbin uses conf and csv flat-files instead of storing the configs in a database. That's a no-go. PHP-RBAC uses a database.

Also, it looks like this fork added Postgres support, so that may be important:
https://github.com/jamesvl/rbac

[summersab]

Okay, I believe I understand how this works. NC uses annotations to set permissions throughout the controller classes. It uses things like:

@NoAdminRequired
@NoSubadminRequired
@NoCSRFRequired
@PasswordConfirmationRequired

If these are set in the PHPDoc before the function, the system performs security checks. This . . . is kinda gross. I mean, it works, but it seems like a shoe-horned solution, and I didn't find it to be well-documented at all.

To add RBAC support, new structures need to be added to the DB to contain permissions for users. Then, the hasAnnotation calls need to be edited to check for user permissions. The list of available annotations should be expanded to allow granular control over specific functions. Lastly, a new page needs to be added (or a current page modified) to provide a way to manage permissions from the web GUI.

All-in-all, not impossible to do, and it shouldn't take that long. However, I would want to work in conjunction with one of the NC devs before attempting to overhaul something like this on my own without their input.

[hsluoyz]

@summersab Casbin supports to store policy into a lot of DBs via adapter: https://casbin.org/docs/en/adapters . Most of those ORM adapters support PostgreSQL.

[szaimen]

cc @nextcloud/server-triage is this something we want in the long term?

[skjnldsv]

cc @nextcloud/server-triage is this something we want in the long term?

Might be with circles in the long run