I want certain people to be able to assign operator permissions to operations personnel; however, I do not want them to be able to assign themselves administrator-like access. Is there a way to either make certain roles not selectable, or segregate the user sources?
To allow users to manage users, in the web interface, go to 'Config,' and click on the 'General' link in the security section of the sidebar. Then, mark the checkbox for 'Allow User Admin,' and save the settings.
To limit who can access user management, in the designer click on 'Project' and select 'Project Properties.' Then, in the Vision section click 'Permissions':
Under user management, select the minimum role required:
Finally, you can filter what roles are an option in the user management tool using the filterRole extension function.
Example:
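    def filterRole(self, role):
        # Roles held by the user currently logged in to the client
        currentUserRolls = system.security.getRoles()
        if 'Administrator' in currentUserRolls:
            # Administrators are offered every role
            return True
        elif 'Lead' in currentUserRolls and role == 'Operator':
            # Leads are offered only the Operator role
            return True
        else:
            # Everyone else is offered no roles
            return False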
Result when logged in as admin:
Result when logged in as lead:
With this script, the result when logged in as anybody else would be that no role was available to select, but due to the fact that the other roles are excluded from the permissions set above, the entire user management tool will be disabled and inaccessible to the other roles, so that doesn't really matter in this case.
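The same rule expressed as a delegation table, with a check that no non-administrator role can reach Administrator through a chain of self-assignments. This is an added example that is not part of the original post, and it goes beyond the two-role case above. The names `GRANTS`, `can_assign`, `reachable_roles`, `escalation_paths` and the 'Supervisor' role used in the test are hypothetical; inside filterRole the call would be `can_assign(system.security.getRoles(), role)`.

```python
# Added example: delegation table behind a filterRole-style decision.
# GRANTS is a constructed policy mirroring the script above; None means "any role".
GRANTS = {
    "Administrator": None,
    "Lead": {"Operator"},
}

def can_assign(current_roles, role, grants=GRANTS):
    """Decision a filterRole body would return for one candidate role."""
    for held in current_roles:
        if held not in grants:
            continue  # roles absent from the table may assign nothing
        allowed = grants[held]
        if allowed is None or role in allowed:
            return True
    return False

def reachable_roles(start_roles, all_roles, grants=GRANTS):
    """Roles a user could end up holding by repeatedly assigning roles to themselves."""
    held = set(start_roles)
    changed = True
    while changed:
        changed = False
        for role in all_roles:
            if role not in held and can_assign(held, role, grants):
                held.add(role)
                changed = True
    return held

def escalation_paths(all_roles, grants=GRANTS, protected="Administrator"):
    """Delegating roles from which the protected role is transitively reachable."""
    return sorted(
        r for r in grants
        if r != protected and protected in reachable_roles([r], all_roles, grants)
    )
```

Running `escalation_paths` over the full role list whenever the table changes catches a policy edit that lets a delegating role reach Administrator indirectly.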
What can I do so that certain users only have permission to add users and cannot delete any?
Configure the security so that the role you want can add, but on the delete button that role cannot.