User Groups & Access Control

Today, we're announcing two new features: managing users using groups, and group-level access control for applications.

The story so far

Previously, all users on a Cloudron had access to all installed applications and the special built-in Admin group provided administrator rights.

With today's release, we have made it possible to create user groups and control which groups can access an application.

Groups

User groups can have distinct names like MarketingTeam, BerlinOffice, Developers etc. A user can be added to one or more groups by a Cloudron administrator.

Users in the special Admin group have administrative access to the Cloudron (installing and configuring new applications) and can manage groups.

Restricting access to apps

By default, any Cloudron user can access an application. With today's release, the application can be configured (via the configuration dialog) to limit access to one or more user groups.

Use cases

Employee groups

Let's say you have a public WordPress app, where only some employees are allowed to write blog posts. These employees can be grouped into a group named bloggers. This group can then be given exclusive access to the WordPress app. Note that the Cloudron's access control integrates tightly with WordPress user management and only restricts the usage of the private, content-generation parts of WordPress. The blog itself is public and anyone can read articles. (If you want the blog to be completely private, simply make it private in WordPress preferences or use a WordPress plugin.)

Project groups

If you are working on one or more projects with external parties (contractors/customers), you can restrict access to apps on a per-project level. Simply create a distinct user group for each project and assign the group to the apps they need access to.

Onboard & Exit

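If you have a new hire, simply assign them to the correct groups and they can single sign-on to apps. If a user leaves or has to be denied access, simply remove them from one or more groups. Removing the user from all groups can serve as a soft step before removing them from the Cloudron altogether. Keep in mind that an app left at the default setting is accessible to any Cloudron user, so group removal only revokes access to apps that have been restricted to groups.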

Single user applications

Some applications are designed to be used by a single user. Our solution to this problem has been to put such apps behind a proxy. The proxy acts as a firewall and authenticates users before allowing access to the application.

Prior to this release, the authentication proxy could be configured to only allow a single user. With today's release, the authentication proxy can be configured to allow one or more user groups. For example, you can configure a Developers group to access a Hastebin code paster.