Is it possible using one instance of Piwik to have multiple Administrator accounts which are not sharing particular websites among themselves and they are not visible to each other?
If so, then how to do it? If not, then maybe there's some other software I could use?
You can set permissions to a website to "admin" level and assign different user to each set of websites. You don't have to set "superuser" permission.
Related
I use Windows 10 Home with a separate Admin account, using a limited account for day to day work. I've installed Docker (community edition) using the admin account, but when I switch to the limited user, it wouldn't let me run it unless my limited account joins the "docker-users" group.
This question isn't to ask how to join that group (see this other question) but instead to to ask why the group is needed. Is this a security measure? Do I open up a vulnerability by using Docker from a limited account?
If it isn't a security measure, what reasons would I have for denying a user membership of this group?
Being able to create docker containers should be considered a privileged action because it allows someone to host new services on the underlying server, including hosting interfaces on low-numbered ports (22, 80, 443 etc).
The "docker-users" group exists to allow non-admin users to perform these privileged actions, bypassing the security control that required an admin user. This exists for the convenience of managing docker containers from a standard user rather than an admin user. The security benefit of this is that you can further lock down your admin account as you no longer need to constantly access it for docker management. The downside is that the compromise of any account in the "docker-users" group could result in a compromise of your whole docker environment.
In the case where you are the only one using your PC, then it doesn't have much impact because if someone were to compromise your account, you would have bigger issues anyway. In shared computer environments, you may have some select users with the privilege to use docker, but allowing all user would significantly increase your attack surface, and allowing no users would mean you have to provide each user that requires access to docker with a privileged account.
I'm trying to setup AD in my office and I'm facing problem with 'allowing remote desktop'.
We have more than 50 employees and we need to provide computers to each of them.
It's easy to allow all users(or groups) to each computers, but I have no idea how to configure GPO to allow certain user to certain computer which has to be applied to 50 individual computer.
For example, If I just wanted to allow more than a single user could logon to a single computer, I could do like this.
Computer Configuration > Policies > Windows Settings > Security Settings > Restricted Groups > Add group to Remote Desktop Users(Built-in)
But in my case, I have to allow only one user to each computers.
Do I have to create more than 50 policy objects with same configuration only but different users?
This seems way too inefficient to me.
Is there anything I can try? Plz help me.
in AD, under the tab "Account" there is a button "log on to..." where you can specify the computer that a user can logon to.
I would need to restrict the deletion of a record for system administrator without using any custom code (like javascript, plugin). Can someone please suggest me the possible approaches for this.
I assume you just want to restrict deleting with no condition to check. There seems no logic in this scenario, why would anybody need this to be implemented that too for System Administrator.
Well if it is your ultimate goal then this could be done with below steps,
Create Workflow on delete trigger.
Create step as "Stop Workflow"
Set Status as "Canceled"
Save and Activate the workflow
You can set the custom Message in step parameter "Status Message". This will be visible while deleting a record.
You can't change the system administrator role out of the box. I would suggest the following approach:
Copy the System Administrator role (e.g. System Manager), but remove delete permissions.
Give users your copied System Manager role.
Remove System Administrator role from all but 1 user.
I'm pretty sure there has to be at least 1 account with system administrator role, but at least this way you can restrict delete permissions.
Seriously the problem is not the delete privilege in System Admin role. It’s the problem with system implementation, and power users who don’t know the real power they possess. First of all, System Admin/Customizer should not be given to end users.
Solution is design another Tool admin role(like James said), Assign it & educate the users. Taking out data governance from tool users & keeping it with Dev team is not a good move. If you have Prod support team, then fine.
Learn what different user base needs in day-to-day work, design well like considering user level privileges (they can delete what they create, etc), make use of Dynamics 365 CRM powerful security concepts, approval or layered process with Tool admins or Prod support, even dashboards for junior users, senior users, Audit reports, identifying tool champions for user training & revisiting the security gaps are key steps here.
Also only Read, Append, AppendTo should be given for Master entities (country, state for example), sometimes user will edit/delete the actual data instead of lookup value.
We have several developers, working on the same application (to be deployed on Heroku).
We know they can open separate Heroku accounts, and share the application using "heroku sharing:add".
But is it possible to use a single "team" account? Are there limitations on people logging in simultaneously from different PC's ? Or any other technical reason to avoid it?
Note we're not worried about them overriding each other's deployments, because it's for development (not production), and it's a small team.
Thanks :)
Although you can grant limited access to multiple Heroku accounts, only one "Owner" account has privileges to modify the account configuration.
If more than one person needs to modify your account/app configuration (ie: changing/provisioning add-ons, etc), it's best to create a shared e-mail/password stored in a secure password manager like 1Password. However, this is a hassle and opens up some vulnerability. It may also be against Heroku's TOS, but isn't likely enforced.
I would recommend using multiple accounts for anyone who needs read-only or deploy access. I would limit a shared Owner account to the privileged users who need full access.
Let me state first: I know that any user that wants to run a program (or even log in), has to have access to (probably at least) the Windows system directories and the shared libraries in %ProgramFiles%, but I'd like to be able to access Skype, for example, by running it with an unprivileged user and make sure that it can't access any unnecessary files.
I fear that the only way to do this would be to identify all of the gazillion directories where I store files that I don't want this user to access and then create a new user group that can access these directories, or run Skype and Azureus in a VM.
Is there a better way?
Normally, accounts are members of the Users group at least, which does have access to many things. You could make the account a member of no groups, or the Guests group which is very restrictive.
The real issue is that the program's token (an internal security object that keeps track of what security identities a running process has) will contain the Everyone and Authenticated Users groups, which also have read access to lots of stuff. There is no way to create an account without those groups. You could remove the access that Everyone and Authenticated Users groups have to most everything, but it would be a lot of work to track all those down.
I would say that creating a standard user or guest access account for untrusted programs would be plenty secure enough. To support self-updates and to keep related files in the same place, I suggest you install those programs directly in the profile of the user account they will be running as, e.g. C:\Documents and Settings\skype\Program Files\Skype
If you want to get really fancy, you can use a restricted token to either make the Everyone, Authenticated Users, etc. groups deny only (so they can't grant any access) or create a Restricted SID list. This will be difficult to implement because there are global objects that programs will expect to access that the Everyone group has access to, which is normally a safe choice.
See CreateRestrictedToken Function.
There is also an open-source command line program I created a program for creating restricted tokens and job objects on the fly for that purpose: UlimitNT
Maybe sudown is a solution. It's a sudo-similar (as known from Linux) approach to running as unprivileged user, but having the possibility to promote to an administrative account (with password) when needed.
I suppose you could lock down the machine so the user can solely log on, not even start skype with his rights, but start skype by "run as" with sudown.
Besides using a VM you could look into using a Sandbox. Look at Sandboxie fox an example.
simply use acl apis (samples in msdn)