Traditionally, Horde only knows two kinds of users: Users with administration flag and users without. The list of admins is a static entry in the horde config file. It’s all or nothing – either a user gets access to all admin functions or to none. At least until recently.
Last October I wrote about a patch for Horde 3 which allows permission-based access to individual admin privileges. This patch has now been ported to Horde 4 and is incorporated in Horde 4.0.6. You can now assign a user the task of managing groups without allowing him to use the permissions admin and grant himself additional privileges. Or you can delegate emergency password resets to a group of trusted people without confusing them with icons like the PHP Shell. Only those admin functions are shown which the user has access to. Another side effect: Even if a user has all admin permissions, he is still not recognised as an admin and won’t be shown things that admins always have to see regardless of their permissions and settings.
In theory, you can now give yourself all admin permissions and safely delete yourself out of the admin list – as long as you have the “configuration” permission, you can always go back and restore without manually editing the conf.php file.
The Administration permissions are handled in the permissions screen just like any other user permissions. They live under the “horde” component. Currently only the “show” flag is actually recognized but this will be expanded later.
Horde Groupware is a great couple of end-user applications with a lot of flexibility. It supports many different sources or backends for retrieving authorized users and putting them into groups which have access to some resources like calendars, address books or inventory lists. Horde includes a GUI for editing users and groups if the backend supports it. The GUI is accessible only to those users which have the global administrator privilege set in the conf.php configuration file. Users with this flag can access all administrative options like the SQL shell, the configuration editor and the permission tree. This is usually not what you want. Administrators want to delegate tedious user and group management to moderators or managers, but they do not want to enable these people to make harmful changes to the general application setup. Even worse, administrator users always see all applications, even those not properly setup for usage. There’s no way to disable that.
To fix this, I have provided a patch against horde 3.3.10 which allows more flexible administration permissions. You can now allow certain users to access only some administration screens like the users screen or the groups screen while not allowing them access to the permissions editor at the same time. These users will be presented only the administrative links which they have access to. Technically, they don’t get the isAdmin flag, so they don’t need to view everything a full administrator can see. I used the horde permissions system to implement access management, after Jan Schneider suggested this move instead of writing a full “account management module”. There is no feedback yet if this patch will make it into mainstream horde3 but I will use it on some horde installations.