[User Management] Disable a User #12601
Comments
LukasReschke
changed the title
|
@MorrisJobke @craigpg FYI |
|
As this seems to be work in progress already it might not be too late to add that it would be at least as useful as to be able to do the same with groups. I.e., i have a group of >50 users. Back then, when the group was smaller (~6), I changed the pw for every user/login, so data won't get changed, while investigating some issue. Of course after the first time changing and reverting passwords I created sql queries to change and revert the passwords. This still is not only inconvenient - it also does not instantly apply its purpose, as the users still have a working auth session. So I additionally have to restart the webserver to ensure everybody is "locked out". Really would appreciate to be able to use this feature. |
|
well - your situation can be best handled with the single-user-mode which can be set via the console |
Thank you very much for pointing that out. For every client I have an account (company users) which is used for calendar sync only. I - in addition - have another account, which contains all shared client's calendars (company admin). |
|
Thinking about having removed a user without removing its data, how would you manage that after then? One would probably need a way to access this “orphaned data”, either to remove it or to re-attribute it to another account to manage… (just some thoughts about real life problems ;-) ) |
|
I am highly disappointed that this seemingly basic feature has been pushed to the backlog to be forgotten about. Every single enterprise system or software package that offers user accounts offers a way to disable those user accounts. My company has been waiting for this feature for months/years. If Microsoft, of all companies, can let you disable users you'd think the swift development of OSS could do the same. |
You're welcome to contribute this feature swiftly. Thanks 😄 |
|
I would love to contribute this feature, however the almighty ownCloud gods are working their black magic. Maybe some other eyes can see what I can't. I edited the user array that gets sent to the template that displays the whole user list when logged in as admin so it contains a new element, uidEnabled. The backend code for disabling a user is already there, you just need a row in oc_preferences for uid,core,enabled,false. That works if manually entered, my account can no longer login. My problems start when attempting to use that field in the template. I verified that in the template (settings/templates/users/part.userlist.php) it can see my new field. I printed it to a file to ensure that for my account core,enabled->false. It's there. What I'm attempting to do is put a checkbox to the left of each user that is checked if the account is enabled (core,enabled->true, which is the default return from the getValue function because ownCloud doesn't put the core,enabled->true db row for any users) and unchecked when the account is disabled (core,enabled->false). The black magic is that the foreach loop that supposedly goes through all users to produce the list on the screen seems to jump around. It always showed my account as being enabled even though it's not. Here is what my list looks like now (just for my user):
When I saw that the checkbox was checked and it shouldn't be, I manually printed out $user["displayName"] to make sure it was working on my user (which, if the foreach was acting the way it should the $user array shouldn't have access to any other info at that point). Instead of printing my displayName, it printed "admin". This is also confirmed by looking at the HTML. Each TR should be labelled with the user account shown in that row, however for me I'm seeing "admin" as the user for about half of the rows.
You can see that the TR has admin's displayName and not mine like it should. My initial assumption is that whatever AJAX is building the screen is breaking this, but at this point I'm not sure. I'm just annoyed. |
|
00003501 |
|
What a wonderful boondoggle. You've all been talking about this for 2 years. I've been USING THIS FEATURE for 2 years in ownCloud 6 and 7 and is the reason I have not upgraded my users to 8 and 9. And yet you guys have discussed it to death. HR and most enterprises work in LDAP. That means that permissions are controlled by group policy. Group policy implies group membership When a user is disabled, they are attached to a group that specifically designed to have no permissions. In our case, that group should fail all login attempts. The issue here is three-fold which have not been thought through at the enterprise level - and yes - there is a DEMAND for this solution - you just can't hear us roar because we've got laryngitis from shouting.
So for everyone that has read this far, this is how I solved in 7.0 and I am still trying to figure out how to solve it in 9.x.
Now, the preferred way would be to do this with groups, and a pre-login hook and settings in the admin screen. I did try but for the problems mentioned above, was not worth the work. In the interim, this just works. It's just not persistent-across upgrades, so I have to recreate the solution each time. But MY maintenance debt up until v8 was low. Recommendation: fix the ownCloud pre-event emits to expect values first that decide whether the pre-event requested failure and the rest becomes child's play. |
|
Fixed with 9.1 |
|
Can you please provide clarity on what the fix was? Do we have a feature for this or is the 9.1 event system better at recognizing pre-event fires triggering "fail" conditions? A little clarity goes a long way to how we handle things going forward. Thank you in advance. |
In 9.1 a user can now properly be disabled using an occ command. A disabled user can no longer log in and session information is properly purged. |
|
Are the users files preserved? If not, then this is still going to create Does disabled affect any other aspects other than login? On Thu, Aug 25, 2016 at 10:01 AM, Thomas Müller [email protected]
|
|
Wait - what? It is a manual OS command to disable a user? This is then only an interim solution as it treats this change as an Admins can only interact with the application through the application On a regular basis, I have 5-50 users that are no longer allowed access per Please do not mark this as complete if the only solution is a command line Also, is the "disabling" logged? For HR purposes at the enterprise level, Thanks! On Thu, Aug 25, 2016 at 10:04 AM, Shamim Islam [email protected]
|
|
... and there is a provisioning api call to disable a user @carlaschroder we need to document this call 😉 |
|
I am with @ShamimIslam. The only way this should be marked as Closed is when a GUI option is present that an admin can click to disable/enable a user. Adding the backend code, while obviously necessary, does not solve anyone's problem as only a select few people have access to run such commands. This needs to be a GUI option, perhaps a checkbox or a button that toggles a user's enabledness. |
|
Does the "disabling" retain all the users content? Just making sure. Does the "disabling" record an audit trail (as well as the "enabling"?) A checkbox might be too easy but I agree with the GUI approach. On Thu, Aug 25, 2016 at 10:16 AM, Thomas Müller [email protected]
|
|
@slonkak @ShamimIslam pull requests are welcome to integrate this into the ui.
there is no auditing in the community edition
disabling is not deleting - any content will remain |
|
One last question and this may be the wrong thread to ask this on. Is there On Thu, Aug 25, 2016 at 10:43 AM, Thomas Müller [email protected]
|
|
Or does a disabled users shares remain shared at least? On Thu, Aug 25, 2016 at 11:49 AM, Shamim Islam [email protected]
|
|
@ShamimIslam This might help: |
@slonkak @ShamimIslam All contributions are accepted, do you want to implement it? |
|
That depends. Do we now have a skeleton app that contains basic files as In the past, it was very trial and error, and it was very time consuming to It's not obvioius where you guys want to trigger things on the front end If we had a clear skeleton that could move basic data from the front to the The logic is not the hard part. Fitting it into the framework correctly is On Mon, Aug 29, 2016 at 3:25 PM, Carlos Damken [email protected]
|
|
I will look at file:trasnfer-ownershp. Thank you. On Mon, Aug 29, 2016 at 3:24 PM, Michael Stingl [email protected]
|
@ShamimIslam You are correct. If you read farther back in this thread I did try to implement such a feature to no avail. After looking through the code (I've had to modify this app to add in HIPAA audit trails for my employer) it seems that the authors wrote it in such a way that only they are meant to modify it. I can't make heads or tails of most of it. |
Great! 👍 |
|
@Slonak I had the same experience EXCEPT that in ownCloud 5, I was able to But the only other problem to upgrading to 9 is that restricted_access is a Let's see what happens next. Maybe someone will post an updated skeleton On Tue, Aug 30, 2016 at 8:43 AM, Kevin J. Slonka, Sc.D. <
|
|
@ShamimIslam I think this GitHub issue isn't the right place for this discussion. I would suggest using https://central.owncloud.org/ instead… (should be back in a few minutes) |
|
Apologies. Will move discussion as requested. When I get a chance. On Wed, Aug 31, 2016 at 5:19 AM, Michael Stingl [email protected]
|
|
GUI checkbox for enabling/disabling in the users page will be released in 10.0, thanks to @AlexLaroche for implementing it in #27333 |
|
Note, the checkbox is hidden by default like other columns and need to be enabled by going to the cog icon on the bottom left. Once the column is enabled it will stay visible for that user. (user preference about visible columns) |
|
This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs. |
As an admin, I want to be able to disable a user in ownCloud, so that this user can no longer access ownCloud. Later, I may want to enable the user, or delete the user, depending on the situation.
Acceptance Criteria:
When you have a user and hit the x button, the system asks if you want to 1) disable or 2) delete the user, with a check box to add that their data should also be permanently deleted.
Local and external auth (LDAP / AD / SAML, etc) users can be disabled
Remarks by Engineering:
Depends upon #12593
The text was updated successfully, but these errors were encountered: