RFE: True View-Only WebCFG options
Currently pfSense allows a number of options for WebCfg Status pages to grant access to (e.g. Captive Portal, load, Gateways, Services, Dashboard, etc). While these status pages allow the user to view status, they also appear to allow the user to do things like stop and restart services, make changes to the configured Dashboard (add/remove items as well as stop/start/restart services), disable/delete active captive portal sessions, etc.
Would be very helpful to have the option to define a true view-only class of access which completely removes any access to stop/start/restart of services, editing of Dashboard objects, etc. The goal in mind would be create a view-only environment to hand off to NOC/SOC teams.
Updated by Nicholas Gold about 3 years ago
Joshua Sign wrote:
maybe this can help you : https://redmine.pfsense.org/issues/9252#note-1
Joshua, Thanks for the suggestion!
I did attempt to lock it down with the "Deny Config Write" permission, with mixed but mostly negative results.
- Additions or removals of widgets - Clicking a [+] for new widget or [X] to remove existing widget results in a page refresh with no change to Dashboard: Pass
- Stopping/Starting/Restarting a service via Services Widget - Clicking any option next to any service allowed the user to affect the service: Fail
Status > Services:
- Stopping/Starting/Restarting Service - Clicking any option next to any service allowed the user to affect the service: Fail
Updated by Jim Pingle about 3 years ago
Starting and stopping services are not config writes, they are state changes. The "Deny Config Write" privilege does exactly what it was designed to do, nothing more.
There is not currently a privilege that will deny a user from performing actions.