Introduction
The extended permissions feature allows you to define custom permissions for your users. This is useful if you want to restrict access to certain resources or actions in RPort, such as creating tunnels only to specific services / ports, forcing the use of a named parameter, or allowing only specific commands to be executed.
This can be applied to:
- Restrictions in Tunnels
- Restrictions for Commands
This feature requires two additional columns in the group_details table of your user database:
- tunnels_restricted (string): JSON string with the tunnel restrictions
- commands_restricted (string): JSON string with the command restrictions
To create the columns execute:
cat <<EOF|sqlite3 /var/lib/rport/auth.db
ALTER TABLE "group_details" add column "tunnels_restricted" TEXT DEFAULT "{}";
ALTER TABLE "group_details" add column "commands_restricted" TEXT DEFAULT "{}";
EOF
Your database file might have a different name or location. If you are using MySQL, change the SQL query accordingly.
If the fields are not present in the database, the rport server will not start at all.
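Because a missing column stops the whole server, it is worth checking the schema before a restart rather than discovering the problem when the service fails. The following is an added example, not part of RPort's own code: it runs the same two ALTER TABLE statements idempotently (only adding what is absent) and then verifies that every row holds a JSON object, since the columns are documented as JSON strings. It uses an in-memory SQLite database as a constructed stand-in for /var/lib/rport/auth.db, assumes a `name` column in group_details (a hypothetical layout; the page does not describe the other columns), and writes the default as '{}' with single quotes, the portable SQL spelling of the page's "{}".

```python
import json
import sqlite3

# The two columns the feature requires in group_details (names from the page).
# The default is written with single quotes, the portable SQL string form.
REQUIRED_COLUMNS = {
    "tunnels_restricted": "TEXT DEFAULT '{}'",
    "commands_restricted": "TEXT DEFAULT '{}'",
}


def existing_columns(conn, table="group_details"):
    """Set of column names currently defined on `table` (SQLite PRAGMA)."""
    return {row[1] for row in conn.execute(f'PRAGMA table_info("{table}")')}


def add_missing_columns(conn, table="group_details"):
    """Idempotent migration: add only the required columns that are absent.
    Returns the names of the columns that were added, in order."""
    present = existing_columns(conn, table)
    added = []
    for col, decl in REQUIRED_COLUMNS.items():
        if col not in present:
            conn.execute(f'ALTER TABLE "{table}" ADD COLUMN "{col}" {decl}')
            added.append(col)
    conn.commit()
    return added


def invalid_restriction_rows(conn, table="group_details"):
    """(group name, column) pairs whose restriction text is not a JSON object.
    Assumes group_details has a `name` column (hypothetical, not from the page)."""
    bad = []
    for col in REQUIRED_COLUMNS:
        for name, raw in conn.execute(f'SELECT "name", "{col}" FROM "{table}"'):
            try:
                parsed = json.loads(raw if raw is not None else "{}")
            except json.JSONDecodeError:
                parsed = None
            if not isinstance(parsed, dict):
                bad.append((name, col))
    return bad


def build_sample_db():
    """Constructed in-memory stand-in for auth.db: a pre-feature group_details
    table with only a `name` column (assumed layout) and two sample groups."""
    conn = sqlite3.connect(":memory:")
    conn.execute('CREATE TABLE "group_details" ("name" TEXT PRIMARY KEY)')
    conn.executemany('INSERT INTO "group_details" ("name") VALUES (?)',
                     [("Administrators",), ("Operators",)])
    conn.commit()
    return conn


def preflight(conn):
    """Run the migration twice (the second run must be a no-op), then check
    that every row holds a JSON object. Returns a summary for the caller."""
    first = add_missing_columns(conn)
    second = add_missing_columns(conn)
    return {
        "added": first,
        "added_on_rerun": second,
        "columns_present": REQUIRED_COLUMNS.keys() <= existing_columns(conn),
        "invalid_rows": invalid_restriction_rows(conn),
    }


if __name__ == "__main__":
    db = build_sample_db()
    print(preflight(db))
    # Simulate a hand-edited row with broken JSON and re-check it.
    db.execute('UPDATE "group_details" SET "commands_restricted" = ? WHERE "name" = ?',
               ("not json", "Operators"))
    print(invalid_restriction_rows(db))
```

Against a real installation you would replace `build_sample_db()` with `sqlite3.connect("/var/lib/rport/auth.db")` (stop the server or take a copy first, as ALTER TABLE rewrites the schema); rows that fail the JSON check are the ones the server cannot parse and should be corrected before restarting.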
Extended permissions are evaluated after the standard permissions. This means that if a user has the tunnels permission set to 'false' in the standard permissions, they will not be able to create tunnels, even if the extended permissions allow it.
Similarly, for command restrictions (the allow / deny sequence) to take effect, the user must have the commands permission set to 'true' in the standard permissions.
Standard permissions take precedence over extended permissions.
This documentation page covers the usage of the Extended User Group Permissions feature for admins. It assumes familiarity with rport and related concepts. If you are new to rport, it is recommended to review the general documentation and user guides available for better understanding.