Web GUI access for non-root user to manage users and groups only

Can a non-root/non-admin user log in to the TrueNAS Scale (Electric Eel) web GUI to only manage users and groups and nothing else? Is this possible?

No, for a fairly obvious reason. If someone can manage users and groups they can create a new user that’s a member of a group with full admin access to the UI (or make themselves members of a group with full access to the UI). It’s trivially easy to escalate privileges once you can manage accounts.

That said, if for some reason other than robust access controls you want to do such a thing, you could in theory create a privilege that grants READONLY_ADMIN + ACCOUNT_WRITE privileges. There’s UI support for this. As I said though, don’t rely on this in any way to protect you. Once a person has full access to rewrite accounts, they basically own the box.

TL;DR, ability to make arbitrary account changes is de facto root-level access.
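An added example, not part of the original thread and not TrueNAS code: an access-review check that applies the point made in the answer above, treating any account that holds ACCOUNT_WRITE as able to reach every role bound to any group. The privilege and user records are constructed, and their shape (`groups`, `roles`) is an assumption for illustration, not the TrueNAS middleware schema.

```python
# Constructed sample data; the record layout is hypothetical.
PRIVILEGES = [
    {"name": "Local Administrator", "groups": {"builtin_administrators"},
     "roles": {"FULL_ADMIN"}},
    {"name": "Account Managers", "groups": {"helpdesk"},
     "roles": {"READONLY_ADMIN", "ACCOUNT_WRITE"}},
    {"name": "Viewers", "groups": {"auditors"}, "roles": {"READONLY_ADMIN"}},
]
USERS = {
    "admin": {"builtin_administrators"},
    "alice": {"helpdesk"},
    "bob": {"auditors"},
    "carol": {"staff"},
}


def granted_roles(groups, privileges):
    """Roles a user holds directly through privileges bound to their groups."""
    roles = set()
    for priv in privileges:
        if priv["groups"] & groups:
            roles |= priv["roles"]
    return roles


def reachable_roles(groups, privileges):
    """Roles a user can end up with once account edits are taken into account.

    A holder of ACCOUNT_WRITE can change group membership, so every role
    bound to any group is reachable, not only the roles granted today.
    """
    granted = granted_roles(groups, privileges)
    if "ACCOUNT_WRITE" not in granted:
        return granted
    reachable = set(granted)
    for priv in privileges:
        if priv["groups"]:  # role is attached to at least one group
            reachable |= priv["roles"]
    return reachable


def audit(users, privileges):
    """Return {user: (granted, reachable, escalation_gap)} for a review."""
    report = {}
    for name, groups in users.items():
        granted = granted_roles(groups, privileges)
        reachable = reachable_roles(groups, privileges)
        report[name] = (granted, reachable, reachable - granted)
    return report
```

A non-empty gap for an account means its current role list understates what it can do, so it belongs in the same review tier as full administrators.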

Thanks for the quick reply. I was just thinking if a regular user could have rights to only create other regular users and not someone with admin/root privileges. I don’t know how the code works. Just a wild guess.

No. If you need this level of control for accounts, it’s generally better to use a centralized identity management solution like AD.

Thank you so much for the clarity 🙂