SUGGESTION: Multiple Group Assignment for Local Users

Additional features you would like to see added, changed, or removed. This forum isn't just for the Cerberus FTP Server application. Feel free to post suggestions for anything related to Cerberus (the website, this forum, ect.)
Post Reply
smithrw
User
Posts: 18
Joined: Tue Dec 13, 2016 6:46 pm

SUGGESTION: Multiple Group Assignment for Local Users

Post by smithrw » Tue Apr 18, 2017 1:24 pm

I am working on deploying Cerberus in our public facing DMZ. As a result, AD / LDAP is not available. We must use Cerberus Local Users and Groups. I can see no way in the current version of Cerberus to assign a user to multiple groups.

I use groups as definitions for VDs that are consistent against a user base. This keeps the management of individual user VDs extremely simple. I need to be able to extend this as follow:

User A has a dedicated directory assigned to him for his personal use, call it "Home"

Group 1 has 2 VDs assigned that all members will get - "Folder 1A" and "Folder 1B"
Group 2 has 1 VD assigned that all members get - "Folder 2A"

When User A logs in he will see "Home", "Folder 1A", "Folder 1B", and "Folder 2A"

With a small group of users it's not difficult to manage users directly. However, when you have departments that have upwards of 50-75 people or more, managing the VDs via Groups is infinitely easier.

I've searched through the forums and it seems that as far back as 2010 this was being discussed as a possible enhancement but, to date, it doesn't appear to be possible.

If this is in development, is their an ETA? If it's not, it should be fast tracked. This is an extremely useful functionality.

pacman
Senior User
Posts: 187
Joined: Thu Apr 28, 2016 1:54 pm

Re: SUGGESTION: Multiple Group Assignment for Local Users

Post by pacman » Tue Apr 18, 2017 4:54 pm

Yes, it's still not possible to assign a local user to multiple groups.
It is something that is in the development pipeline. We don't have an ETA at this time.

I do agree it would be a helpful feature to have. I will make sure the correct teams see this thread.

Steve.H
User
Posts: 30
Joined: Wed May 04, 2016 7:38 am

Re: SUGGESTION: Multiple Group Assignment for Local Users

Post by Steve.H » Wed Sep 06, 2017 12:00 pm

We are in the same boat as smithrw.

We have been able to work around the limitation so far with occasionally granting additional VDs directly to individual users, but that is becoming more cumbersome as our user base continues to find new opportunities to use the site.

Steve

smithrw
User
Posts: 18
Joined: Tue Dec 13, 2016 6:46 pm

Re: SUGGESTION: Multiple Group Assignment for Local Users

Post by smithrw » Wed Sep 06, 2017 12:42 pm

That's the exact workaround I have to use, Steve. Is there any update from Cerberus as to a product / feature request roadmap?

Steve.H
User
Posts: 30
Joined: Wed May 04, 2016 7:38 am

Re: SUGGESTION: Multiple Group Assignment for Local Users

Post by Steve.H » Wed Sep 06, 2017 12:56 pm

I haven't seen anything in the release notes for 9.x.x :cry:

User avatar
Serin
Site Administrator
Posts: 1785
Joined: Sat Jan 01, 2005 6:57 pm
Location: United States
Contact:

Re: SUGGESTION: Multiple Group Assignment for Local Users

Post by Serin » Thu Sep 07, 2017 3:23 pm

Hello Steve,

We haven't added support for multiple groups for native users yet.

There are a few reasons we've been hesitant, and we've detailed those in other posts.

The basic issue is group priority. If we have multiple groups, we can't differentiate which settings are applied to a user unless we do one of two things:

1. Create a group priority system of some sort. This would allow multiple groups and a way to determine which group's IP restrictions, SSH authentication, protocol restrictions, ect, take precedence. We really don't want to do this as it severely complicates things.

2. Create a new class of groups (i.e., secondary groups, or directory-only groups) that only transfer virtual directories to a user, and have some sort of rule in place to de-conflict cases where there are virtual directories in different groups with the same name (which could map to the same underlying location or not, and have different permissions).


The second option is what we've been thinking about doing. We've received many requests for multiple group membership for native users, and it seems directory access is the only thing customers are interested in.


I'll get back to you later this month about the status of groups in 9.0. I'm considering prioritizing it for inclusion this year.

Post Reply