How do you restrict access to Admin Panel for normal users?

user00563 Member
edited March 2023 in Datasets

I noticed today that ANY user in Domo can access the admin panel - how do you restrict this? As far as I can tell there are no options for restricting this either by roles or groups, and there's nothing available on admin/security options either. These end users are able to see the full list of other users set up in the system, what permissions roles have and who is assigned to them, as well as all group information.

They can also see and edit what cards and pages are available to other users, and can see ALL cards and pages set up in the system if they go to a user profile and click the 'Add page or card' link. This is a major security concern for me. Have I missed a setting that lets me stop this??

Comments

  • https://knowledge.domo.com/Administer/Controlling_Access_in_Domo/04Security_Role_Reference#:~:text=The%20various%20default%20security%20roles,security%20roles%20available%20in%20Domo.

    It is possible to enable custom roles so you can make and manage a bespoke set of grants; talk to your CSM for details.

    Jae Wilson
    Check out my 🎥 Domo Training YouTube Channel 👨‍💻

    **Say "Thanks" by clicking the ❤️ in the post that helped you.
    **Please mark the post that solves your problem by clicking on "Accept as Solution"
  • If you change their role to Participant, which is one of the five built-in roles, they will not have access to the admin center. Any other higher role (Editor, Privileged, or Admin) will have access to parts of the admin center. If the other capabilities that go along with the Participant role are too restricting, you would need to look into custom roles. 

    **Check out my Domo Tips & Tricks Videos

    **Make sure to <3 any users posts that helped you.
    **Please mark as accepted the ones who solved your issue.
  • After setting up several custom roles, it seems like granting role access for a user to edit a card or page is what provides access to the Admin center. Are there any options for letting a user edit specific cards without being able to access and view other users' information in the admin center? This doesn't look like an option on setting up role grants for some reason.

  • I think you need to be clear about what you're trying to restrict.

    Assume EVERYONE can access a tab called 'admin.' But not everyone can see the same options / do the same things in the admin tab.

    So, what exactly are you trying to limit? You describe several unrelated things...

    Jae Wilson
  • I want to have a custom role that allows users to edit cards and pages, but not access the admin center. I do not want them to access the admin panel because they are able to see all other active users, what pages and cards each active user has access to, all roles set up in the system along with grants/permissions for each role, and all groups currently set up. I cannot find a way to set up a user with a basic restriction to admin center while still being able to edit a card. I have set up several roles based on the Participant default, which does limit the access to admin, but as soon as I add the edit ability for cards then that admin center access is present. I don't understand why there isn't an option to allow/disallow this access based on role grants.

  • @user00563 ... please reread previous comments and revisit the previously linked KB article.

    https://knowledge.domo.com/Administer/Controlling_Access_in_Domo/04Security_Role_Reference#:~:text=The%20various%20default%20security%20roles,security%20roles%20available%20in%20Domo.

    Construct your grants based on what you want people to be able to do / restrict, and then find 'the right tool for the job' to cover any gaps.

    I get this sense that ... you object to users having access to something called 'admin.' Imagine that it wasn't called 'Admin' b/c frankly, the name of the tab doesn't matter! If users have (for example) the ability to delete a page, that's handled in the Admin tab... Does that actually make them 'an admin...' not really.

    Instead of worrying about a tab, tackle each objection and ask 'is there a tool for the job'.

    It doesn't matter who can see the name of a dashboard or card. If the data is properly controlled via PDP, then it doesn't matter who can see the name of an object in Domo. If you haven't implemented PDP ... that's a different conversation but there is a tool for the job!

    Similarly, you can't really stop people from seeing other users in the instance. That's counter to what Domo was designed to do. That said, if you're concerned about that, consider Publication Groups or using a Domo Publish model to forcibly compartmentalize users.

    I encourage you to articulate what you want to control and then use the right tools for that job.

    There are some granular features that can be disabled, for example Business in a Box. But I recommend that your first step be understanding what you can control with custom roles, and then talk to your CSM about Feature Switches.

    Jae Wilson
  • [Image attachment: Admin Center Access.PNG]

    I want to let basic users be able to edit a card, but not access this menu, circled in red. Accessing the menu shows other user information, which I want to restrict. The document linked says that this access is only limited on the Participant role, which has view only access and does not let you edit cards. There are no role grant settings to allow or restrict access to the admin menu, circled in red. I have users with sensitive information, and I do not want other users knowing who has access to that information. From what you're saying, it doesn't sound like there's any way to do this, because user information, under the Admin -> People heading, is not restricted by publication groups or PDP settings because those are focused on data, not system access. It sounds like we are talking about 2 different things here...

  • Wondering if there's any way to tackle this. It seems this Admin view is granted when cards and data access are given.