diff --git a/admin_manual/configuration_server/admin_delegation_configuration.rst b/admin_manual/configuration_server/admin_delegation_configuration.rst index 8b87a5c67..564222eca 100644 --- a/admin_manual/configuration_server/admin_delegation_configuration.rst +++ b/admin_manual/configuration_server/admin_delegation_configuration.rst @@ -1,27 +1,44 @@ -===================== -Admin right privilege -===================== +====================================== +Administration privileges (Delegation) +====================================== -By default only members of the admin group can access and edit the admin -settings. It is sometimes needed to give some group of users access to a -setting page while not giving them access to everything. For this you can -use the *Admin right privilege* settings. +Introduction +~~~~~~~~~~~~ -.. note:: - Not every setting pages support this features. This is due to either the - feature not being implemented yet for the specific setting page or due - to possible privilege escalations. +Nextcloud has built-in functionality which permits administrators to delegate authority +to others without granting them full administration privileges (and without making +them a member of the ``admin`` group). -Configuring Admin right privilege -================================= +This administration privilege delegation functionality is supported by many shipped and +ecosystem apps that have their own settings areas under *Administration settings*. -Go to the *Admin right privilege* Admin page, you should be presented -with the list of settings that support this features. +.. note:: If you're an app developer and would like administrators to be able to utilize this + functionality for your app, you need to enable support for delegation of your settings (see + the Developer Manual for specifics). + +.. tip:: Delegation of user management isn't handled here, but through the use of + :doc:`Group Administrators <../configuration_user/user_configuration>`. + +Usage +~~~~~ + +By default only members of the ``admin`` group can access *Administration settings*. You can +create additional user groups (or use existing ones) and then grant these groups access to specific +settings. + +While logged in to an account that is a member of the ``admin`` group, go to +*Administration settings* -> *Administration privilege*. You will be presented with the list of +settings pages and sections, including for any installed apps, that support delegation. .. figure:: images/admin-right.png -By clicking on the combobox, you will be able to choose which user groups -are able to access the selected setting. You can revoke the access at any -time by removing the group from the selection. - +By clicking on the combo box, you will be able to choose which groups are able to access the +selected settings. You can revoke access at any time by removing the group from the selection +(or, if you wish only to revoke access for an individual account, by removing that account from +the configured group). +.. tip:: + Not every settings page or section supports delegation. This is either because delegating + access to that particular settings page would enable privilege escalation (i.e. bypassing + of the limited administration authority) or delegation has not yet been implemented for + that specific settings page or app. diff --git a/admin_manual/configuration_server/images/admin-right.png b/admin_manual/configuration_server/images/admin-right.png index d845b95f1..b0e5215d8 100644 Binary files a/admin_manual/configuration_server/images/admin-right.png and b/admin_manual/configuration_server/images/admin-right.png differ