Don't let "admin" users see all other users in Piwik

[anonymous-matomo-user]

I've made a piwik setup for multiple website accounts, and intergrated it in my CMS system. Also the admin-users are 'added' from my CMS.

When I go to the piwik UsersManager page with admin level permission, I see a list with all the admin accounts from the other websites.

The only connection of these admins to each other is that they are related to me, nothing else, and I would not like to give a clientlist to all my clients ..

I've found an old ticket/request, but still no solution.

I would suggest that this setting could be managed in the config.ini, or as a config databasesetting.

If admin level, dont't show UsersManager.
or
only show admins already connected to that webaccount.
Keywords: UsersManager admin

[mattab]

Thanks for the suggestion!

What was the other ticket you found?

See also slightly related #1568

[anonymous-matomo-user]

I think this ticket (3 years old) would describe the same problem
#2028

#1568 describes a more advanced role system.
Role systems are great, but people are lazy and settings can become complex (why grant admin this option, and not this option - people have to think to much, and mainly use default settings...). And technically it is a lot of development and extra maintenance.

I think the solution for multi website installs can be more simple, by grouping the admin users to an account.

Think of multiple fishponds with groups of fishes, and still be able connect some ponds together...

This way you have the benefits of adding admins, grant admins acces to other accounts etc, like now.

If an admin (A) is connected to site A, and also to site C, D, E every new user /admin added in A,C,D etc will have the same options within this usergroep, because they are related to each other.

But, when admin (B) is not grouped into site A, he will only see users of his own site B.

Only a superadmin can grant admin (B) acces to the group of admin (A) I think with only a extra field like groupid in the acces table, and some adjustments in the code, you can achieve this..

I hope I explain my idea correctly

[mattab]

I think we could add a new config setting to accommodate this use case. Please comment here if you are experiencing this issue!

[carlocarma]

We are experiencing the issue. We have more than 200 users in our piwik installation. Some of our users wanted to create and manage goals. We had to grant them admin privileges on their user account for their own website. The problem is that they can see all other users created in piwik installation. Is there any workaround?

[desven]

+1
For me, especially what carlocarma described is a problem. I want my users to setup goals but they should not see the other stuff, an admin can see.

[ricardo777]

Also +1 we also experiencing this problem. Have checked the config for an option but still not in it.

A bit of a shame if you ask me that this feature is lacking.

[simpleuser99]

I also experiencing the problem with piwik. I want that my users to make setup goals but they shouldn`t see the other users. How can i resolve my problem?

[mattab]

another request for this feature from email:

Why does an user with 'admin' privileges see all users on a Piwik instance - including one with 'super admin' privileges?
It would be more appropriate that the (site) 'admin' user in Piwik could add extra users only for his website and grant them required permissions ('view' or 'admin').

Explanation:
At the moment we can have multiple websites tracked inside one Piwik instance. Let's say for example we have three (3) of them.
We have one user which is Piwik administrator, so we assign him a 'super user' role.
Each site has for example two (2) web analyst. If we don't want to bother a Piwik administrator with management of users with 'view' permissions for every site, we need a user with 'admin' privileges for every site we track inside one Piwik instance .
So far, so good ... we can do that and set up three different user accouns with 'admin' role - one for every website.
The problem is, that every user with 'admin' privileges sees all users which are configured inside one Piwik instance - including one with 'super admin' privileges.
And that is not ok. We need more "granular" privilege system which would allow a 'site admin' to manage only users for his website on his own - without interfering with users of other website inside the same Piwik instance.

[mattab]

Note:

• The main reason that "Admin" users can see other users, is because "Admin" have permission to grant other users "View" or "admin" permission on any of the website for which they are admin.
  • we probably would need to remove this feature if we wanted to hide other users in the Piwik for a "admin" user

[mattab]

Proposed solution:

• As a user with admin permission on one or more website, I want to assign view or admin permission to another existing user in Piwik. Clicking on Administration > Users > Manage access, for the website I have admin permission, users with some view or admin access are listed (Super Users and users without access are not listed).
  • below the table is a + icon with text: Invite a user to view reports for $websiteName
  • on click, an input field username or email is displayed and focused. I can type a username and click "Invite" or so.
    • if user does not exist, error message is displayed eg. User was not found in this Piwik server. You may try again to invite someone using their username or email address.
    • if user exists, user is assigned view permission to the website (or All websites if it was selected in selector).
  • such invited user is now displayed in the list of users who have view access
  • if I want this user to be admin I can then simply click the admin button.

Notes:

• Check that all UsersManager APIs (and possibly others) returning any or all usernames,
  • when a Super User requests API -> will only return all users.
  • when a admin user requests API -> will only return view and admin users for the given website.
  • when a view user requests API or for anonymous user -> should not list any other users

what do you think?

[mattab]

This issue can lead to sensitive data leak (usernames), which is not expected as a Piwik user, because we aim to live to high standards of privacy and engineer products in this way

Moved into 2.15.1 👍

[tsteur]

when a view user requests API or for anonymous user -> should not list any other users

Should return maybe the own user ?

when a admin user requests API -> will only return view and admin users for the given website.

There is often no website given. Possibly we should check for which websites the user has admin access, and return all users that have view or admin access for these websites