Allow Linux groups to be owners for List Accounts
Hello,
Let me start with me describing our initial intent. We host a WHM environment that multiple people log into. These people have different company roles and only need access to certain services within WHM. As of now, the people that need access to WHM log in directly with root. This is what we are trying to avoid.
We found cPanel documentation for adding a WHM reseller account without an associated domain. This works great when giving service functions to accounts, with one exception. We cannot limit which Reseller user can see in regards to specific List Accounts. As of now, we have 2 test accounts in our WHM console, uriah and trent.
Is there a way to create a Linux group, say 'webdev', and add uriah and trent to this group and tie it to certain list accounts?
This is what we have tried:
Manually add a group called webdev and add uriah and trent to this group.
getent group webdev displays: webdev:x:1157:uriah,trent
Manually configure a test list account wildricedirect by doing this:
vi /var/cpanel/users/wildricedirect
Changing OWNER=root to OWNER=webdev
(PLEASE NOTE: the above step worked for me if you just want to change it to a single account, like OWNER=trent but it does not work when working with linux groups.)
Run /usr/local/cpanel/scripts/updateuserdomains
This updates the owner in the list account section for wildricedirect, however the group does not apply to trent or uriah's list accounts section in WHM.
Please feel free to ask me any questions or thoughts to what I am trying to accomplish.
Respectfully,
XXXXXXXXXXXX
========================================================
David Hertenstein
Hello,
Thank you for contacting us today! I apologize for the delay in our response as we are working through an elevated ticket load at this time.
While cPanel does use the system-level users for authentication and integration with the base OS, the definition of a Reseller user is exclusive to cPanel and does not use the Linux user/group system to accomplish this.
In order for an account to be displayed in the "List Accounts" for a Reseller user, the user must be the cPanel account's owner. This is why you are able to change the OWNER in the userdata to the "trent" user, and the account began to display in this user's List Accounts tool. However, an account can only be owned by a single reseller user, meaning you would only be able to set this account's owner to one of the reseller accounts you created.
There is currently no alternative at this time to provide a Reseller that is able to list specific accounts such as this, or have multiple resellers list the same accounts. If this is a feature you would like to have implemented, I recommend submitting a Feature Request. The following provides information on this: How to submit a feature request
As a potential solution, it would be possible to instead have a single "webdev" Reseller user that is assigned as the owner of the accounts they manage. These users would still be able to access WHM as this user, and the features within WHM can be limited to the features that they require.
I also recommend the following article for information on changing an account's owner in WHM, as this is the recommended way to perform this action: How to change the reseller ownership of one or many accounts
I am confident the knowledge shared in the above article will guide you towards solving the issue you have outlined in this request. Would you please review the article and let me know if you have any outstanding questions or concerns? It’s been a pleasure working with you on this issue, and I hope you are satisfied with the experience!
Regards,
David Hertenstein
Linux Technical Analyst I
cPanel, L.L.C.
You can help us provide you with rapid and accurate support by sharing step-by-step instructions to replicate the issue.
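Added example, not part of the original thread and not cPanel's own code: a small audit of the single-owner rule described in the reply above, flagging any account whose OWNER is a Linux group name (such as webdev) or is missing, instead of root or a reseller. The sample file contents, the ACL names and the "name:acl,acl" reseller-list layout are assumptions constructed for illustration.

```python
"""Audit cPanel account owners: root or one reseller, never a Linux group."""
from collections import defaultdict

# Constructed sample data, not from a real server. KEY=VALUE user files with
# an OWNER= line follow the thread; the "name:acl,acl" reseller-list layout
# (as in /var/cpanel/resellers) and the ACL names are assumptions.
SAMPLE_USER_FILES = {
    "wildricedirect": "DNS=wildricedirect.example\nOWNER=webdev\n",
    "shopsite": "# comment line\nDNS=shop.example\nOWNER=trent\n",
    "blogsite": "DNS=blog.example\nOWNER=root\n",
    "orphaned": "DNS=orphan.example\nPLAN=default\n",
}
SAMPLE_RESELLERS = "trent:acl1,acl2\nuriah:acl1\n"

def parse_owner(text):
    """Return the OWNER value of one user file, or None if absent or empty."""
    owner = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        if key == "OWNER":
            owner = value.strip()  # in this parser the last OWNER= line wins
    return owner or None

def parse_resellers(text):
    """Return the set of reseller names from 'name:acl,acl' lines."""
    return {ln.split(":", 1)[0].strip() for ln in text.splitlines() if ln.strip()}

def audit(user_files, resellers_text):
    """Return (owner -> accounts, account -> problem) for the given files."""
    valid = parse_resellers(resellers_text) | {"root"}
    by_owner, findings = defaultdict(list), {}
    for account, text in sorted(user_files.items()):
        owner = parse_owner(text)
        if owner is None:
            findings[account] = "no OWNER value"
        elif owner not in valid:
            findings[account] = f"OWNER={owner} is not root or a reseller"
        else:
            by_owner[owner].append(account)
    return dict(by_owner), findings

if __name__ == "__main__":
    print(audit(SAMPLE_USER_FILES, SAMPLE_RESELLERS))
```

The owner-to-accounts map it returns doubles as a least-privilege review of which single login can see which accounts in List Accounts.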
Jeremiah,
Thanks for the feedback. Before I speak too much to your offered solution, I'm trying to get to the root of the issue here and the more I'm reading this, it seems like you'd like the ability to have multiple logins that can access a select number of accounts for management purposes.
WHM Admin A can access trent and uriah in list accounts
WHM Admin B can access uriah only in list accounts
Does that sound right?
Correct.
As stated before, there can only be one owner to a list account. We have multiple web developers that only need access to certain list accounts. A majority of these list accounts need to be accessed by multiple people, but not everyone. We don't want multiple people logging into the root account.
Jeremiah,
Awesome information! So looking at this, I wonder if you're familiar with our external authentication setups? While it isn't specifically designed for it, it allows you to create a specific account (say resellerB), and then you can use one of our many External Authentication (whmcs, slack, paypal, google, facebook, cpanelID, Amazon) providers to do the logging in (or even set up your own OIDC server). While it does require that they have a password at the initial login, it gives you the ability to rotate out that password after you give them initial access, and then they continue to log in through that provider in the future. As an example, I set up Google as an authentication provider and was able to log in with two separate Gmail accounts to the same login. Let me know if this would be a good interim alternative to solve your needs.
Dustin Scherer (he/him) | Product Owner | @dustinscherer