DRAFT: plone_sudo #4068
Labels
Comments
|
@loechel +1 from me. Do you have something in mind like https://github.com/collective/collective.impersonate? We are about to make this add-on compatible with Plone 6 and Volto soon. cc @davisagli |
|
@tisto This is not the same feature as collective.impersonate. collective.impersonate lets a superuser temporarily log in as a different user (for troubleshooting). This PLIP lets a non-superuser temporarily perform some actions as a superuser after completing additional authentication. It's like the feature in Github which prompts for a 2-digit code before performing some admin actions. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
PLIP (Plone Improvement Proposal)
Responsible Persons
Proposer: Alexander Loechel (@loechel)
Seconder:
Abstract
Plone has a set of predefined roles, including a website-adminstrator / admin that has almost full rights on a Plone installation. In larger Plone Setups user-managment is handled via an external Identity Management System and Authentication System, therefor also the Administrator are normaly ussing this SSO-Mechanism and barely use dedicated admin-Accounts.
Plone_sudo aims on downgrade administators to normal users in normal usage of the Plone as a logged-in user navigating and editing content. Access to plone_control_panel and other more security relevant elements should require a privilege elevation with another authentication flow, best with a Multi-Factor-Authentication.
Motivation
Assumptions
Proposal & Implementation
Deliverables
Risks
Participants
The text was updated successfully, but these errors were encountered: