Set permissions
Manage server access permissions for users and groups in Alpacon.
Permission model
Alpacon permissions work at two levels:
1. User roles (Workspace level)
| Role | Permissions |
|---|---|
| User | Access assigned servers, edit own profile |
| Staff | Manage users/groups, some workspace settings |
| Superuser | All permissions, full workspace control |
2. Server access permissions (Group-based)
- Assign groups to servers
- All group members can access the server
- Users can belong to multiple groups
Set user roles
How to change:
- Select user in IAM > Users
- Click Edit
- Change Role
- Click Save
Required permission: Staff or Superuser
Details: Manage users
Configure server access
Access control via groups
Step 1: Create groups
Step 2: Add users to groups
Step 3: Assign groups to servers
Set individual server permissions
- Select server in Servers page
- Click Edit
- Select Assigned groups
- Click Save
All members of selected groups can access the server.
Feature permissions
Websh (Terminal)
Terminal access to servers assigned to group:
- Login as IAM username
- sudo access available
WebFTP (File management)
File upload/download to servers assigned to group:
- Access user home directory
- Access other directories based on permissions
MFA required actions
Configure MFA for these actions in workspace settings:
- Use Websh with root privileges
- Use WebFTP with root privileges
- Execute deploy shell
Configure: Workspace settings - Authentication
Permission examples
Example 1: Development team server access
Group: developers
Members: user1 (User), user2 (User), user3 (Staff)
Servers: dev-server-01, dev-server-02
Assigned groups: developers
Result: user1, user2, user3 all access both serversExample 2: Production server restriction
Group: senior-engineers
Members: user3 (Staff), user4 (Superuser)
Server: prod-server-01
Assigned groups: senior-engineers
Result: Only user3, user4 access production serverPermission inheritance
Multiple group membership:
- If user belongs to groups A and B
- Can access all servers assigned to A and B
Roles and groups:
- Superusers access all servers without group assignment
- Staff access only servers assigned to their groups
Security best practices
Principle of least privilege:
- Grant minimum required permissions
- Regularly review and adjust permissions
Use groups:
- Manage permissions via groups rather than individual users
- Separate groups by environment, project
Limit Superusers:
- Keep Superuser role to minimum
- Grant only to trusted administrators
Audit logs
All permission changes are logged:
- Who changed permissions and when
- Which user/group permissions were changed