Managing multiple domains and user access

I have multiple domains on my account and would like to be able to provide users full access to only certain domains while, of course, maintaining my "superuser" access to all domains. In other words, this is for the simple situation where I want to set up a domain for a friend or client and give them pretty much full control of that domain and that domain only.

I figured that this should be easy but after fumbling around in the dreamhost panel and then searching through the forums, I find that it is not at all simple. I would think that this would be a very common need so I would like to pull together folks ideas about the best options for implementing this setup, boil that down, and perhaps request that a simple summary get added to the knowledge base.

From what I've gleamed from the forums, this looks to me to be the best appoach:
* Create a new user first and then create the new domain under that user.
* Give that user administrative privileges for their domain.

The main downside I see for this approach is that there is no easy way for me to have "superuser" access to this users domain.

The approaches I've seen for giving user access to one of the domains under my user do not look very promising to me. For one, there is no simple way to give them ftp and shell access to just that domain. I guess I could give them administrative access to that domain by giving them an email address and then giving administrative privileges to that email address for that domain.

Other ideas? Remember, one of my goals is to keep the set up as simple as possile.

I've only messed with this a little, but here's my (possibly wrong) impression.

Good luck improving the kbase, btw. Confusing factors include the multiple "user" categories: (1) WebIDs and privileges, and (2) UserIDs and permissions (including groups). I've had some success just setting up separate UserIDs and user groups under my main WebID, with "shared" files/directories being in a group having more than one user.

Naturally, DH benefits most if your friend(s) get their own independent hosting account(s) (WebIDs), and increase DH's revenue, rather than just making a side deal with you to rent out a piece of your space. Then, if your friend wants your help, they can just give you their user account temporarily, or create another user for you, and they take the security risk. Of course, in that case you also get a referral and 10% of the friends' payments (and 5% of their friends'). :-) If they don't want or can't handle that, then maybe they should just pay you to do the whole thing anyway. Creating a limited user for them, without admin panel privileges seems like another good way, which should limit them to one domain, but then they can't create email aliases, etc..

In reply to:
For one, there is no simple way to give them ftp and shell access to just that domain.

It seems that if you have a user account, you can look at whatever you can find, but you can't change anything unless you own it (or are in the group with write permission, which you won't have with consistent 755 permissions...).

Good luck,

BobS

> I would think that this would be a very common need ...

Oh yes, count me in. :) I too THOUGHT it would be quite logical to assume this super-user/sub-user configuration but was actually told that "nested permissions" were at least not encouraged. Really confused.

Amen, at least from my perspective as web-grunt for a nonprofit. Public sites, member sites, forums, gallery, directories, and so on...I see no practical way to share or delegate responsibilities. I was able to set up a single user to co-update a single page -- and that relies on a third-party file manager (and all the lovely 777 permissions those seem to require).

In reply to:
From what I've gleamed from the forums, this looks to me to be the best appoach:
* Create a new user first and then create the new domain under that user.
* Give that user administrative privileges for their domain.

This is already pointed out in other replies, but ...

In order to give someone administrative privileges, they need a Web ID, which is not the same as the user id for ftp/shell/mail etc.

There is no "superuser" available. You would need to login as the ftp/shell user in question in order to manage their files, etc. You can use the web panel to retreve their ftp/shell user details.

Also, when creating a user, they get their own mailbox. In order for that mailbox to be set up for the domain for that user,
1. create the domain first
2. create the user
3. edit the domain to be located in the user directory instead of yours

Otherwise when creating the user, his mailbox would be tied to a domain that existed before theirs.

cool Perl / MySQL / HTML+CSS

> ... "nested permissions" were at least not encouraged. Really confused.

May I elaborate a bit here: when you create a new user under one of your domains, your control of that domain will then be lost. This doesn't sound very logical I must say. In other words, you can only "give away" control but not "delegate" it; and this alone is in itself so different from what we have all learned about management and organization.

Managing multiple domains and user access