Hi, I am testing out the Team Control Extension. I don’t think it’s working properly:
I have created a new user role with certain permissions. They should not be able to access the WP-Admin but the button on the bottom left of the screen is still there and they can access the wp-admin.
Inside the WP-Admin, when I am logged in as this user that is meant to have account restrictions, I can’t change the user role in the WP-Admin for this current user BUT I can change user roles for other users (such as the main site’s admin account).
It does look like some other settings in the Dashboard are working OK, such as limiting plugin changes (disabling and deleting).
I have disabled backup deleting and restoring for the user but they still seem to be able to delete the backups (I’m using UpdraftPlus).
Please let me know what I’m doing wrong here. Also, when a user logs in to the wp-admin, is there a way to bypass the wp-admin and send them directly to the dashboard? Having access to the wp-admin is not ideal for security reasons for certain user roles.
The Team Control extension is specifically designed to manage permissions only inside the MainWP Dashboard interface. It is not designed to manage permissions in WP Admin. For something like this, you will need to install additional role/permissions tools and update the newly created role.
But it should prevent a dashboard user from accessing the WP-Admin if I have enabled this option, right? At the moment, even with the option to disable WP-Admin access, the new user can still access the WP-Admin and can change the site administrator’s role; this is a huge security issue. The weird thing is, though, that they cannot change their own role from within the WP-Admin user settings… Let me know if I am not understanding this right.
This specific permission doesn’t refer to WP Admin of your Dashboard site, this refers to WP Admin on your Child sites. To be precise, if this permission is not allowed, your team members won’t be able to use the Jump To WP Admin link:
On this note though @bogdan, how hard would it be to add an option in the Team Control extension to remove any button/link to the Dashboard’s WP-Admin for specific user roles? Essentially removing the button from the bottom of the left menu to access the WP-Admin (and anywhere else a link to the dashboard is shown). This would give me the confidence that any user I add to my MainWP with that specific role will be limited to accessing the MainWP Dashboard only and not the WP-Admin?
Please keep in mind that security through obscurity is not recommended. You can remove all the links, but when a user just goes to /wp-admin/ they get to the dashboard after all. So if you want to prevent access, you really need to block it.
Plugins like User Role Editor or Adminimize can probably help you.
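
The difference between hiding the link and blocking access, as an added example that is not part of the original thread and is not MainWP code: a small must-use plugin that removes the user-management capabilities from the restricted role and refuses every wp-admin screen except an allow-list. The role slug `mainwp_team_member` and the page slug in `ALLOWED_PAGES` are placeholders assumed for illustration; replace them with the values from your own install.

```php
<?php
/**
 * Plugin Name: Restrict WP-Admin for a team role (added example)
 * Placeholders below are assumptions, not values taken from MainWP.
 */
const TEAM_ROLE     = 'mainwp_team_member';            // hypothetical role slug
const ALLOWED_PAGES = array( 'your-mainwp-page-slug' ); // placeholder page slug(s)

// 1. Remove user-management capabilities so WordPress itself refuses role
//    changes on other accounts, whether or not a link to the screen exists.
add_action( 'init', function () {
    $role = get_role( TEAM_ROLE );
    if ( ! $role ) {
        return; // role not created yet
    }
    $caps = array( 'list_users', 'edit_users', 'promote_users',
                   'create_users', 'delete_users', 'remove_users' );
    foreach ( $caps as $cap ) {
        if ( $role->has_cap( $cap ) ) {
            $role->remove_cap( $cap ); // persisted; only written when present
        }
    }
} );

// 2. Block direct requests to /wp-admin/ for this role. Only admin.php
//    requests whose ?page= value is allow-listed are let through.
add_action( 'admin_init', function () {
    global $pagenow;
    $user = wp_get_current_user();
    if ( ! in_array( TEAM_ROLE, (array) $user->roles, true ) ) {
        return; // other roles are unaffected
    }
    if ( wp_doing_ajax() ) {
        return; // admin-ajax.php handlers enforce their own capability checks
    }
    $page = isset( $_GET['page'] )
        ? sanitize_text_field( wp_unslash( $_GET['page'] ) )
        : '';
    if ( 'admin.php' === $pagenow && in_array( $page, ALLOWED_PAGES, true ) ) {
        return;
    }
    wp_die( 'You are not allowed to access this page.', 'Forbidden',
            array( 'response' => 403 ) );
} );
```

To check it, log in as a user with the restricted role, request `/wp-admin/users.php` directly, and confirm the response is a 403 rather than the user list.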