Oct 2021

Hi,

I just upgraded rocketchat to the latest version (was limited to 3.15.0 previously) and my user account did not have access to the admin-pages inside rocketchat.

As I do have a “backup” admin user configured, I was able to fix this by granting “admin” role to my own user inside rocketchat.
I did, however, notice the following line in the rocketchat window while logged in using the native admin account:

Please notice that after the next release (4.0) advanced functionalities of LDAP, SAML, and Custom Oauth will be available only in Enterprise Edition and Gold plan. Check the official announcement for more info: https://go.rocket.chat/i/authentication-changes

Checking further into this, I noticed the following changed when using OpenID and the community version is missing these features:

  • Assign Rocket.Chat roles based on OAuth roles
  • Join channels automatically based on OAuth roles

Is this something that can be resolved easily? Or do I need to assign the roles manually in rocket-chat per user?

Many thanks,

Joost


Hi Joost.

But that was the case before, wasn’t it?

An RC “local” user?


Some more Information about this:

Recording for the discussion with Rocket.Chat’s community around the upcoming changes to Rocket.Chat’s identity management integrations:

The topic in their forum:

Release Notes:


Specifically:

We “inject” the OAuth connection into the Rocket.Chat DB during installation. Also works with 4.0.0 installation :slight_smile:


I have just tested an upgrade from 3.15.x to 4.0.5 again. I (EGw admin, first RC user) can also open the administration from the menu in 4.0.5.

I also added a user to the admin group in an old installation with RC3.15 and looked it up:
He does not automatically get admin rights in RC.

So my question again: Was it really different with a (your) 3.15?

Stefan

Stefan,

Quick answer:
In 3.15, an EGW-user in the EGW-Admin-group had admin-rights.
In 4.0.5, an EGW-user in the EGW-Admin-group does NOT get admin-rights automatically.

My “backup” user is a RC-local user. Without that, I would not have had access to the admin-pages at all.


Joost

That’s exactly what I can’t reproduce in my installation.

Perhaps @RalfBecker can say something about this.

Stefan

Strange.
I am 100% certain my user had access to the admin pages in RC.
After the update, I no longer had access.

Only other thing I can think of (but can no longer confirm) is that my EGW-user was part of the RC-admin role and the upgrade removed that.

Did you have a backup/image from before the upgrade to check?

Stefan

Sorry, not of the RC-database.

Let’s close this and put it down to some weird config-difference on my end?

I would quite like to know if the admin group members can/should/must also automatically be RC admins. Maybe that’s exactly what doesn’t work for me and you actually no longer have the function with RC4.

But it’s actually @RalfBecker’s turn to say something about it.

Please leave it open.

Stefan

There is an RC feature which should allow exactly that: role sync

Unfortunately it has been broken for years: if you enable it and talk to the RC API with OAuth, all roles get removed:

So far I have not been successful in getting RC to have a look at that bug :frowning:

Ralf

Guess it was working when I initially configured it and only at the latest upgrade the role-assignment disappeared…
Oh well, manually fixing it using the RC-admin user fixed it for me