Hi there! We have a Mattermost server, and noticed that any member (not a system admin or team admin, just a member) can manage members in any channel. How can we fix this and allow only system admins / team admins to manage members?
Are you referring to the “Manage Members” link in the Main Menu or the “Manage Members” link below the Channel Members list in each channel?
Yes. But not only the “Manage Members” link, also the fact that each member can remove someone from the channel:
I believe currently the only way to do that is if you have Advanced Permissions enabled (it is an E10 and E20 feature) - more information here: https://docs.mattermost.com/deployment/advanced-permissions.html#system-scheme-e10.
I think this is a bug, isn’t it? According to the documentation only Team Admins and System Admins can manage members. (https://docs.mattermost.com/help/getting-started/managing-members.html)
The “Manage Members” link on your screenshot is different from the “Manage Members” link under Main Menu > Manage Members. The one on your screenshot is specific to channels, which is accessible to all users, and the one under Main Menu > Manage Members is specific to Teams and is accessible to Team Admins and System Admins (which the document is referring to). Does this help clarify things? Let me know if I can help clarify it further!
Maaaybe you are right, these are different links. But what do you think: is the fact that any member can remove someone from any chat a good idea at all? This is a basic delineation of access rights; this should be prohibited for members.
Also, when someone does this, it’s not clear who did it.
Restricting that permission can be done with Advanced Permissions (E10 and E20 feature) - I posted a link to the document with more details in one of my previous messages.
Also, I have passed along your feedback on the System message ("[user] was removed from the channel") to our UX team.
Alright, thank you. We aren’t planning to take E10 and E20 at the moment. But if the devs think it’s normal and that ordinary members may have administrative powers, then it at least makes sense to show who deleted the user in that system message.
To a certain extent, I agree with @0xSheff in terms of having some sort of audit / log entry to show the following information for clarity (public & private channels):
- User(s) who removed other user(s)
- User(s) who get removed
Quite an important feature to have for Mattermost, even for the Team version.