Upcoming Permissions changes: Schemes, Roles, Guest Accounts, Channel Permissions



Mattermost has been working on some powerful updates to the permissions system based on requests from our community and customers. Starting with v5.0, shipping June 16th, we will begin to roll out new permissions features.

Why the change?

Since the introduction of the Policy page in the System Console (available in E10, E20), we have received requests for more granular control over the permissions in Mattermost. The best way to meet these requests was an extensive overhaul of the permissions system to use a modified version of RBAC (role-based access control) that will offer Admins full control over assigning permissions to specific roles in teams and channels, or across the entire system.

What features does the new permissions system support?

  • Team Schemes (Available in E20 with v5.0): This interface will allow Admins to define the default set of permissions for the system and then override the defaults in specific teams, if required. Permissions manageable with schemes will include:
    • Team management: Restrict creation and managing team member permissions
    • Public and Private Channel management: Restrict creating, deleting, renaming, and managing member permissions.
    • Post management: Restrict editing, deleting and reaction permissions.
    • Integrations and Customizations: Restrict permissions to manage OAuth apps, slash commands, webhooks and custom emoji.
  • Guest Accounts (Available in E10, E20): Users who only have access to specific channels and direct messages with a limited set of team members.
  • Channel Permissions (Available in E20): Allows Admins to edit permissions within specific channels. Permissions under consideration for this phase include:
    • Read-only Channels: The ability for Admins to turn off posting in specified channels.
    • Restrict Channel Mentions: Turn off the ability for users to post channel-wide mentions (@-all/channel/here) in specified channels.
    • Channel member management: Restrict adding and removing channel members to Admins only in specified channels.
  • Supplementary Roles (Available in E20): Allows Admins to grant additional permissions to specific users, or to a group of users based on AD/LDAP group membership.

When will the permission features be available?

We are rolling out the permissions updates in phases over multiple releases. Our anticipated timeline is:

  • Phase 1 (v4.9, April 2018): Backend work already implemented. No visible changes for end users or Admins.
  • Phase 2 (v5.0, June 2018): Permission Schemes.
  • Phase 3 (Q4 2018): Channel Permissions and Guest Accounts.
  • Phase 4 (Q1 2019): Supplementary Roles to grant individuals extra permissions.
  • Phase 5 (TBD): Supplementary Roles that can be synced with and granted to AD/LDAP groups.

What should I expect with the upgrade to v5.0?

After upgrading to v5.0, the jobs server must run a migration script before you can access the new scheme functionality. Once the migration is complete, you can access and edit the System Console > Permissions Schemes page. For all Enterprise servers, permission settings previously defined in the System Console > Policy page, along with various other permissions settings in the System Console (including team creation, restricting management of integrations to Admins, and restricting custom emoji creation), have been moved to the Permissions Schemes page.

We highly recommend backing up your database and enabling the jobs server before upgrading to v5.0.

Are there any changes to Team Edition?

Team Edition servers will see no changes from the permissions updates. However, Mattermost server v5.0 brings other exciting updates, including a Gfycat GIF picker, support for longer posts, combined join and leave system messages, and much more.

Where can I offer feedback or additional requests for permissions changes?

We would love to hear feedback in the comments, or you can join us in the Advanced Permissions channel on pre-release, our nightly build server. For Admins who are interested in getting a preview of the upcoming permissions user interface, we are looking for candidates for user testing.