cPanel & WHM Version 114 has been released, and brings a slew of great updates. Take a look at what is included, and then upgrade today!

Multiple cPanel Logins (cPanel Subusers)

Nathan Lierbo shared this idea 11 years ago
Completed

Support For cPanel Subusers


Small cPanel account owners may want to delegate specific tasks to be performed by somewhat trusted individuals but without full access to the cPanel interface. Reasons for this can include the following hypothetical situations:


- Small Businesses having a secretary, giving the secretary access to just creating and removing email accounts but not to editing the company's website.

- Web Designers that guarantee their work not wanting their hosting customers to re-code their website themselves then accuse the Web Designer of poor coding.

- A Small Business Owner that wants to delegate full access to the cPanel interface to a contractor, but be reliably able to revoke that access in the event that contract is terminated.


The features available to these subusers should be filtered using a utility identical to or very similar to Feature Manager and Feature Lists.


Subusers (which would very likely be virtual users) would have a login of username@domain similar to FTP virtual users and Email virtual users. The ability for matching user capabilities such as SFTP access could eventually be accommodated by features already being worked on like version 11.34's Pluggable Authentication.


Original thread: http://forums.cpanel.net/f145/multiple-cpanel-logins-cpanel-subusers-case-44353-a-77145.html

Best Answer
photo

We have great news!

The full release of the new Manage Team feature is available in cPanel & WHM version 112. This feature allows cPanel account owners to create team user accounts so that multiple people can access, administer, and work on a single cPanel account without the security risk of sharing credentials. Look for more details on our cPanel Community Forums soon!

If you have additional questions, feel free to reach out on one of our social channels.

Replies (120)

photo
10

This is a feature that our customers keep requesting, be it to manage FTP accounts, e-mail accounts or access PhpMyAdmin securly there are lots of cases when this is necessary.

photo
4

Same thing here. It is a very important feature. My only reason to leave my current hosting, I can't outsource the jobs!

photo
7

Another common request is users asking for PHPMyAdmin access. Site owners want to give their developers access here but not the keys to the entire panel. I assume the "feature list" that was proposed should cover this but wanted to mention it anyways.

photo
3

I can't believe this isn't a feature yet. There must be another request somewhere that has more votes than just 1!

photo
6

We use CPanel in an academic environment and having this ability would be a HUGE benefit for departmental users with varying levels of web resource needs. Currently we use RVSkin to achieve this, but the management overhead it adds to CPanel is quite considerable. We would much prefer a CPanel native solution.

photo
4

Any update on when this is likely to be accepted ? The original thread in the forums had huge support over a period of six years so what more is needed to get this accepted ?

photo
2

This is absolutely necessary! I've been using cPanel for every project my company has ever done for 10 years but without this feature I will be switching to other solutions!

photo
2

I think this granular control over user privileges and sub-users of a cpanel user is needed and in the very increasing shared responsibility era this is becoming more common place where delegation of tasks occur but the philosophy of least permissions is still the norm.

photo
5

So this is a feature that have being requested since 2008 and here we are 6 years later still waiting for it.


Are you guys ever going to do it or may you at least tell us NO we will not do it so that we can stop waiting for it?

photo
2

I am VERY much in need of this for the auto-responder feature. It's odd that users can't create an auto-responder without logging on to cPanel. I would love to be able to have a user account they can use that doesn't give them access to everything.

photo
2

Still waiting and wondering why this is not a key feature already ?

photo
4

Even WHMCS has added this feature to their software. It seems like cPanel could start to lag behind on todays trends regarding authentication options if we can't get this feature pushed through soon.

photo
2

It would be a great add-on to have this feature added. Thank you

photo
2

Yes, that's a customer wise feature!

What do you think cPanel?

photo
2

Looking for this sort of feature so I can have multiple developers working on a site via the tools in cPanel.... looks like cPanel can't do this so ill have to go elsewhere....

photo
1

Double post

photo
1

This is one of the top feature requests that we get time and time again from our clients. Would love to see this become available soon (as in, this year).

photo
5

If this feature is added, it's important to also add auditing capability, too. (That is, the ability for cpanel to record/log all activity that is done by the logged-in cpanel user.) Otherwise, we will see no end of customers complaining about sudden changes to their cpanel account, when in fact it was done by one of their own cpanel users...


:)

photo
3

+1 this is essential. Cpanel is one of the only high level management apps out there without users => permissions => action logs. It logs accounts all day long, it should be the same for users. Other than that, its fantastic software. Thanks

photo
1

Agree! desperately need this!

For example, I want to allow a secretary to be able to reset/add/remove email accounts and nothing elsebut then i would like to give cpanel to their webmaster with full access to all features.

photo
2

It's a daily necessary feature...


If the first post is dated 1 year ago... when we can have this feature released?


Thank you

photo
2

I get requests for this from my client base regularly too. My client base doesn't generally need fine-grain controls, but they want to be able to share access. Having fine-grained controls would be icing on the cake.


Would be sweet if a developer could chime in on what the attitude/concerns/enthusiasm level in the developer pool is -- give us some idea if this is likely to get on the roadmap, etc.


Shout out to all the cPanel crew for the great product & all the hard work!

photo
1

We certainly think about this a lot. Ensuring the security of the system makes it a bit of a challenge...but we definitely understand that it's something people want.

photo
3

cPanelAdamF wrote:

We certainly think about this a lot. Ensuring the security of the system makes it a bit of a challenge…but we definitely understand that it's something people want.
No question security is important but others have figured it out, surely you can too. Good that you're thinking about it, but it's been seven years that people have been asking for this feature. As you say, people want it. Will you deliver?

photo
1

Enable/Disable feature for ftp users would be very simple solution

photo
1

I too would love to see this option. Perhaps anyone going to the cPanel Conference can ask when this might be coming?

photo
3

As has been said MANY times before, in one way or another:


"I cant believe, and am still waiting and wondering why, this is not a key feature already?"

photo
3

+1


"I cant believe, and am still waiting and wondering why, this is not a key feature already?"

photo
1

i cant open this link http://forums.cpanel.net/f145/multiple-cpanel-logins-cpanel-subusers-case-44353-a-77145.html .

Can u help me ? Because i need it now. thanks

photo
2

Greetings confy, the old Feature Requests forum area has now been deprecated. That old thread is of no use any longer, it was located in the old Feature Requests forum. The most up to date details on this Feature, are right here.


Thanks!

photo
2

This would be an incredibly useful feature of cPanel and shouldn't be too hard to implement really.


Please consider it as a priority in future releases.

photo
1

Does anyone have any suggestions about how to achieve this ? I've actually been thinking about how this could be done myself and haven't come up with a viable solution yet.


Would they use system usernames with the main username as a prefix ? or would they store usernames and passwords in a MySQL database ? If they use a custom mysql interface all the existing securty measures would need to be converted etc.


PHPMyAdmin access is now quite easy to achieve from a custom interface using the API but what about all the other options… everything is currently based on if the user has access or not to do things.


I too have customers who rearly want this, but I have to admit that it's going to take quite alot of thinking to implement :)

photo
1

If you decide to make this happen,


please make it in a smart and efficient way, allowing all subusers to have a subset of the account's allowed feature list, so the default cPanel user, can manage subusers and make a subfeature list, which will be able to include a subset of his own / allowed feature list...


thanks !

photo
1

monarobase wrote:

Does anyone have any suggestions about how to achieve this ? I've actually been thinking about how this could be done myself and haven't come up with a viable solution yet.


Would they use system usernames with the main username as a prefix ? or would they store usernames and passwords in a MySQL database ? If they use a custom mysql interface all the existing securty measures would need to be converted etc.


PHPMyAdmin access is now quite easy to achieve from a custom interface using the API but what about all the other options… everything is currently based on if the user has access or not to do things.


I too have customers who rearly want this, but I have to admit that it's going to take quite alot of thinking to implement :)

this could be done if you would code a sophisticated auto-login wrapper system and make it redirect to different template that restricts in template level the features allowed, but still, thats not a secure or pro solution, only cPanel could make this happen properly

photo
1

Chris Nagios wrote:

this could be done if you would code a sophisticated auto-login wrapper system and make it redirect to different template that restricts in template level the features allowed, but still, thats not a secure or pro solution, only cPanel could make this happen properly

This is exactly what the third-party tool RVSkin does to create sub-users.


It's an ok solution; we use it, but with all the engineering going on with the new Paper Lantern interface framework it is VERY disappointing there has been no discussion from CPanel whatsoever about sub-user architecture being baked in to it directly - for a more robust/secure solution.

photo
4

7 years waiting for this feature - at this point, coupled with the fact that the most common response from cPanel that we get is to point us to this feature request, I can only believe this feature is never going to come to light. The need for this feature has passed the point of being a contemplated option. This "IS" a feature that is absolutely necessary to accommodate today's website development needs. I've used cPanel since Nick developed it and because this feature is still not available I actually have no choice but to move away from cPanel. I absolutely never thought this day would come. Because it has come to this, and knowing the huge task in front of us in order to convert to a new system, and as I let the proverbial cPanel door hit me in the back as I leave, I just feel it necessary to post my disappointment in cPanel for not taking this feature request seriously and making it available.


Businesses worldwide hire website developers to build their sites, through CMS's clients are able to completely manage their content without needing any html or programming knowledge at all. With CMS's we have the ability to provide separate logins and control what users can access. This prevents mistakes being made which can corrupt a website, curbs the temptation for curiosity clickers, and so on. Numerous scripts are available to us, which enables us to lock down and tighten the security of our CMS installs. At a click of a button, "all" CMS installs can be updated to their latest releases instantly without having to log into each website separately, or we have the option to make a global setting to immediately update all installs automatically without any user interaction.


The "only" missing tool that we are unable to give our clients is the ability to manage their email accounts - add/delete email addresses, forwarders, auto responders, spam settings, email passwords, etc. for their employees. In order to give them this ability we have to give them full access to the control panel for their hosting account:


- this in turn not only gives them full access to mysql databases which powers their websites, but to everything else they simply do not need access to

- it gives them access to change their control panel passwords, which then forces us to have to change that password every time we need to access their control panels for maintenance and then send the new password to the client, its either that or enable Root access level to cpanel access, both of which are not options due to security.


We tried giving this access to clients and it turned into a complete nightmare ranging from deleted databases, deleted cpanel files, deleted ssl certs, edited dns, just to name a few. Yes we have multiple account packages created, but we would literally have to create numerous packages in order to disable/remove as many features as we can, and to still accommodate all the clients that design/manage their own sites, resellers that have their own clients, etc. However, the bottom line is, we would still have to allow access to sensitive features that are needed for the account, such as, and most importantly, mysql databases, account passwords, thus making it pointless in creating all those unnecessary packages in the first place.


The last response from cPanel "We certainly think about this a lot. Ensuring the security of the system makes it a bit of a challenge...but we definitely understand that it's something people want." and as another cPanel user pointed out "No question security is important but others have figured it out, surely you can too." …because others have done it, not only in other control panel systems, but even in CMS's that we've been using for many years without any security issues at all, I can only believe at this point that it is out of laziness, and lack of willingness to prioritize this much needed, and long over due feature, as being why cPanel has not made it available.


So that's my 2 cents worth. And before some of you want to jump to crucify me in defense of the cPanel developers, please bear in mind that I have been a loyal user of cPanel since near its conception and it is only due to wanting to keep my client base rather than lose them to a competitor that offers what most will consider such a minute feature, that has brought me to the decision of moving on. Do I believe that other control panels are better?...other than having this one feature…I absolutely do not and actually dread sacrificing features that are only important to us in order to afford this one, but obviously very important feature to our clients.

photo
2

Yes, with granular rights please.

photo
3

cPanelAdamF wrote:

We certainly think about this a lot. Ensuring the security of the system makes it a bit of a challenge...but we definitely understand that it's something people want.
It's been wanted for years and all I've ever seen is we'll consider it - if its not going to happen then it would be good if someone would state this rather than the usual generic reply.


The problem is that a lot of web developers I've found want access to cpanel but sometimes I feel a bit risky doing this - I had a web developer that started adding unwanted code into stuff once with access to cpanel they could do more damage.


The ability for not just user accounts but user accounts with different cpanel access alongside a main master account would fix this. It's something pretty simple.


If security is an issue you could add ways to authenticate people e.g. two step authentication.

photo
2

Paldrion wrote:

Yes, with granular rights please.
+1

In 2D, by scope of:

  • Delegation = admin / group(s) / self
  • Operation breadth and depth = All / module(s) / function(s)

The regular RACI stuff!

Can make for complications, but it is not without precedent.

photo
3

Sadly I had this feature on another hosting company and it was great to use. I believe its a greater security risk to be forced into giving out our main user and pw to subs then it is to add the feature on.

photo
2

I can't believe this isn't a feature yet.

Simple solution dissociate the cpanel login from the actual user Ex a user test on the server can be login by serveral users ex toto@test.com and restrict the acess to the interface only

the usergroup thing seems complicated could be better.

Could also create other problems / complications

photo
4

This is definitely a feature I would love to see.


1. Users may want to delegate limited access to their account. For example allowing someone to only manage email accounts or security settings. Right now our customers are sharing their main account, and then the person they shared it with decided they weren't friends any more and breaks everything (thank god for backups).


2. Giving my support operators full access to WHM seems over the top (not that I don't trust them, but the chance that something breaks is pretty big), it would be great if users could create a support sub-account (or have one automatically generated) for my operators to use.

photo
5

Please add the feature that so many people keep asking for, It's a shame that this has not been done yet, Don't estimate the total by simply looking at the number of people that have voted. They are way more. And it is going to help every single cpanel administrator

photo
4

As a CPanel sysadmin this is a glaring omission to an otherwise very well-rounded product. Being able to grant partial account access to users who only need to manage databases or email, for example, is increasingly going from a nice-to-have feature to an absolute must-have.


Hope to see this incorporated soon!

photo
3

Agreed. There's a lot of work arounds, like plugins for managing cPanel email accounts from a WordPress site, but what a house of cards.


If I tell my hosted clients that they can create new cPanel users & pick & choose what they have access to, that would make sense. Both WHM and Softaculo already have packages that can be assigned to cPanel users. If the primary cPanel could create users on the same domain and then pick & choose which icons are available, my world would be greatly simplified.

photo
2

I would agree more with options to split service between multiple accounts, for instance, having an account just for email services, another just for website etc.


This way we could even run email and websites on different serves, fulfilling both the need to delegate specific tasks and at the same time allowing is to increase redundancy and optimize servers.


It could also be a master login able to centralize everything from multiple machines, but that's more complex.

photo
2

I'm not cPanel user primarily because of lack of this feature. Many hosters use cPanel and I won't choose them in favor of small number of ones who provide multiple admin/manager accounts.

photo
3

"Any update on when this is likely to be accepted ? The original thread in the forums had huge support over a period of six years so what more is needed to get this accepted ?"


A quote that we left well over a year ago ! So, eight years and counting and in the last two years one small reply from a cPanel employee saying they are thinking about it.


CPanel ask for people to make suggestions and of course they cannot do all of them immediately but some feedback every now and again would be useful - the lack of feedback gives the appearance they dont care at all and stops people making suggestions

photo
2

"Any update on when this is likely to be accepted ? The original thread in the forums had huge support over a period of six years so what more is needed to get this accepted ?"


A quote that we left well over a year ago ! So, eight years and counting and in the last two years one small reply from a cPanel employee saying they are thinking about it.


CPanel ask for people to make suggestions and of course they cannot do all of them immediately but some feedback every now and again would be useful - the lack of feedback gives the appearance they dont care at all and stops people making suggestions

photo
2

This would be an amazing feature.


Sometimes I need to hire a freelance web developer to do certain things I can not do but I don't want to give them full access to my PHP framework.


I am able to limit their FTP access to the files, but they need to be able to access the database as well.


It would be great if I could add another user to the cPanel account, and then give them access to phpMyAdmin along with their FTP account.

photo
1

Double post.


Don't think this site likes Safari. It didn't clear my comment box, and my post didn't display on the page.

photo
2

Granular control over user access is an essential security requirement. It should be possible to select exactly which functions each user is able to control.

photo
2

This is absolutely essential. Along with this, we need detailed logs on which user performed operations.

photo
2

Clearly no one from cpanel is listening. This thread has been running for years and there hasn't been a move to address the issue.

photo
2

Lol. I find this a bit odd too. Why would the premier management console neglect to acknowledge theeee most obvious missing feature of all time? Is there something they are not sharing about their struct that makes this too difficult to accomplish? Is there something about CSRF tokens (that already exist for 1 user) that wouldn't work for sub-users too?

photo
2

+1 for this but... 2 years and still open for discussion? Hmmm... *lost hopes*

photo
1

I think it's actually been more like seven years with no action!!

photo
1

I think it's actually been more like seven years with no action!!

photo
2

Certainly as long as I've been using cPanel -- and that was about 2008 or 2009, I've been wishing for this feature; I don't really get it -- granular is a commonly supported thing, there are no computer science mysteries for how to get such a thing done, and while it may be architectually inconvenient, surely if you put it on the road map, at some point you will be able to evolve the product to the point where it's doable.


cPanel team, I don't ask for much, and I love so much about the product (I've had to support Plesk too; believe me, I'm generally very happy with the product, and commonly can be found singing the praises of the product!), but if you could give us some feedback on this one point, it would be lovely.


Thanks,

-Cedric

photo
3

As of late, I really would like to give out granular access to sub accounts, so they do not control my entire cpanel account and all of my domains.


We would love this feature to be at least commented on so we know we are being heard :) Its gotten over 200 votes! Come on cpanel...

photo
1

Hear that? It's the sound of crickets? That's all we're going to hear. C-Panel is clearly not interested in its customers concerns.

photo
3

First of all, it is called cPanel, not C-Panel. This also isn't the

place to

complain. This is the place to leave productive comments, and ideas for

this particular feature request. I'm pretty sure nobody will listen to

you if you don't know what to call the product you are bitching about,

however.

photo
1

People have been leaving productive comments here about a much needed feature for years. There has been no response from "cPanel." The complaints have only come in response to their silence. I'd be happy to hear from someone at the company who can speak to the status of this request.

photo
1

You and some other talk about these options like they are SUPER easy to add and develop ... if you think that then just develop new control panel in 1 week with all options you wish ...

photo
1

You and some other talk about these options like they are SUPER easy to add and develop ... if you think that then just develop new control panel in 1 week with all options you wish ...

photo
1

Who said anything about producing this feature in one week? People on this forum have been asking for a multiuser capability for at least seven years. This discussion group is supposed to be the place where users put forward ideas they'd like to see implemented. They've done so and they been met with silence. cPanel should just close down the forum if they're not serious listening to customers' interests.

photo
1

This is not the place to air your concerns regarding how cPanel maintains this system. It's taking it completely off-topic.

If you need to air a grievance regarding cPanel's response (or lack of!), try the forums. They're great for sparking user debate!

cPanel will deal with this as and when humanly possible. This request was opened 2 years ago and has had a cPanel response in the past. Head over to the forums and give them a nudge if you feel another response is due.

Have a good day everybody.

Peter.

photo
1

@Mr. Obby you seem to be taking a single issue here and assuming it's representative of the entire system. Plenty of feature requests here have been completed; I've watched them. This just isn't one of those requests. It's frankly embarrassing that such an obvious feature has been requested and un-acknowledged for so many years, but they are working on other things. I do think that this is a core feature set and should be a top priority over their Paper Lantern changes and EasyApache updates and all the other cool things they've been working on lately, but I wouldn't go as far as to say that they ignore this forum or should shut it down.

photo
1

@DanH42 It is quite representative, in my experience.


I subscribe to a number of 100+ requests and none have really gotten any traction or comment by cPanel. Of the feature requests which have gotten traction, they often have very few votes (read: single digits) - showing an internal process for deciding the merit of release features that has very little to do with any feedback on this site.


While the lack of attention for subuser support is baffling - it's no more so than distributing a version of Munin in WHM that is increasingly broken and was rendered obsolete in 2012 - and the feature request to touch that sleeping critter has deeper layers of dust than this one.


It's just the way they roll. :P

photo
photo
4

I'm sorry to leave my own "spam" reply, but good grief, I'm now getting spammed by replies to this topic.


cPanel obviously doesn't listen. We still use them because they're the only reasonable solution. So congrats on that, cPanel.


Meanwhile, thanks to the rest of you for spamming this topic with all this jabber. And yes, I realize the hypocritical nature of my own reply here. But I'm hoping that it'll quell future replies. I won't know because I'm unsubscribing from this feature request.


The other reason for this reply is just to express my irritation at cPanel for being so terrible at communication. That's 20th century thinking, at best. Features - at least things we customers see - come so slowly. The new theme is great - but why does it still take multiple page loads to get anything done? I should be able to add/remove things like mailboxes and forwarders on a single page without a stupid page load for "Are you sure?" and "Okay, I did it" and then clicking back to go to the list of things.


cPanel is amazing in many ways. And amazingly clunky in so many other ways.


Anyway, sorry again to spam up this thing with another reply like I'm complaining about, but I accept my hypocritical role - and apologize for it. Peace out. :)

photo
3

There's no update on a feature like this?


I'm actually surprised this wasn't built out long ago. It'd be such an essential feature for designers and developers working in teams. :)


Please implement this feature cPanel! Love what you guys are doing here.

photo
2

I think this would be fantastic.


Please implement it! :D

photo
1

I think this would be fantastic.


Please implement it! :D

photo
2

I think this would be fantastic.


Please implement it! :D

photo
3

Please implement.

photo
3

Please implement.

photo
2

This idea was shared more than two years ago.


Can we really expect this to be implemented?


I would love to have this feutured...

photo
2

This idea is great, especially for those who use XMLAPI

We can use a new user without losing the security we need

photo
2

As much as this would be useful, I have to play devils advocate for a moment. We need to remember that cPanel is only a management tool for linux servers; it works within the confines of how linux itself works. When you create a cPanel account, you are creating a linux user, who generally owns all of the files and data associated with said account.


There are not only logistical issues raised by that fact, but security ones as well. The actual files on the system which contain your email (for example) are owned by the same system user ID that owns your website files. If you give someone the ability to make only FTP accounts, or to access the document root to edit the website, they could pretty easily access your email among other things. Granting even limited permissions to a user could very easily result in them just working around that into areas you do not intend them to have access, simply because their actions could create, access, or modify files owned by the primary cPanel/linux system user.


Even if this were done by making multiple API users or something of that effect for a cPanel account, it doesn't take much access to API calls over an account to gain yourself access to the rest of the account. I cannot speak on cPanel's behalf, but this is what goes through my mind every time someone comments on this request. I can see the value in this idea, however, I cannot really think of any easy way to implement it functionally or securely without a serious overhaul of how cPanel handles permissions and ownership of files and directories on the operating system itself.

photo
1

Quizknows, if that's the problem, why doesn't cPanel just say so? Then we can all find another system to use. Why the silence?

photo
1

Plesk gives us this functionality on linux

photo
1

Plesk works fundamentally differently than cPanel does, especially from a file ownership perspective.

photo
1

Yes. I know but not much differently. Also Plesk offers such features which we are requesting to cpanel from long time like nginx support, dropbox backup support are major things

photo
1

Yes. I know but not much differently. Also Plesk offers such features which we are requesting to cpanel from long time like nginx support, dropbox backup support are major things

photo
2

Last time I checked (quite a few years ago) Plesk stored all passwords in plain text in their database. I'm not sure we want to follow their security model.


Plesk also stores e-mails outside user accounts which makes it easier to provide such functionality while making it not as good as cPanel in some ways too.


From our point of view it's not just a matter of limiting cPanel's interface, a website only user mustn't be able to access the mail directory.

photo
photo
1

We are looking into solving this by having a seperate server for e-mails. This way our customers can give access to the website management without allowing their webmaster access to their e-mails, or a webmaster can give access to his customers to manage their e-mail addresses without them being able to access the hosting.


If I were cPanel I think I would solve this by creating two cPanel users, if they were to allow the creation of a website only account and an e-mail only account on the same serveur it would solve the problem.


Admin user has a WHM accoun that can access both e-mail and website account. We will soon have this working by using seperate servers, the only issue that will remain is allowing an admin user access to both accounts as they will be on different serveurs. We plan to leverage cPanel's API to achieve this.

photo
3

As a general observation, I don't think anyone here is saying they consider this to be an overly simple or straightforward item to implement. It is simply that not having it somewhere on the roadmap is frustrating. For instance I just don't see how you can have serious conversations about OpenID logins, pluggable auth, two factor authentication, per-user customized PHP configurations while at the same time we have no supported method for deploying access control lists for what multiple users can do within an account space. Cpanel; We're seriously glad you are adding in-dash turn assist to this car, but... we desperately could use door locks. After all, OS user-permission abstraction isn't completely impossible - or resellers wouldn't exist.


Btw, @Monarobase, thats an inventive solution! And excellent points about the security ramifications as well. :D

photo
2

Glad to see this is In Progress now!

photo
1

Will multiple logins be one of the features you'll be testing?

photo
1

Some fantastic information today at the CPanel blog - anyone who is interested in this feature request should probably take a look:


User Manager and Unified Logins

http://blog.cpanel.com/user-manager-v54/

photo
1

Check out this blog post https://blog.cpanel.com/its-time-to-say-goodbye-to-x3/

New features will be paperlantern only starting with cPanel 54.

Because of issues with tranlations being different (making it diffiuclt to support customers not knowing what theme they had) and because of new features not being planned in x3 as well as x3 being removed in cPanel 58, we made the move last week to enforce paperlantern. We first switched all x3 users to paperlantern then disabled theme switching.


We havn't had any complaints so far and have had a few customers who hadn't noticed it say how nice it looks. We will be making a custom theme when paperlantern gets to the stage where it doesn't evolve so much.

photo
2

This feature is mainly required for giving the control panel to web developers. They need only access to ftp, filemanager, database and phpmyadmin. The owner dont want to give full access to developers. Currently sub account for ftp is available. This login should be extended to cpanel with access to atleast filemanager, database and phpmyadmin.

photo
1

That is correct. I may want my designer to have access to the file manager but not to the databases or email accounts. I bet this feature should have some UI similar to the one used for the Features Manager for Hosting Packages that you can see at WHM level.

photo
photo
1

I agree, I don't know why access to databases was not one of the options. We can manyally give a developper access to an ftp account, but not access to PHPMyAdmin without giving them access to the e-mail accounts.

photo
1

Multiple Cpanel Logins is needed to manage multiple development teams who need access to the Cpanel.

photo
1

I don't understand why an account admin can't be allowed to grant others access to cPanel with separate credentials and modified roles. It seems like this should be easy to implement. In the main cPanel account, have a user roles page. Create users with passwords of their own then grant them access much like the database priviledges. Be able to turn FTP, SQL, Email, Spam, Files, etc. on and off with a yes/no toggle button. This would allow business owners to have employees manage certain areas of their domain without creating security risks. When this topic first came out, I assumed this was what they were going to develop. What is in place now does not do anything beneficial for my clients.

photo
1

I can see a new .subbaccounts folder in the root directory of each cpanel user. Do this has something to do with this feature ?

photo
1

I develop and host websites. Recently one client asked to have access to cPanel. Then he decided to "taste" things and deleted an FTP account but also checking 'delete home folder' option. The whole site was destroyed in a click...


Really good to know I will be able to let my clients admin their e-mail accounts but not have access to more technical features.

photo
1

I know there are many use cases, but the one in my face right now is that I wish to be able to offer site owners access via cPanel to backup functionality (create and download), and nothing else. The reason for this is that there have been a few recent examples where web/hosting companies have shut down, leaving their clients without ftp access to their sites, or backups. So even if clients don't have ftp access, it would be reassuring for them to know that they can, at a minimum, create and access a full on-demand backup of their site.

photo
1

What is the ETA of this, its needed, a permissioning system is essential. This is especially true for client access, we have managed WordPress installs and ideally we want to give only specific access to clients for what they only need access to, but not root access like what the top level account creator would have. Please add this A.S.A.P it is a much needed feature.

photo
1

Hello cPanel-ers! As I understood it, this was possibly in the pipes for the v. 58 release - since dev is now winding down, did this feature make the cut? :D

photo
3

As no cPanel dev/community members ever weighed in with progress notes respective to 58 (sad face), I wanted to post a recent update from their blog for any folks here who may not be an active follower of cPanel's other communication outlets.

The 'Subusers' feature is now slated for items cPanel "hope to include this year". I would like to note that the 'Subusers' feature is also listed distinct from the elements they are touting for version 60 - so that would seem to suggest a chance it may be in release 62 or even later. But progress is being made!

More information is available at: https://blog.cpanel.com/development-update-cpanel-whm-version-58-is-coming-and-starting-version-60/

photo
2

Thank you John for sharing this update, and thanks to you and Scott for pointing out to me that we'd missed updating you all!

photo
photo
1

Hello, am I correct in understanding that existing functionality in cPanel 56 doesn't allow any of the initial request ?


I presumed before I tested it that I would create a user allowed to manage e-mail accounts. I created a new user for a customer to do this and all it seems to have done is create an e-mail account and hasn't created a subuser that can manage e-mail accounts.


I presume if I give this user FTP access it will just create a FTP user with the same login and the same with Web Disk.


Can you please confirm that cPanel has understood that the request here is to create users than can create and manage e-mail accounts, ftp accounts, mysql databases etc ? And isn't just a way of having the same password accross a single e-mail, ftp and webdisk account ?


I understand the initial version isn't complete, but I did think that the e-mail part of the request had been completed and it sadly doesn't seem to be the case yet.

photo
1

When will "v62" be released, when do you estimate?

photo
1

We're currently aiming for 3-4 month build cycles, We don't have an estimated time of completion for 62 yet, but we're aiming at 60 in 2-3 months. That would put 62 toward the end of 2016, or early 2017.

photo
1

Just had a client request this feature from us in a ticket - thanks for the recent update Benny was able to refer the client here :)

photo
photo
2

Hey everyone! Breaking radio silence here for a moment to let you know that this has been pushed off to version 64. The team that was working on this with cPanelChipW has been working on internal improvements and hasn't been able to get back to this yet. They are just as excited to be done with the internal work and get back to this as you are, and as soon as they can I'll make sure everyone know!

photo
4

The team that was working on this was not able to get to it in version 64, and won't be able to work on this for version 66 either. It seems like the earliest we will see this feature released is in version 68, which would be released around the end of September or beginning of October. It's still on the list of things we want to be able to do this year! I'll be back if anything changes, or if we're able to get to it any sooner!

photo
1

Hey all. I regret to have to bring bad news! We have had to shelve this request for now. It's still something we very much want to do, but other things have taken a priority over this. If you have questions or would like to provide further insight, feel free to send me an email!

photo
8

Hey all! I have a flurry of questions about this feature request so I wanted to let you know: It's still on our list of 'features we want to get to', but it's not yet assigned a version. As soon as we have anything solid, I'll be back to let you know!

photo
1

I don't know if this has already been said but it seems to me that a temporary quick fix to this issue (which is fairly fundamental and I can't believe it's not already happened) would be to simply limit the front end display, hiding and showing icons based on user privileges. I know this might not be ideal and more technically minded users might bypass that but most people won't. It would be enough as a starting point in my opinion anyway.

photo
2

I see two different needs for access: web developer giving access to users so they can configure email and check statistics without breaking anything; and accounts with additional domains that want to give admin access to those users. It could get complicated!

I think it's essential to decide who gets a "check email" button and who doesn't. In my view, not even the account owner should get this button, which essentially says "let's spy on my users email!". I know cPanel doesn't want to give a false sense of security, and there are means to access emails, but this is almost enticing people to (potentially) break the law.

photo
1

Me too. I have the same requirements from customers from time to time. Having a restricted access for the developer, and other for the IT guys configuring email accounts in their desktops, would be a great thing.


This feature should be implemented using similar permissions to what current Feature Manager allows you to allow or not from WHM. Only thing this should be an autocontained Feature Manager within the cPanel account. So, you would create a sub-user and then assign it the access levels you want. Afterwards you are able to delete this sub-user in the same way you can delete an FTP account, BUT without deleting the items that user created, so cPanel won't accidentally break things.

Also, if such a feature exists, there should be a log showing when did anyone logged-in and what UI screens accessed. Cause if you have a staff of people working in, you need to know who did the mess when the mess arises :-)

Hope you can make this true this year ;-)

photo
1

I disagree a bit on the removal of the "check email" button. While the potential for abuse exists, we have found it vital in several cases where non-technical customers were unable to configure roundcube/horde themselves for something they wanted to do and with their permission we would login as them to add an email filter/forward, etc on their behalf.

Further at least in the US, a work email address is not considered "private" and an employer can access an employee's email account without notice and/or court order provided it is for a legitimate business purpose.

As such for both of these reasons, the functionality is critical, even though like you mentioned, it is possible for someone to use it illegally (monitor a coworker/employee's email for personal reasons). Internal corporate policy is really the only way to ensure that it is not abused, as from a technical standpoint it is a needed feature.

With that out of the way, in the scope of the multiple cPanel login feature request, because of the sensitive nature of the "Check Email" function, there SHOULD be a way to control which additional users have access to use the feature.

photo
photo
2

I would like this feature so much for my clients.

Some of them need (restricted) access, let's say to manage mail accounts but restrict them to make new ftp users or to mess with settings that can screw up their website.

photo
1

The code is already dealing with feature access through the WHM Feature List.

All we need is for account owners to create users and assign the available features in the accounts to sub users.

photo
2

There is much more to it than that. cPanel uses linux PAM for authentication and then secures access using regular old school file system permissions. So cPanel would need to build a layer of abstraction on top of this where "sub users" would impersonate the primary user's account but with limited UI functionality. Once one of these "sub users" are given access to the file manager they would be able to bypass several different UI restrictions if they so wish.


Even if they did just graft this kind of an abstraction on top of the current system it would be a substantial amount of work. Otherwise they would need to completely redesign how cPanel user accounts work.

photo
2

I don't think is that complicated Anthony. Every sub-user may work as an "alias" so the real linux user is still used, only that when you login to cPanel using one of them, it just apply the "filters" specified in the feature manager for that sub-account. Am I so wrong? :-)

photo
4

We're getting pretty deep into potential implementation details that aren't really relevant here. The reality is that the feature isn't easy to accomplish and that anything we implement will need to be rigorously tested by our security team. If you have more use-cases to add, please feel free, but let's move away from a discussion of implementation tactics.

photo
3

Right, Yet, as this request is 6 years old, I understand people trying to drop into implementation.

Logically the scheme should be the same as WHM Feature List, yet they should be sub users to the main user.

They act as the "account user" for the server. But the interface is handled by the user:subuser configuration.

That would be a good start to handle customers that have NO idea how to handle DNS and subdomaines, but that needs to be available to developers inside the company.


Create users in the accounts + Each user has a feature list with checkboxes.

photo
photo
1

If a reseller has a customer with multiple cPanel accounts, the customer must logoff and login to a new cPanel account to change the management of other domain.


Will be a very interesting option (like Plesk suscriptions) to allow a single cPanel user to change from a account to other without to logout. Very interested if the user, can see a full list of their cPanel accounts, and change the management interfaxe with only one click.

photo
4

Bumping this - 6 years ago this was a problem - and it still is in 2019 - how do we control access to cPanel for a developer without giving away full access to every part of the cPanel?

photo
4

Sometimes, we even may want to protect the account against the client himself. Give him a user with limited access for his regular updates on email accounts, give a higher level to a dev/admin, etc.

It feels like 1999 without this level of user granularity.

photo
3

My scenario: I create websites but I don't give the client access to source code, in exchange for exclusive maintenance and much lower prices (selling a solution for them and not selling the full application, if you understand me). But I want to give the customer access to cPanel to manage the emails. He would have to access to the emails accounts, auto-replies, filters, etc, without being able to see anything about the site files, database, etc.

photo
2

There's also the very serious issue of continuity of information and access.

Without a user system of some description, an untimely bus can remove the person who knows the full access usernames and passwords. This is hopefully of less importance in a larger business (in that they may be able to keep the credentials copied somewhere secure), but small business, non-profit, individual, it's a more of a problem. I actually need to be able to have someone else have the keys to the kingdom if something happens to me.


As a side note, not being able to disable the root user from the wider internet is terrible! We need to be able to have another user name that has sudo root access. So that every script kiddie and robot trying to break into servers has at least a harder time of it. Root could then be locked down to only accessible from a certain IP address. However, IP addresses are a problem, because they can change at the whim of the service provider...

photo
2

The ability to allow a separate user to manage the emails and forwarders, without full access to file manager or other areas seems to be the most common use case.

photo
photo
2

Hopefully this functionality will be available for the next LTS.

photo
2

I have upvoted this idea already, but for what it's worth, I have to comment again about this being a SERIOUS shortcoming in cPanel. I bump up against this on a weekly basis. Having only ONE PERSON able to administer the account is utterly insane. (One person when 2fa is being used, as it always should be). As it is, I have to remove 2FA if I'm on holiday so someone else can administer if they need, Again, insane. I'm aware that this is a fundamental issue in cPanel, in that it's tied to user accounts. But this CANNOT be that hard to solve. To be able to create admin user accounts that don't have all the cruft of web servers etc attached. Because who wants that attack surface. Even if you just started with being able to create a user account that can be given FULL access (maybe without being able to take over the account entirely) then work backwards from there. Adding in the reduced permissions.

photo
1

I just created an account to add an additional voice on this feature request. It would be great to have sub-users as an available option on cPanel accounts. I would appreciate the ability to issue login credentials for my cPanel clients own contractors and to be able to revoke access if their contractors move on or are replaced. Another benefit of this is it allows the sub-user to set their own preferred password rather than group-sharing [passwords] or transmitting a password over a potentially insecure method, such as email.

Thanks for considering this.

photo
1

I was sleepy when I wrote the above comment so to be clear: It would be great to have sub-users [ADMINS] as an available option on cPanel accounts.

Thanks again.

photo
photo
1

I wanted to show my discomfort about the non-inclusion of multi-users with different access type permissions (DNS, email, MySQL, etc.) in cPanel. I think it is basic that a provider, for example a (webmaster) with access to manage FTP, MySQL, etc. has default permission to read the emails of a company manager. It does not make sense.

It is necessary and urgent that cPanel implements this feature.

photo
1

Wow, I can't believe this is still being debated. This situation scares the hell out of me. For the first time I have a web dev asking me for a CPanel user/pass. Are you kidding??? We have out entire set of databases and websites on this server and I don't want to hand that to anyone!

photo
1

How is it even possible that cPanel allows access to emails including reading and sending them by anyone that has access to cPanel admin. WTF... seriously naffed off, and have 5 accounts we are having to move now. cPanel there is NO credible reason to withhold separating email access and admin access to cPanel, there are too many companies big and small that do not use inhouse webdevelopers that have to give them access to cPanel, and consequently give the developer full access to emails. Im not even going to explain how sensitive emails can be corporate wise - you should know. Not Impressed at all.

photo
2

Another reason this is necessary is because two-factor authentication can only be setup for 1 device. So 2FA is unusable if multiple people need access to the cpanel account for any reason.

photo
2

Is this still a consideration for a future release (or has it been implemented yet)? This would be a great feature to have since I have some capable people that can help with some of the backend tasks on a cPanel site, but i don't want to give anyone MY cPanel login for security and access control reasons.

Please keep this in mind, we could really use this!!!

photo
2

Absolutely need the ability to add users with specific access to an account. I have many developers working for our company and I am now stuck giving them total control if they need basic tools to develop. Please add the multi-user feature ASAP. Thanks

photo
2

ssh allows for this facility. I think it's essential that WHM also allows for this.

photo
1

Sadly we had to turn webmail off for one client, They do not want the secretary being able to access the CEO's emails. Also it was a privacy thing with HR as well.

This company now wants me to investigate other control panels so they can re-enable web mail.

photo
1

You can access webmail from domainname.com/webmail using the email address and the password set for it without going through or knowing the cPanel login. This shouldn't be a privacy thing - just don't globally give out the cPanel login.

photo
1

This problem only occurs when one person of that company has the *CPANEL* account password.

A simple email-user *cannot* access others email if they are only an email account user.

But it's true that it is a problem that the CPANEL account can access all email content :-( This is bad for privacy and GRPD compliance as in my country (FR) email, even a professional email from an employee, is considered private, and can only be accessed by the employer in very specific circumstances stipulated by law.

So giving CPANEL account access to someone else as to yourself (retailer) is a bad idea until CPANEL one day gives a possibility to the root admin (in WHM) to make it *impossible* to the CPANEL user to go into the emails of an email users of his domain (he must then also not have SSH, SFTP access so he can not go read them at low level on the server....). Maybe this will be possible in the new "email-only" CPANEL version ?


In our practice, we give no CPANEL account to the email clients. We create the email accounts for them and communicate the login data directly to the email users. Clients do understand this as this is law.

In the case the client want to create himself the emails etc, we do him sign in the contract that he has to inform his employees that he *can* have access to their mail, even if they change their password ! It must me mentioned in the work-contracts, or in the internal regulations of the company, or announced during meetings with union representatives.

Another solution is to program / develop a separate interface and interact with the CPANEL API, and install a roundcube in a separate domain (roundcube can be configured to use any IMAP account) and manage yourself the auth to that interface. So you can give an access to someone of the company to be able to create / delete / reset emails for others (but without seeing the password), and without having access to the CPANEL interface itself, but it is dev work.

photo
photo
2

Yes but if the secretary has cpanel access to manage something simple like reports, and mail is active in features, then the secretary can see all mail and discover that the CEO knows he/she is stealing in the petty cash.

photo
1

If she knows what she is doing she can also go into the file manager and download the mail directory and view the emails that way too.

Until subusers are implemented you can’t give access to cPanel to someone you don’t trust with everything on that cPanel account.

photo
photo
4

7 years since the original request  

And still no development in this direction. 

photo
1

At least with turning Webmail off it gives the appearance of security. They do not have onsite IT, and they want access to their CPanel as the secretary is the one who creates and deletes email address's.

photo
1

So you would need to allow her to create and delete emails but not allow her to read emails ?

Would she be able to change email passwords ?

This is interesting to know in my opinion, as you would normally expect someone who can create and delete accounts to also have read access to those accounts.

photo
2

Currently the secretary Creates and deletes the email accounts. Yes she can change the passwords as required. Basically we do not want "temptation" staring her right in the face being able to click one button and see anyone else's emails. Am currently seeing if I can edit the theme to remove that button myself.

photo
2

I can see how this is actually a significant difference. With full cPanel, someone can read emails WITHOUT the password on the account changing, meaning there is virtually no trace of malicious behavior.

On the other hand, if someone was "forced" to gain access to someones email account by doing a password reset, there would at least be some indication of potential suspicious behavior because after the password reset, the rightful owner would suddenly not have a working password.

photo
1

I don't think sub-users would solve this particular issue, as the granularity of security is unlikely to go beyond "can manage email account" or not.

photo
1

If the password has not been changed within the security timeframe (eg 122 days), she would be prompted with a change password screen and be unable to login without changing the password first.

photo
photo
3

It is possible to get this done no later of the release of stable version of whmcs 8, where there is multi user + 2FA ? In this way we can finally announce there is multiuser/2FA for whmcs and cPanel, the whole ecosystem.

photo
7

Is anyone else astounded by this response?? This thread alone was started 7 years ago and for something as basic as login/user access, I’m shocked that this is cPanel’s position!

photo
3

Yes, and it is unfortunately why we migrated away from cPanel. We needed something more secure which a company can use.

photo
3

I'm astounded too. cPanel is great, but this feature (or lack of) is so insecure that it beggars belief in 2020.

photo
photo
1

Hi

The function that a cPanel administrator can create other users with different permissions according to their activity is very good, and it would only reflect the need to take care and not share such an important credential between several teams that work with cPanel, we look forward to telling us in which version It will be available to be able to test it and order the way of working of the different collaborators without so much risk of giving access to everything, and that it is registered who does and what, we hope this great functionality.

Have a nice week, take care.

Ruben arno


ESPAÑOL

**********

Hola

La función de que un administrador de cPanel pueda crear otros usuarios con diferentes permisos según su actividad es muy buena, y solo reflejaría la necesidad de cuidar y no compartir tan importante credencial entre varios equipos que trabajan con cPanel, esperamos ansiosos nos cuenten en que versión estará disponible para poder probarla y ordenar la forma de trabajo de los distintos colaboradores sin tanto riesgo de dar el acceso a todo, y que quede registrado quien hace y que cosa, esperamos esta gran funcionalidad.

Que tengan linda semana, cuídense.

Ruben Arno

photo
6

Unfortunately cPanel doesn't seem to understand how serious it's in terms of security to have several people having to share the same password and the problem that when one of those people stops working on the project, all the others have to know the new and unique password.

photo
2

it does boggle the mind they can be so oblivious about security in this day and age when 30,000+ websites get hacked every day.

every time I need to give some support agent access to my cpanel, I have to go and turn off 2FA and remember to turn it back on again afterwards.

How many people forget?

photo
2

With all the security issues in 2021 how is there no option for additional administrative users?

photo
photo
3

Adding my voices to this. I have recently returned to web development and I am simply disappointed that I can not create accounts with limited cpanel capacity. This is should be a high priority item. It is huge gap and to see that 7 years after the first request was made this still hasn't been implemented is just difficult to understand.

photo
2

When I click "I like this idea" for this feature, the counter does not +1. How the heck is this not implemented yet? It's 2021 and this feature has been requested for well over a decade now. It seems so trivial to implement too. What is the purpose of all these in the URL if it's not to allow multiple cPanel sessions at the same time? /cpsess5614889940/

I don't understand how to manage a bunch of hosting accounts when I have to spend 90% of my time logging back in accounts. This literally takes the most of my time when on the phone with clients.

photo
2

We have great news!

The full release of the new Manage Team feature is available in cPanel & WHM version 112. This feature allows cPanel account owners to create team user accounts so that multiple people can access, administer, and work on a single cPanel account without the security risk of sharing credentials. Look for more details on our cPanel Community Forums soon!

If you have additional questions, feel free to reach out on one of our social channels.

photo
2

This feature does not seem to be complete.

You currently cannot create a database access without allowing to download and restore a full file backup.

You also cannot create a user that has access to everything required for managing a website except e-mail. You allow web users to download and restore any file they want but they don't have access to the file manager.

Leave a Comment
 
Attach a file