Sharing and Access Control

By default, your machine is only accessible to you. However, Teclada allows you to share your machine with others, which can help with debugging, teaching, etc. Click "Share" on the home page to configure access control.

Host Access Tiers

Viewer

The 'viewer' privilege allows a user to:

  1. See open sessions on a machine
  2. See commands run in those sessions
  3. Observe command input and output

Runner

The 'runner' privilege grants all privileges of 'viewer', but also allows a user to:

  1. Create new sessions
  2. Run commands in an open session
  3. Send input to running commands

Manager

The 'manager' privilege grants a user the right to grant or revoke any privilege on a host, except the 'owner' privilege.

Note that the manager privilege does not automatically grant 'viewer' or 'runner' privileges. A manager can of course grant those privileges to themselves, but this requires a positive (and logged) action.

Owner

The 'owner' privilege grants all privileges of 'manager', plus the ability to add or remove other owners.

Note that the owner privilege does not automatically grant 'viewer' or 'runner' privileges. An owner can of course grant those privileges to themselves, but this requires a positive (and logged) action.

Additional Settings

Machine User

The 'viewer' and 'runner' privileges have an additional "Machine user" field. This can be set to a username or UID. If set, permission is only granted to view sessions or run commands as that specific machine user. If unset (or set to 0), permission is granted to view sessions or run commands as any user.

If multiple machine users are required but "all users" is not acceptable, the viewer or runner permissions can simply be granted multiple times.

If a host is installed as a non-root user, it can only be used for running shells as that user. In that case, the Machine User field will not appear when granting access.

"User can further share this machine"

This checkbox allows a user to delegate their privileges to other users. The user will be able to grant someone else the same privileges or lesser privileges, but never greater privileges.

Some examples:

  • If a user has "Runner" permission with machine user 0, they could grant permissions like:
    • runner with machine user 0
    • runner with machine user ipudney
    • viewer with machine user 0
  • If a user has "Viewer" permission with machine user 0, they could only grant permissions like:
    • viewer with machine user 0
    • viewer with machine user fiala
  • If a user has "Runner" permission with machine user 1000, they could only grant permissions like:
    • viewer with machine user 1000
    • runner with machine user 1000

In industry, this is often called by the extremely confusing name "discretionary access control". (If a user cannot delegate their privilege to other users, this is called "mandatory access control".)

The "manager" and "owner" privileges inherently allow granting more privileges, so this checkbox does not appear when granting those privileges.

One warning: when this checkbox is checked, users may be able to grant access to others without being able to revoke that access.
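
The delegation rules above can be written as a small check. This is an added illustration, not Teclada's own code: the Grant class and the covers and may_delegate functions are hypothetical names, usernames and UIDs are compared as opaque identifiers (no lookup on the machine), and because the page does not say whether a delegated grant may itself be shared further, the requested grant's can_share flag is ignored.

```python
from dataclasses import dataclass
from typing import Iterable, Union

MachineUser = Union[int, str, None]
TIERS = ("viewer", "runner", "manager", "owner")
RANK = {"viewer": 1, "runner": 2}  # session tiers, weakest first


@dataclass(frozen=True)
class Grant:
    tier: str                         # one of TIERS
    machine_user: MachineUser = None  # None or 0 means "any machine user"
    can_share: bool = False           # "User can further share this machine"


def _any_user(mu: MachineUser) -> bool:
    return mu is None or mu == 0


def covers(held: Grant, wanted: Grant) -> bool:
    """True if `held` alone lets its holder hand out `wanted`."""
    if held.tier == "owner":
        return True                    # owners may also add other owners
    if held.tier == "manager":
        return wanted.tier != "owner"  # any privilege except owner
    if wanted.tier not in RANK or not held.can_share:
        return False                   # viewer/runner never grant manager/owner
    if RANK[wanted.tier] > RANK[held.tier]:
        return False                   # same or lesser tier only
    # A grant pinned to one machine user cannot be widened to another user
    # or to "any user"; an unpinned grant can be narrowed to anyone.
    return _any_user(held.machine_user) or wanted.machine_user == held.machine_user


def may_delegate(held: Iterable[Grant], wanted: Grant) -> bool:
    """A user may hold several grants; one covering grant is enough."""
    if wanted.tier not in TIERS:
        raise ValueError(f"unknown tier: {wanted.tier!r}")
    return any(covers(g, wanted) for g in held)
```

The "runner with machine user 1000" case from the list shows the narrowing rule: may_delegate([Grant("runner", 1000, True)], Grant("runner", 0)) is False, because 0 would widen access to every machine user.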

Session Access Tiers

We'd like to implement the ability to grant access for a specific session only, but unfortunately we don't have that feature yet.