Network Edition - Template User Permissions Propagate to Controller

OS Name/Version:
TrueNAS Scale/22.02 (controller); Windows 10/21H2 (Target)

Product Name/Version: (Always use the full version number - not ‘Latest’)
AMP/2.3.2.4 (licenced as Network Edition)

Problem Description:
I’m having issues with template permissions/roles.
I have a Controller and a Target Instance set up. Both the Controller and Target have been reactivated with my Network Edition licence key.
On the target, I have multiple Game Host Instances.
I created a new template role and assigned permissions as per the documentation here:

I’ve assigned this role to an account (this is the only role for this account), and now the role has access to all of the selected settings at the ADS Controller level.

I have verified that everything is still greyed out for that role at the Controller level. I can confirm that removing the permissions from the role at the Game Instance removed the access at the Controller level.

Steps to reproduce:

  • Step 1
    Create Template Role

  • Step 2
    Make sure that all settings at Controller level are greyed out.

  • Step 3
    Change settings on the Game Host Instance to enable access.

Actions taken to resolve so far:
I’ve tried different naming conventions for the role.
I’ve tried using the “disable” setting for permissions at the Controller level. (This disables everything from the controller down to the Game Host Instances, which is the behavior I would expect.)
I’ve tried creating the Template Role at the Target ADS Instance… Same result. Changes to the Template Role at the Game Host Instance propagate back up to the controller.

Can you show me what permissions the role has? Can you also explain in more detail what you’re trying to achieve?

Also if you’re using a 3rd party docker image to run AMP in TrueNAS without a VPS then this isn’t a supported configuration and you should ask the maintainer of the docker image for support.

(Permissions screenshot at the end of the message)

My guild/clan/group has about 40 active members. There are 3-4 of us who have run servers in the past. I’m trying to consolidate, moving all of our servers to two machines that I own, and giving the other server admins the ability to create/manage game servers. (we typically have 3-5 servers running at any given time)

Here’s what I want this role to be able to do:

  • View all instances from the Controller
  • Start/Stop Game Instances
  • Create New Game Instances
  • Update/Download the Game
  • Configure the Game Settings
  • Start/Stop the Game
  • View and execute commands on the Game Console
  • Add/Perform Game Backups
  • Add/Edit Scheduled Tasks on the Game Instance

I do not want them to be able to access the admin commands at the Controller. I do not want them to be able to add/remove users at any level. I do not want them to have file access at the Controller Instance. I don’t want them to be changing any AMP management settings.

Regarding the Docker image, I had originally set this up as a hybrid, running both the Controller and Target on the Windows OS. Had the same problem with that, so I added the Docker Controller, as the hybrid was “not recommended.” I figured the Hybrid configuration might have been a contributing factor. (Sorry for not mentioning that previously.)

Here are the settings that I have tagged at the Game Instance level. (at the Controller level, nothing is tagged)

You’ll need a second non-template role to pull this off. Template permissions apply to all instances, and ADS controllers/targets are just AMP instances.

So what you do is create a non-template role that denies access to things like the file manager just for the ADS instance. When a user is a member of two roles, and one role allows something and another denies something - the deny rule takes priority.

This way you can allow access to the file manager for each instance, but not for ADS itself.
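A simplified model of the rule described in this reply (template roles evaluated on every instance, a non-template role scoped to one instance, deny overriding allow), added here as an illustration; it is not AMP's code and not part of the thread. The instance names, permission names and the `ADS lockdown` role name are hypothetical, and `leaked()` models the poster's later hypothesis that every role behaves as a template role.

```python
from dataclasses import dataclass, field, replace
from typing import Dict, Optional

ALLOW, DENY = "allow", "deny"

@dataclass
class Role:
    name: str
    template: bool                    # template role: evaluated on every instance
    instance: Optional[str] = None    # non-template role: the one instance it is scoped to
    rules: Dict[str, str] = field(default_factory=dict)  # unset permission = no opinion

def check(roles, instance, permission):
    """Deny-overrides: any applicable DENY wins, otherwise at least one ALLOW is required."""
    decisions = [r.rules.get(permission) for r in roles
                 if r.template or r.instance == instance]
    return DENY not in decisions and ALLOW in decisions

def matrix(roles, instances, permissions):
    """Effective access for one user across every (instance, permission) pair."""
    return {(i, p): check(roles, i, p) for i in instances for p in permissions}

# Constructed sample data (hypothetical names, not AMP permission nodes).
INSTANCES = ["ADS01", "Game01"]
PERMS = ["FileManager", "Console"]
game_admin = Role("Instance Admin", template=True,
                  rules={"FileManager": ALLOW, "Console": ALLOW})
ads_deny = Role("ADS lockdown", template=False, instance="ADS01",
                rules={"FileManager": DENY, "Console": DENY})

def scoped():
    # Intended outcome: the deny role only applies on the ADS instance.
    return matrix([game_admin, ads_deny], INSTANCES, PERMS)

def leaked():
    # Failure mode: the deny role is evaluated as if it were a template role,
    # so its denies override the allows on every instance.
    return matrix([game_admin, replace(ads_deny, template=True)], INSTANCES, PERMS)

if __name__ == "__main__":
    for label, result in (("scoped", scoped()), ("leaked", leaked())):
        for (inst, perm), ok in sorted(result.items()):
            print(f"{label:7} {inst:7} {perm:12} {'allow' if ok else 'deny'}")
```

Comparing the expected matrix with what a test account can actually do on each instance shows whether a deny role is scoped the way it was intended.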

So, I have done as you have suggested. I created a Role (non-template) at the Controller which denies access to the things I don’t want the user to have access to at the controller.

I have assigned both this role, and the Instance Admin Role to a user account:

This is working as expected at the Controller level. However, at the Game Instance Level, the user no longer has access. (It’s like the deny permissions from the other role are propagating down to the Game Instance.)

Here are the permissions for the Template User at the Game Instance level:

And here’s what I’m seeing as that user, at the Game Instance Level:

One more thing… I tried editing the User (Controller) Role at the Target Instance level, un-denying the settings made at the Controller level, but that didn’t work either.

Commenting to allow additional info to be added by OP

I have reverted to using the Hybrid Config on my Windows 10 machine. I went through and configured everything the same:

  • Added a Role to deny access to the ADS Instance
  • Added a Template Role to allow access at the Game Instance (all permissions grayed out at ADS Instance)
  • Created a new user and assigned both roles to them.

The user has the expected permissions at the ADS Instance but has all rights removed at the Game Instance.

I noticed something which I thought was a bit weird, and it may be nothing… When creating a Role, I get the following:

When I create a Template Role I get this:

When I view either of the created roles, I get this:

I haven’t checked to see if the message is the same in the standalone version, but this would indicate to me that all created roles are functioning as Template Roles when using a Network Edition licence. Perhaps I’m misinterpreting.