I try to centralize all user config in users.yml. So something like this is what I had in mind:

users:
  amir:
    email: ""
    name: Amir
    password: ...
    filter: ...
    actions: true|false
    shell: true|false

Introducing new ENV var wouldn't be needed. It could also be something like roles: actions|shell. But that might not work because one should be able to disable it.

And another question, what should happen if shell is true but shell hasn't been enabled in the UI? Should it only enable for that user?

With this user configuration, what should I do with users who are logged in via proxy? I believe that if it is globally disabled, it doesn't matter what the user has activated, as we are looking at the global status. I have already implemented the rbac option.

I also added permission to download logs

If you are going to implement role based then I would want it to be easy. Let's say the UI does need to have it enabled. Then it could be:

roles:shell|actions|download

Then it would be all by default. Don't introduce custom roles because that's more work and confusion.

The nice part is that it can easily because used with proxy by providing the right role in header.

Once you send PR I can provide more details.

I guess right now I just don't see a way to pass the roles from an OIDC/SSO provider via proxy at all, other than with a static value/logic that would have to be written-into and parsed at the proxy.

If you make Dozzle look for customizable OIDC 'group' names in the header (which I imagine is just a string), then that allows Dozzle permissions be set at the SSO provider which is standard practice over a custom proxy config.

I could be totally out to lunch too.

First, let's make sure the bug fix worked. Let me know. Then I'll figure out the rest. 🙈

Proxy breaks roles. That's a bug. It should default to all in proxy. I think I missed that use case.

#4145 confirmed fixed

Ok let me merge that. Since other folks are probably broken too.

Can you start a new discussion for OIDC groups? I am probably missing something (or trying to to multi-task) and not sure why relabeling groups is even needed.

Absolutely. I tried to explain it the best I could here: #4148

Cheers and thanks for your hard work.