views: 82

answers: 4

Where, when and how to create the administrator account/user for a private website?

So what I am asking is what's the preferable technique for creating that first administrator account/user. In my case it's for a private web application. I am talking about the account/user that will own the application and will, if needed, create/promote the other administrators. I guess you can call this guy the root user?

Here are a few ways I encountered in other websites/web applications.

Installation wizard:
You see this a lot in blog software or forums. When you install the application it will ask you to create an administrator user. Private web applications will most likely not have this.

Installation file:
A file you run to install your application. This file will create the administrator account for you.

Configuration files:
A configuration file that holds the credentials for the administrator account.

Manually insert it into a database:
Manually insert the administrator info into the database.

+1  A: 

I see you tagged ruby on rails here. In RoR you would probably use the seeds.rb file under /your_app/db.

If you are using asp.net, I might assume you are using MSSQL or maybe Oracle. Having a stored proc that runs as an install script might do the job.

I have seen php apps using an install.php file that when run once installs the necessary data into the database and then tells the installer to delete the file before the app will run.

So there are three ways to deal with it.

DJTripleThreat
+1  A: 

If you have user accounts on your website (and I see you have them), a config file with the administrator's credentials is very awkward. This solution forces you to duplicate a big part of the authentication logic. Better to keep the account in the database.

I understand you are preparing the application for yourself, not delivering it to your customers. Preparing an installation wizard or installation files seems to be a waste of time.

I would do the simplest thing: just a raw insert. Pros: no extra work, same authentication mechanism as for other users. If you are using some kind of database migrations, you could create a migration which creates a root account with some dummy password you can change later.

skalee
The comment you said about the installation wizard is very true.
Pickels
+1  A: 

Installation wizard: - definitely the best approach. Clean, sure and user-friendly. Should be integrated with the application installer.

Installation file: - ok, but only if you have one and only one script to run. Having more -> problems and potentially security flaws (all the folks who forget to delete this file after ...)

Configuration files: To avoid. You are demanding that the user know PHP, the internals of your app, maybe server-side configuration (anything above FTP can be "difficult").

Manually insert it into a database: To avoid * 2.

In addition, the last two solutions are impossible if you are using password hashing (i.e. md5 or sha1 with a site-specific salt), which is quite an obligation today.

ts
If you work with OpenID you can also do the last two because you won't be saving any passwords.
Pickels
OpenID for admin? I'm not sure if it is a good idea.
ts
Manually inserting an administrator is perfectly doable: you simply add a field to each user record specifying their privilege level and adjust a regular user to admin status by updating one field. So long as you have database access, you completely avoid your password issue.
Andrew Heath
If you have "normal" users and admin users in one table. Which is not always true. And it demands that "normal" user accounts be created before the admin account, which is quite ... rare. And, besides that, while it's perfectly doable, it is not the cleanest way to do it.
ts
I agree with all of that - just disagree with password hashing making it impossible. :-)
Andrew Heath
+3  A: 

When:

In a bootstrapping phase. Someone has suggested seeds.rb. I personally prefer to use the bootstrapper gem (with some additions that allow me to parse CSV files).

This action allows you to create a rake task which can be invoked like this:

rake db:bootstrap

This will create the initial admin user, as well as any seeding data (such as the list of countries, or a default blog format, etc). The script is very flexible. You can make it ask for a password, or accept a password parameter, if you feel like it.

How:

In all cases I use declarative_authorization in order to manage user permissions.

Your admin user must return a role called 'admin' (or whatever name you choose) on the list of roles attached to it. I usually have 1 single role per user, mainly because I can use role inheritance (e.g. admins are also editors by default). This means that on my database I've got a single field for users called "role_id". 0 is usually for the admin role, since it is the first one created.

Where:

A specific file inside db/bootstrap/users.rb (or YAML, or CSV) specifies the details of a user with the admin role activated. The rake db:bootstrap command parses that file and creates the user accordingly.

egarcia
Good answer with extra information.
Pickels
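The two database-side approaches from this thread (skalee's "migration that creates a root account" and egarcia's bootstrap task with a single role_id and role inheritance) can be shown in one script. The code below is an added example, not code from the question, the answers, the bootstrapper gem or declarative_authorization. It is plain Ruby, so the users table is an Array of Hashes standing in for the real table; the environment variable name ADMIN_PASSWORD, the helper names, the role numbering beyond "0 is admin", and the choice of PBKDF2-SHA256 (instead of the salted md5/sha1 mentioned above) are all assumptions made for the example. It also answers the "impossible with password hashing" point: the bootstrap step just runs the same hashing the login path uses, so the stored record is indistinguishable from one created through the app.

```ruby
require 'openssl'
require 'securerandom'

# Role model as in the answer above: one role_id per user, 0 is admin,
# and roles inherit (admins are also editors). Ids 1 and 2 are assumed here.
ROLES = { 0 => :admin, 1 => :editor, 2 => :user }.freeze
ROLE_INHERITS = { admin: [:editor], editor: [:user], user: [] }.freeze

# All roles a given role grants, following the inheritance chain.
def effective_roles(role)
  seen = []
  stack = [role]
  until stack.empty?
    r = stack.pop
    next if seen.include?(r)
    seen << r
    stack.concat(ROLE_INHERITS.fetch(r))
  end
  seen
end

def role_grants?(role, wanted)
  effective_roles(role).include?(wanted)
end

# Password hashing used by both the bootstrap step and normal login,
# so a seeded admin is stored exactly like a self-registered user.
PBKDF2_ITERATIONS = 200_000

def hash_password(password, salt = SecureRandom.hex(16))
  digest = OpenSSL::KDF.pbkdf2_hmac(password, salt: salt, iterations: PBKDF2_ITERATIONS,
                                    length: 32, hash: 'sha256')
  "pbkdf2-sha256$#{PBKDF2_ITERATIONS}$#{salt}$#{digest.unpack1('H*')}"
end

# Constant-time comparison so a wrong guess takes the same time regardless of
# which byte differs.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

def password_matches?(stored, candidate)
  _algo, iters, salt, hex = stored.split('$')
  digest = OpenSSL::KDF.pbkdf2_hmac(candidate, salt: salt, iterations: iters.to_i,
                                    length: 32, hash: 'sha256')
  secure_equal?(digest.unpack1('H*'), hex)
end

# Idempotent bootstrap (safe to run on every deploy, like a migration or a
# `rake db:bootstrap` task): inserts the root user only if it is missing.
# The password comes from an explicit argument, then ENV['ADMIN_PASSWORD'],
# then an optional prompt; if none supplies one, a random one-time password
# is generated, shown once, and the account is flagged must_change_password,
# which is the "dummy password you can change later" variant.
def bootstrap_admin(users, login: 'root', password: ENV['ADMIN_PASSWORD'], prompt: nil)
  existing = users.find { |u| u[:login] == login }
  return existing if existing

  password = prompt.call if password.nil? && prompt
  generated = password.nil? || password.empty?
  if generated
    password = SecureRandom.urlsafe_base64(18)
    warn "one-time password for #{login}: #{password} (must be changed at first login)"
  end

  user = {
    login: login,
    role_id: ROLES.key(:admin),          # 0, the first role created
    password_hash: hash_password(password),
    must_change_password: generated
  }
  users << user
  user
end

if $PROGRAM_NAME == __FILE__
  users = []   # constructed stand-in for the users table
  admin = bootstrap_admin(users, prompt: -> { print 'admin password: '; $stdin.gets.to_s.chomp })
  puts "created #{admin[:login]} with role #{ROLES[admin[:role_id]]}"
end
```

Running the script twice leaves one root row; the second call simply returns the existing record instead of overwriting its hash, which is the property you want from anything wired into a migration or deploy hook. The generated-password branch prints the secret to stderr once and never stores it in clear, so nothing sensitive ends up in the seed file or in version control.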