How do I prevent Super Users from doing specific high risks administrative actions? FAQ - How to

In Matomo, Super Users are trusted and can do a lot of important actions. For example they can:

Install new plugins
De-activate plugins
Use the Marketplace and update plugins
Modify Archiving settings
Modify Update & Auto-update settings
Modify Email server settings
Modify Trusted Matomo Hostname
Modify the geolocation settings

When would I want to prevent Super Users from doing these actions?

In cases where you may not 100% trust Super Users, then you may want to prevent Super Users from taking actions that could compromise security (such as installing new plugins). There are several cases where you may not trust Super Users, for example when you provide Matomo as a service to your customers, and Matomo Super Users may be your customers rather than your colleagues. Or when you run Matomo on the same server and account as other web applications, and you want to make sure that Matomo app is locked down as much as possible.

How do I prevent Super Users from doing high risks administrative actions?

Edit your config/config.ini.php file and set the following settings under [General] section:

; Disable installing new plugins and (de)activating plugins.
enable_plugins_admin = 0

; Hide and disable in the UI the following settings:
; - Archiving settings
; - Update settings
; - Email server settings
; - Trusted Matomo Hostname
enable_general_settings_admin = 0

; Disable the geolocation settings
enable_geolocation_admin = 0

You could also disable the Marketplace plugin to prevent new plugins from being installed.

Previous FAQ: How do I check that my Matomo SSL Server is correctly configured?

When would I want to prevent Super Users from doing these actions?

How do I prevent Super Users from doing high risks administrative actions?

Feedback on this page