Do admins have the right to read private channels?

Can admins read private channels?

Hello, @KFleischerDRV

Private channels are only visible to select team members by default as well as the channel owner and admin. System admins do not have access to private channels.

Is there any specific use case that you would like to share from your end for this scenario? Is there any private information that the system admin needs to extract from any of the channels?

Hi @ahmaddanial,
you write that

  • members that are invited in the channel
  • channel owner (the person that created it? How does this person differ from “invited members”)
  • admins

have the right to look inside private channels.
Sysadmins not.

What role does an “admin” need to have to see those channels? In the system console in our Mattermost there is only the “system admin” role and the “member” role.

Hi, @KFleischerDRV

The channel owner is the user who created the channel, which is determined by the following query. For example, this query shows that the user ahmad.danial was the creator of the Membership channel:

mysql> SELECT u.Username, c.DisplayName FROM Users AS u LEFT JOIN Channels AS c ON u.Id = c.CreatorId WHERE DisplayName = "Membership";
+--------------+-------------+
| Username     | DisplayName |
+--------------+-------------+
| ahmad.danial | Membership  |
+--------------+-------------+
1 row in set (0.00 sec)

The channel admin role needs to be configured within the channel itself. For example:

When checked from the database level using the following query, we can see that user zoidberg is the channel admin of the Membership channel indicated by SchemeAdmin of the channel:

mysql> SELECT u.Username, cm.SchemeUser, cm.SchemeAdmin, cm.SchemeGuest, c.DisplayName FROM ChannelMembers AS cm LEFT JOIN Users AS u ON cm.UserId = u.Id LEFT JOIN Channels AS c ON cm.ChannelId = c.Id WHERE u.Username = "zoidberg";
+----------+------------+-------------+-------------+-------------+
| Username | SchemeUser | SchemeAdmin | SchemeGuest | DisplayName |
+----------+------------+-------------+-------------+-------------+
| zoidberg |          1 |           1 |           0 | Membership  |
| zoidberg |          1 |           0 |           0 | Town Square |
| zoidberg |          1 |           0 |           0 | Off-Topic   |
+----------+------------+-------------+-------------+-------------+
3 rows in set (0.00 sec)

If a System Admin who belongs to a channel leaves a private channel:

They can no longer search for it once it is done.

Thanks for that elaborate answer.
I’m a bit puzzled as I do not see the role “channel admin”. Neither can I set it inside the channel’s “manage Members” nor elsewhere.
Is this a feature of the Enterprise version only or when was this role introduced?

*) I see it’s Enterprise only… https://docs.mattermost.com/help/getting-started/managing-members.html

Thus in the community version of MM only the people that are currently in a private channel can see the private channel. Correct?

Hello, @KFleischerDRV

Yes, the Channel Admin is a feature available for Enterprise deployments. To answer your question, yes.

Only the participants of the Private channel are able to access it. Users who are not included in the Channel Member list cannot see it.

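Added example, not part of any post in this thread and not Mattermost's own code: a membership audit that combines the two queries above to show, for each private channel, who is a member, who is creator or channel admin, and which system admins are not members. It runs against an in-memory SQLite stand-in with constructed rows; `Channels.Type = 'P'`, `Users.Roles` and the user `root.admin` are assumptions that do not appear in the thread.

```python
import sqlite3

# Constructed stand-in for the tables queried in the thread.
# Assumed (not shown in the thread): Channels.Type ('P' = private), Users.Roles.
SCHEMA = """
CREATE TABLE Users (Id TEXT PRIMARY KEY, Username TEXT, Roles TEXT);
CREATE TABLE Channels (Id TEXT PRIMARY KEY, DisplayName TEXT, Type TEXT, CreatorId TEXT);
CREATE TABLE ChannelMembers (ChannelId TEXT, UserId TEXT,
                             SchemeUser INT, SchemeAdmin INT, SchemeGuest INT);
"""
SAMPLE = """
INSERT INTO Users VALUES ('u1', 'ahmad.danial', 'system_user'),
  ('u2', 'zoidberg', 'system_user'),
  ('u3', 'root.admin', 'system_user system_admin');  -- hypothetical system admin
INSERT INTO Channels VALUES ('c1', 'Membership', 'P', 'u1'),
  ('c2', 'Town Square', 'O', 'u1');
INSERT INTO ChannelMembers VALUES ('c1', 'u1', 1, 0, 0), ('c1', 'u2', 1, 1, 0),
  ('c2', 'u2', 1, 0, 0), ('c2', 'u3', 1, 0, 0);
"""

def demo_db():
    """Build the constructed sample database in memory."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA + SAMPLE)
    return conn

def private_channel_access(conn):
    """Map each private channel to its members and to the system admins outside it."""
    users = conn.execute("SELECT Username, Roles FROM Users")
    sysadmins = {name for name, roles in users if "system_admin" in roles.split()}
    rows = conn.execute("""
        SELECT c.DisplayName, u.Username, cm.SchemeAdmin, c.CreatorId = u.Id
        FROM Channels AS c
        JOIN ChannelMembers AS cm ON cm.ChannelId = c.Id
        JOIN Users AS u ON u.Id = cm.UserId
        WHERE c.Type = 'P'
        ORDER BY c.DisplayName, u.Username""")
    report = {}
    for channel, user, is_admin, is_creator in rows:
        entry = report.setdefault(
            channel, {"members": {}, "sysadmins_outside": set(sysadmins)})
        entry["members"][user] = {"channel_admin": bool(is_admin),
                                  "creator": bool(is_creator)}
        entry["sysadmins_outside"].discard(user)  # a member sysadmin is not outside
    return report

if __name__ == "__main__":
    for channel, entry in private_channel_access(demo_db()).items():
        print(channel, entry)
```

Private channels with no `ChannelMembers` rows are not listed, because the report is built from membership rows.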

While not having access to a Mattermost database at the moment, I am willing to bet that a sysadmin could still read these kinds of channels by connecting directly to the database. The only way to prevent this kind of access would be a kind of end to end encryption of channels.

I don’t understand. Sysadmin is a Mattermost role. Not an OS role or something.
I’m a sysadmin on my local MM installation. How should I access the MM database directly? This sounds a bit academic.

Then we have different understandings of what a “Sysadmin” is. For me it’s someone with access to the underlying system and infrastructure.

With your mysql or postgres command line for example.

Sure. Just be aware that without end to end encryption a sufficiently skilled admin can do anything he wants.