Roles and Security flaw

Roles

So we have roles.
Roles are for permission restrictions.

We have an Admin role.
We have a Server role.
We have a Bartender role.
We have a Manager role.

Everything is fine, UNLESS you have the need to grant any role access to the Manage interface.

Why would anyone need access to this?
Managers (or whichever role you want) often need access to the Menu items to change prices.

Anyone you grant access to the Manage screen has access to become an Admin or change roles and perms to whatever.

Seems like such a security oversight.

Any suggestions or are there any updates coming to address this?

You can restrict manage sections in the roles with the Management Permissions section. Even if they are admin, if you restrict the screen they won’t have access.

Do you mean here?

Screen Shot 2022-08-08 at 8.23.16 AM

If you uncheck OPEN MANAGEMENT, then you cannot edit any menu items.

If you DO allow, then they can edit the menu as we want, and they can still make themselves an admin.

BAD.

No, I don’t; please see above. It seems you have not found the manage permissions.

OK, I will look into that, thanks.

We added this in 2016 due to the demand for restricting this screen by role.

The security level edits that you provided work well to limit roles even further; I do like that.
However, see if you can help with this.

Let’s say in a restaurant with lots of staff, you have a hostess, and this hostess is not in the computer as a user yet; there is no need.

Then it’s a busy night, and several have called in sick and now we need this hostess to be in the system and working as a server.

The manager on duty, as you can see above, now has limits like we want, but we need the manager to be able to add users.

Might not seem like a problem, you could simply add permissions to access the user portion.
HOWEVER then they would be able to add a user, and make that user an admin role.

Seems like an oversight.

Is there a way to limit that, or can we somehow set the system to have a button or something to add a default user that you already have set up with a role?

You can create custom automation for that, which will insert a new user into the database, and all you need to do is define the PIN number.

Any info on where this is? Is there a tutorial?

No, there will not be a tutorial for this. You will need to use the built-in JScript engine and SQL.

It is an internal API call to create users. This can be automated and I have seen some resellers build it into a management entity screen.
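
The delegated "add a default user" idea from this thread, sketched as an added example that is not part of any post and is not the POS product's own code or API. The in-memory store, the function names, the role ranks and the PIN format are all hypothetical; the point is that the role is never a caller-supplied value and that role edits are refused at or above the actor's own level.

```javascript
// Added illustration. Hypothetical in-memory model, not the product's schema or API.
const ROLE_RANK = new Map([["Server", 1], ["Bartender", 1], ["Manager", 2], ["Admin", 3]]);
const DEFAULT_NEW_USER_ROLE = "Server"; // assumption: preset once by an Admin

function createStore(seedUsers) {
  const store = { users: new Map(), audit: [] };
  for (const u of seedUsers) store.users.set(u.name, { ...u });
  return store;
}

function rankOf(store, name) {
  const user = store.users.get(name);
  if (!user) throw new Error("unknown user: " + name);
  return ROLE_RANK.get(user.role);
}

// Delegated creation: the role is not a parameter, so the caller cannot pick Admin.
function addDefaultUser(store, actorName, newName, pin) {
  if (rankOf(store, actorName) < ROLE_RANK.get("Manager")) throw new Error("actor may not add users");
  if (!/^\d{4,8}$/.test(pin)) throw new Error("PIN must be 4-8 digits"); // assumed PIN format
  if (store.users.has(newName)) throw new Error("user already exists");
  for (const u of store.users.values()) {
    if (u.pin === pin) throw new Error("PIN already in use");
  }
  const user = { name: newName, role: DEFAULT_NEW_USER_ROLE, pin };
  store.users.set(newName, user);
  store.audit.push({ actor: actorName, action: "add_user", target: newName, role: user.role });
  return user;
}

// Role edits: a non-Admin may only touch users below their own rank,
// and may only grant roles below their own rank (so no self-promotion either).
function changeRole(store, actorName, targetName, newRole) {
  if (!ROLE_RANK.has(newRole)) throw new Error("unknown role: " + newRole);
  const actorRank = rankOf(store, actorName);
  const targetRank = rankOf(store, targetName);
  const isAdmin = actorRank === ROLE_RANK.get("Admin");
  if (!isAdmin && (ROLE_RANK.get(newRole) >= actorRank || targetRank >= actorRank)) {
    throw new Error("cannot grant or modify a role at or above your own");
  }
  const target = store.users.get(targetName);
  store.audit.push({ actor: actorName, action: "change_role", target: targetName, from: target.role, to: newRole });
  target.role = newRole;
  return target;
}
```

The audit entries give an Admin a record of who added or re-roled whom, which is what you would review after a busy night of delegated changes.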