Security levels inside Management

@emre I just noticed an issue: If I create a new role and define management permissions, I cannot give access to Users.Role List to that role, otherwise they can go in and change the management permissions. That’s fine.

However, if I give the role access to Users.User List, which typically you would do, as you would want to, say, allow a manager to add new users, the user can also delete any user, including the ones with “higher” permissions than themselves. This essentially means if we have a “support” role with full permissions, then a “manager” role with management permissions set but access to create new users, the manager can delete the support user and therefore remove all admin / support access to the system. The only way to fix it would be going into the database and re-creating the user manually via the database.

Is there any way we can have something in place to stop this happening?

5 Likes

@emre Products.Product List is not working but Products.Price List Editor is working well. What might be the issue?

I got it, I needed to restart. Thanks.

1 Like

How about management permissions to add users and change the password of existing users?

Pretty sure you can already do that; you can limit exactly what options under the main settings people can access and give bespoke permissions.

It shows you above how to configure it.

3 Likes

Hi Mark,
Did you find any solution to prevent non-admin users from adding a user to a user role with an admin flag?

Jakes, there is a huge thread which I started a while back that can allow a non-admin role to create a user and only a specific role.

This was perfect, you just create an AMC button and map it to whoever can use it.

Matt

3 Likes