Security levels inside Managament


#43

@emre I just noticed an issue: If I create a new role and define management permissions, I cannot give access to Users.Role List to that role, otherwise they can go in and change the management permissions. That’s is fine.

However, if I give the role access to Users.User List, which typically you would do, as you would want to say allow a manager to add new users, the user can also delete any user, including the ones with “higher” permissions than themselves. This essentially means if we have a “support” role with full permissions, then a “manager” role with management permissions set but access to create new users, the manager can delete the support user and therefore remove all admin / support access to the system. The only way to fix would be going into the database and re-creating the user manually via the database.

Is there any way we can have something in place to stop this happening?


#44

@emre Products.Product List is not working but Products.Price List Editor working well what might be the issue?


#45

I got it, I needed to restart, Thanks


#46

how about management permissions to add the users and change the password of existing users


#47

Pretty sure you can already do that, you can limit exactly what options under the main settings that people can access and give bespoke permissions


#48

It shows you above how to configure it


#49


#50

Hi Mark,
Did you found any solution to prevent a non-admin users to add a user to a user role with a admin flag?


#51

Jakes, there is a huge thread which I started a while back that can allow a non admin role create a user and only a specific role.

This was perfect, you just create an AMC button and map it to whoever can use it.

Matt