@emre I just noticed an issue: If I create a new role and define management permissions, I cannot give access to Users.Role List to that role, otherwise they can go in and change the management permissions. That’s fine.
However, if I give the role access to Users.User List, which typically you would do, as you would want to, say, allow a manager to add new users, the user can also delete any user, including the ones with “higher” permissions than themselves. This essentially means if we have a “support” role with full permissions, then a “manager” role with management permissions set but access to create new users, the manager can delete the support user and therefore remove all admin / support access to the system. The only way to fix it would be going into the database and re-creating the user manually via the database.
Is there any way we can have something in place to stop this happening?
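
One way a guard against the scenario in this post could work, as an added example that is not part of the original post and is not the application's own code. The `Role`/`User` model, the function names and the "Tickets.Void" permission are hypothetical; the two Users.* permission names are taken from the post.

```python
from dataclasses import dataclass

USER_LIST = "Users.User List"   # permission names as written in the post
ROLE_LIST = "Users.Role List"

@dataclass(frozen=True)
class Role:                     # hypothetical model, not the application's schema
    name: str
    permissions: frozenset

@dataclass
class User:
    name: str
    role: Role

def can_delete(actor, target, all_users):
    """Return (allowed, reason) for actor deleting target."""
    if USER_LIST not in actor.role.permissions:
        return False, "actor lacks Users.User List"
    # Rule 1: an actor may only delete users whose permissions are a
    # subset of their own, so a manager cannot remove a "higher" account.
    if not target.role.permissions <= actor.role.permissions:
        return False, "target holds permissions the actor does not"
    # Rule 2: never delete the last account that can still edit roles,
    # otherwise recovery requires editing the database by hand.
    role_admins = [u for u in all_users if ROLE_LIST in u.role.permissions]
    if len(role_admins) == 1 and role_admins[0] is target:
        return False, "target is the last user with Users.Role List"
    return True, "ok"

def delete_user(actor, target, all_users):
    """Delete target from all_users only if the guard allows it."""
    allowed, reason = can_delete(actor, target, all_users)
    if not allowed:
        raise PermissionError(reason)
    all_users.remove(target)

# Constructed sample data mirroring the roles described in the post.
SUPPORT = Role("support", frozenset({USER_LIST, ROLE_LIST, "Tickets.Void"}))
MANAGER = Role("manager", frozenset({USER_LIST, "Tickets.Void"}))
CASHIER = Role("cashier", frozenset())

def sample_users():
    return [User("sam", SUPPORT), User("mia", MANAGER), User("cal", CASHIER)]
```

The check has to run on the server side of the delete operation, not only in the screen that lists users, so that it cannot be bypassed by another client.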