Open rob84 opened 1 year ago
This is a known escalation path. You should consider user_manager an admin for this reason. Instead you should use user_support_manager.
I want to allow L1 support into the FusionAuth admin UI and limit their capability. There is a user_manager role today, but because this user can manage users and registrations, this mostly makes this role an admin.
I think this is documented somewhere, we'll review our doc to ensure this is stated somewhere.
We have discussed changing the user_manager role, however I don't know that it is possible to restrict this user from becoming admin. Even if you restrict the user from changing their own registration, this user could simply create a new user as admin, and then log in as this user.
I suppose the only way to lock it down would be to restrict this user from managing registrations for the FusionAuth app altogether. But this would be a breaking change that some may rely upon. But even in this case, they could create themselves a user that is an admin in another app which may or may not have access to create FusionAuth admin users. It is tricky.
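A defender-side audit for the point made in this thread: any registration in the FusionAuth admin application that carries user_manager should be treated as an admin, and L1 support should hold user_support_manager instead. The following is an added example, not code from FusionAuth or from anyone in this issue; it assumes a user export in the shape of a list of user dicts, each with a `registrations` list holding `applicationId` and `roles` (the shape of FusionAuth's user JSON), and it uses a placeholder for the FusionAuth application id.

```python
"""Flag FusionAuth registrations whose roles are effectively admin.

Role names come from the issue thread. The record shape and the application
id below are assumptions made for this example.
"""

# Placeholder: replace with the id of your FusionAuth admin application.
FUSIONAUTH_APP_ID = "00000000-0000-0000-0000-000000000000"

# The thread's conclusion: user_manager can mint an admin, so it is admin.
EFFECTIVE_ADMIN_ROLES = {"admin", "user_manager"}

# The least-privilege role the maintainer recommends for L1 support.
RECOMMENDED_SUPPORT_ROLE = "user_support_manager"


def effective_admins(users, app_id=FUSIONAUTH_APP_ID):
    """Return one finding per user who is effectively admin in the given app.

    Only registrations for `app_id` are inspected; a user_manager role in some
    other application is out of scope for this check.
    """
    findings = []
    for user in users:
        for reg in user.get("registrations", []):
            if reg.get("applicationId") != app_id:
                continue
            roles = set(reg.get("roles", []))
            matched = roles & EFFECTIVE_ADMIN_ROLES
            if not matched:
                continue
            if "admin" in matched:
                reason = "holds the admin role"
                recommendation = "confirm this account needs global admin"
            else:
                reason = "holds user_manager, which can create or grant admin"
                recommendation = "replace user_manager with " + RECOMMENDED_SUPPORT_ROLE
            findings.append({
                "email": user.get("email"),
                "roles": sorted(roles),
                "reason": reason,
                "recommendation": recommendation,
            })
    return findings


# Constructed sample export (not real accounts) covering the cases that matter:
# a true admin, an L1 agent wrongly given user_manager, an L1 agent with the
# recommended role, and a user_manager in an unrelated application.
SAMPLE_USERS = [
    {"email": "alice@example.test",
     "registrations": [{"applicationId": FUSIONAUTH_APP_ID, "roles": ["admin"]}]},
    {"email": "bob@example.test",
     "registrations": [{"applicationId": FUSIONAUTH_APP_ID, "roles": ["user_manager"]}]},
    {"email": "carol@example.test",
     "registrations": [{"applicationId": FUSIONAUTH_APP_ID,
                        "roles": [RECOMMENDED_SUPPORT_ROLE]}]},
    {"email": "dave@example.test",
     "registrations": [{"applicationId": "11111111-1111-1111-1111-111111111111",
                        "roles": ["user_manager"]}]},
]


if __name__ == "__main__":
    for finding in effective_admins(SAMPLE_USERS):
        print(f"{finding['email']}: {finding['reason']} -> {finding['recommendation']}")
```

Run against a real export, the output is the list of accounts that can reach global admin through the path described above; the ones flagged for user_manager are the candidates to move to user_support_manager.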
Grant yourself the Global Admin role
Description
If a user has the role "user_manager" he is able to get the Global Admin role (admin) in two steps:
The first step should not be possible.
Affects versions
1.42.0
Steps to reproduce
Steps to reproduce the behavior:
Grant yourself:
Expected behavior
It should not be possible to give more roles than your own set.
Screenshots
This user has only the Role "User Manager" (see the empty menu) and can give more rights/roles to others.
Platform
Community guidelines
All issues filed in this repository must abide by the FusionAuth community guidelines.
Additional context
nothing