Open bredd opened 9 years ago
Proposed Remedy
AIR proposes to prevent the removal of all roles in the ART UI. This is a good suggestion.
However, we need to consider the situation where a user has roles in more than one unit/organization. The administrator from one organization may legitimately want to remove the last role for the user that they can see. However, the account should persist because the user still has a role in another organization.
Likewise, an administrator should not be able to delete a user if they have a role in another organization to which the admin does not have access.
Presently, users are not visible to state coordinators, district coordinators, or school coordinators if they have a role connected to an entity to which that coordinator does not have access.
This causes two problems -- both of which appear to be bugs to the coordinator.
This "feature" is in place to preserve security. If users remained visible, any coordinator in the system could hijack an existing account by adding a role within their jurisdiction, changing the user's email address, and then forcing a password reset. Users are hidden in order to prevent this kind of security violation. Any remedy must preserve security.
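The rules discussed in this issue, written as authorization checks. This is an added example, not code from ART or from the issue's author. The `Role` and `User` types, the entity ids, and the modelling of an administrator's access as a set of entity ids are assumptions, as is applying the deletion test to email changes and password resets.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Role:
    name: str
    entity_id: str  # state, district or school the role is attached to

@dataclass
class User:
    email: str
    roles: set = field(default_factory=set)

def fully_in_scope(admin_scope, user):
    """True only if the user has roles and every one is in the admin's scope."""
    return bool(user.roles) and all(r.entity_id in admin_scope for r in user.roles)

def can_remove_role(admin_scope, user, role):
    """Role must be one the admin can see, and must not be the user's last
    role anywhere; the admin's last *visible* role is still removable."""
    in_scope = role in user.roles and role.entity_id in admin_scope
    return in_scope and len(user.roles) > 1

def can_delete_user(admin_scope, user):
    """Deletion is refused while any role lies outside the admin's scope."""
    return fully_in_scope(admin_scope, user)

def can_change_identity(admin_scope, user):
    """Assumption (not stated as a rule in the issue): email changes and forced
    password resets get the same test as deletion, so adding a local role to
    an existing account never gives control of it."""
    return fully_in_scope(admin_scope, user)

# Constructed sample data: entity ids and addresses are made up.
DISTRICT_1_ADMIN = {"district-1", "school-11"}
D1_ROLE = Role("Test Administrator", "school-11")
D2_ROLE = Role("Test Administrator", "district-2")
SHARED = User("shared@example.org", {D1_ROLE, D2_ROLE})
LOCAL = User("local@example.org", {D1_ROLE})

if __name__ == "__main__":
    for u in (SHARED, LOCAL):
        print(u.email,
              "remove:", can_remove_role(DISTRICT_1_ADMIN, u, D1_ROLE),
              "delete:", can_delete_user(DISTRICT_1_ADMIN, u),
              "identity:", can_change_identity(DISTRICT_1_ADMIN, u))
```

Because every decision is computed from the user's full role set rather than from the roles the administrator can see, the checks have to run on the server, not in the UI.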