admins are able to change the password of other admins

[kesslwovv]

an evil admin could lock all other admins out of their accounts by changing their passwords

fix: admins cannot edit same-level admins

[lchristmann]

This (global admins being able to edit, demote,... other global admins) is the standard behaviour for Global Admin roles as for example in the Microsoft 365 Admin Center.

Global Admins have almost unlimited access to your organization's settings and most of its data.

Therefore Microsoft recommends 3 measures: (see link above)

• Have 2 to 4 Global Admins: ...limit the number of Global Admins as much as possible...
• Assign the least permissive role: ...giving admins only the access they need to get the job done...
• Require multi-factor authentication for admins

For convencience's sake and not being worth the implementation difficulties, we ignore the 3rd point. But we should take the first two points to heart. This should solve the problem.

Evil admins are indeed a danger, but that should be prevented with organisational measures (having only very trusted global admins), not technical ones.

After all Global Admins have some valid use cases too, to edit (for helping) or delete (inactive) other admins, or demote one who does not longer need to be a Global Admin.

[lchristmann]

However, you're right that specifically being able to change the password of someone else is unusual. All else is okay, but this is not. This enables one to hijack other accounts, i.e. change their password and then log in as that person and see all their personal data.

Currently this can happen across this whole hierarchy (I've added comments on who can manage who). But this should absolutely be impossible.

• only a users himself should be able to change his password in the portal
• admins may only trigger the sending of a password reset email | admins may never set a password for another user!!

Now there would still be the path of hijacking as an admin by setting its email to one that you own, THEN resetting the password and change the email back. That could be handled as such:

• only a user himself or global admins can change an email address
• global admins should be discouraged from abusing this, by (1) their actions being logged and (2) the user being notified about what value his email is being changed to

[linusgke]

Taking your example of Microsoft365, global admins there also have the permission to change a user's password.

Password reset mails however seem like a good option to have! Keeping the amount of global admins at a minimum is very important! This role should only be given to very trusted persons.

[linusgke]

https://github.com/WaldorfConnect/portal/issues/46 Referring to this issue!

[lchristmann]

Taking your example of Microsoft365, global admins there also have the permission to change a user's password.

Ahh I think there are differences between managed Azure AD and on-premise Azure AD. (I've only been Global Admin of a managed one.)

It seems to me, in managed instances you can only initiate a password reset, i.e. trigger a mail to the user and you'll never see the real password. But in on-premise, you can reset the password by typing a new one in plain text as it states here. In any case, on next login he is then prompted to change it.

I'm still voting for the first two bullet points with a slight change:

• Password setting only by user himself.
• Password resetting by user or any admin who is allowed to manage him (even school admin). But without seeing the password in plain text. Just have a "Reset password" button as such.

The latter two reagrding the email could well be ignored in my opinion.