At the moment, the platformAdmin role is limited to CRUD RegulatorAdmin (and other PlatformAdmin). But we can expect that all the RegulatorAdmin(s) and RegulatorUser(s) will have (at least for the first months after onboarding) limited experience and could need some help to correct errors (like users without affiliation, etc.).
The simple way to solve that is to allow the PlatformAdmin to CRUD all "regulations", "regulators", "sectors" (like now), but also "companies" and "users", including the affiliation of users to companies or regulators + "admin" role, but excluding a mix of both.
There should be no access to incidents for the PlatformAdmin.
At this moment, the users created by the PlatformAdmin have no association at all, hence these users can log in, but are "outside the protocol" and can't do anything useful. Correcting this and other errors shouldn't imply a manual modification in the database!
This has changed since the release that was tested when this issue was created.
Now a platformAdmin creating a user (in the User module) can only create other PlatformAdmin users. This is certainly acceptable, but potentially error-prone; I'd recommend some kind of warning or specific indications to remind the user of that fact.
It is also logical that RegulatorUsers have to be created by the RegulatorAdmin. However, they should be at least visible for the PlatformAdmin.
The last paragraph may also have evolved: users created (using the Users module) by the PA are also PA, so there must be no affiliation. But at least some of them cannot log in: 2FA registration is successful, but after inputting a valid token, they are sent back to the login screen.