
Grant yourself the Global Admin role #2170

Open
rob84 opened this issue Mar 22, 2023 · 1 comment
Labels
architecture Feedback on designed behavior

Comments

@rob84

rob84 commented Mar 22, 2023

Grant yourself the Global Admin role

Description

If a user has the role "user_manager", he is able to obtain the Global Admin role (admin) in two steps:

  1. He creates a new user and grants it the role "admin".
  2. He logs in with the newly created user and grants the original user the admin role.

The first step should not be possible.

Affects versions

1.42.0

Steps to reproduce

Steps to reproduce the behavior:

  1. Go to 'Users'
  2. Click on 'Add user'
  3. Select Tenant Default (FusionAuth)
  4. fill the form and set a password
  5. Go to 'Users' and search the new user
  6. Click on 'Add registration'
  7. Select Application 'FusionAuth'
  8. Select Role 'admin' (this is the main issue; you can also grant other roles that you do not hold yourself)
  9. Click on 'Save'

Grant yourself:

  1. Login with the new user
  2. Search for your original user
  3. Grant that user the role 'admin'

Expected behavior

It should not be possible to grant more roles than you hold yourself.

Screenshots

This user has only the role "User Manager" (see the empty menu) and can give more rights/roles to others.
[screenshot: admin UI as seen by a user holding only the User Manager role]

Platform


  • Device: Desktop
  • OS: Windows
  • Browser + version: Chrome & Edge
  • Database: MySQL
  • FusionAuth Version 1.42.0


Additional context

nothing
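The expected behaviour described in the report ("you cannot grant more roles than you hold") can be stated as a subset check on the grantor's own registration. The following is an added example, not FusionAuth's code: it models users, registrations and the grant check with a simplified data structure of my own, and replays the two reported steps with and without that check. The application name "FusionAuth" and the role names "user_manager" and "admin" come from the report; everything else is an assumption made for the example.

```python
from __future__ import annotations

from dataclasses import dataclass, field

# Application and role names are the ones named in the report; the data
# model below is a simplification written for this example, not
# FusionAuth's own.
FUSIONAUTH_APP = "FusionAuth"


@dataclass
class User:
    username: str
    # application name -> roles held on that application (a "registration")
    registrations: dict[str, set[str]] = field(default_factory=dict)

    def roles_on(self, app: str) -> frozenset[str]:
        return frozenset(self.registrations.get(app, set()))


class GrantDenied(PermissionError):
    """Raised when an actor tries to grant a role it does not hold itself."""


def can_grant(actor: User, app: str, roles: set[str]) -> bool:
    """The check the report asks for: the requested roles must be a subset
    of what the actor already holds on the same application."""
    return set(roles) <= actor.roles_on(app)


def add_registration(actor: User, target: User, app: str, roles: set[str],
                     enforce: bool = True) -> frozenset[str]:
    """Grant `roles` on `app` to `target`, acting as `actor`.

    With enforce=False this mirrors the reported 1.42.0 behaviour (any role
    can be picked in step 8); with enforce=True the subset check applies."""
    if enforce and not can_grant(actor, app, roles):
        missing = sorted(set(roles) - actor.roles_on(app))
        raise GrantDenied(f"{actor.username} may not grant {missing} on {app}")
    target.registrations.setdefault(app, set()).update(roles)
    return target.roles_on(app)


def escalation_path(enforce: bool) -> bool:
    """Replay the two steps from the report and return True if the original
    user_manager ends up holding 'admin' on the FusionAuth application."""
    original = User("rob", {FUSIONAUTH_APP: {"user_manager"}})
    helper = User("helper")  # the freshly created user from step 1
    try:
        # Step 1: the user_manager registers the new user with role 'admin'.
        add_registration(original, helper, FUSIONAUTH_APP, {"admin"}, enforce)
        # Step 2: log in as the new admin and grant the original user 'admin'.
        add_registration(helper, original, FUSIONAUTH_APP, {"admin"}, enforce)
    except GrantDenied:
        pass  # with the check in place, step 1 is refused and step 2 never runs
    return "admin" in original.roles_on(FUSIONAUTH_APP)


if __name__ == "__main__":
    print("escalates without check:", escalation_path(enforce=False))  # True
    print("escalates with check:   ", escalation_path(enforce=True))   # False
```

The check closes the path in the report because step 1 is refused before a second account exists. It only covers grants on the same application as the actor's own registration; a user who can manage registrations on other applications still needs to be reviewed separately.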

@robotdan
Member

robotdan commented Mar 22, 2023

This is a known escalation path. You should consider user_manager an admin for this reason. Instead you should use user_support_manager.

I want to allow L1 support into the FusionAuth admin UI and limit their capability. There is a user_manager role today, but because this user can manage users and registrations, this mostly makes this role an admin.

I think this is documented somewhere, we'll review our doc to ensure this is stated somewhere.

We have discussed changing the user_manager role, however I don't know that it is possible to restrict this user from becoming admin. Even if you restrict the user from changing their own registration, this user could simply create a new user as admin, and then log in as this user.

I suppose the only way to lock it down would be to restrict this user from managing registrations for the FusionAuth app altogether. But this would be a breaking change that some may rely upon. But even in this case, they could create themselves a user that is an admin in another app which may or may not have access to create FusionAuth admin users. It is tricky.
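Since the maintainer's reply says to treat user_manager on the FusionAuth application as an admin, the practical follow-up is an audit that lists everyone who is effectively an admin, not just those literally holding "admin". The block below is an added example, not FusionAuth's or the maintainers' code. It assumes a response in the shape returned by the FusionAuth User Search API (a "users" array whose entries carry "registrations" with "applicationId" and "roles"); the application id and the sample response are constructed for the example and should be replaced with values from your own deployment.

```python
from __future__ import annotations

import json

# Assumed for this example: the id of the FusionAuth admin application in
# your deployment, and the response shape of the User Search API
# (users[] -> registrations[] -> applicationId, roles). Verify both locally.
FUSIONAUTH_APP_ID = "3c219e58-ed0e-4b18-ad48-f4f92793ae32"

# Roles on the FusionAuth application to treat as admin: 'admin' itself, and
# 'user_manager' because it can register new users as admin (the path in
# this issue). 'user_support_manager' is deliberately not in this set.
ADMIN_EQUIVALENT_ROLES = frozenset({"admin", "user_manager"})


def effective_admins(search_response: dict,
                     app_id: str = FUSIONAUTH_APP_ID) -> dict[str, set[str]]:
    """Return {email: admin-equivalent roles} for every user whose
    registration on the FusionAuth application carries 'admin' or
    'user_manager'. Registrations on other applications are ignored."""
    found: dict[str, set[str]] = {}
    for user in search_response.get("users", []):
        for reg in user.get("registrations", []):
            if reg.get("applicationId") != app_id:
                continue
            hits = ADMIN_EQUIVALENT_ROLES & set(reg.get("roles", []))
            if hits:
                found.setdefault(user["email"], set()).update(hits)
    return found


# Constructed sample response (not captured from a real deployment).
SAMPLE_RESPONSE = json.loads("""
{"total": 4, "users": [
  {"email": "alice@example.com", "registrations": [
     {"applicationId": "3c219e58-ed0e-4b18-ad48-f4f92793ae32",
      "roles": ["admin"]}]},
  {"email": "bob@example.com", "registrations": [
     {"applicationId": "3c219e58-ed0e-4b18-ad48-f4f92793ae32",
      "roles": ["user_manager"]}]},
  {"email": "carol@example.com", "registrations": [
     {"applicationId": "3c219e58-ed0e-4b18-ad48-f4f92793ae32",
      "roles": ["user_support_manager"]}]},
  {"email": "dave@example.com", "registrations": [
     {"applicationId": "11111111-2222-3333-4444-555555555555",
      "roles": ["admin", "user_manager"]}]}
]}
""")


if __name__ == "__main__":
    for email, roles in sorted(effective_admins(SAMPLE_RESPONSE).items()):
        print(f"{email}: effectively admin via {sorted(roles)}")
```

On the constructed sample, alice (admin) and bob (user_manager) are reported; carol (user_support_manager) is not, and dave is not because his roles are on a different application. Feed the function the JSON you get back from a search over the FusionAuth application's registrations to get the real list.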

@robotdan robotdan added the architecture Feedback on designed behavior label Sep 27, 2023