I want to allow L1 support into the FusionAuth admin UI and limit their capability. There is a user_manager role today, but because this user can manage users and registrations, this mostly makes this role an admin.
I think this is documented somewhere, we'll review our doc to ensure this is stated somewhere.
We have discussed changing the user_manager role, however I don't know that it is possible to restrict this user from becoming admin. Even if you restrict the user from changing their own registration, this user could simply create a new user as admin, and then log in as this user.
I suppose the only way to lock it down would be to restrict this user from managing registrations for the FusionAuth app altogether. But this would be a breaking change that some may rely upon. But even in this case, they could create themselves a user that is an admin in another app which may or may not have access to create FusionAuth admin users. It is tricky.
Grant yourself the Global Admin role
Description
If a user has the role "user_manager" he is able to get the Global Admin role (admin) in two steps:
The first step should not be possible.
Affects versions
1.42.0
Steps to reproduce
Steps to reproduce the behavior:
Grant yourself:
Expected behavior
It should not be possible to give more roles than your own set.
Screenshots
This user has only the Role "User Manager" (see the empty menu) and can give more rights/roles to others.
Platform
(Please complete the following information)
Community guidelines
All issues filed in this repository must abide by the FusionAuth community guidelines.
Additional context
nothing
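The expected behaviour stated in the report ("it should not be possible to give more roles than your own set") can be expressed as a single authorization rule: an actor may only grant roles, in a given application, that are a subset of the roles the actor already holds there. The following is an added illustration written for this issue, not FusionAuth's own code; it assumes a hypothetical in-memory user store and a placeholder application id, and applies the same check to both paths the report and the maintainer reply describe (editing an existing registration, and creating a new user with an admin registration). Because the actor's role set in an application where they hold no registration is empty, the same rule also covers the "admin in another app" case from the discussion without a special branch.

```python
"""Subset-based guard for role grants, as an added example for this issue.

Rule: the roles being *added* to a registration in application A must be a
subset of the roles the acting user holds in A. Removing roles is never an
escalation and is always allowed by this guard.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Iterable, Tuple

# Placeholder id for the FusionAuth admin application (constructed, not a real id).
FUSIONAUTH_APP_ID = "app-fusionauth-placeholder"


@dataclass(frozen=True)
class Actor:
    """The user performing the change; roles_by_app maps app id -> roles held there."""
    user_id: str
    roles_by_app: Dict[str, FrozenSet[str]] = field(default_factory=dict)


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str
    excess_roles: FrozenSet[str] = frozenset()


def authorize_role_grant(actor: Actor, app_id: str, roles_to_add: Iterable[str]) -> Decision:
    """Allow only when every role being added is already held by the actor in app_id."""
    actor_roles = actor.roles_by_app.get(app_id, frozenset())
    requested = frozenset(roles_to_add)
    excess = requested - actor_roles
    if excess:
        return Decision(False, "requested roles exceed the actor's own roles in this application", excess)
    return Decision(True, "ok")


def authorize_registration_change(actor: Actor, app_id: str,
                                  current_roles: Iterable[str],
                                  new_roles: Iterable[str]) -> Decision:
    """Path 1 from the report: editing an existing registration (own or someone else's)."""
    added = frozenset(new_roles) - frozenset(current_roles)
    if not added:
        return Decision(True, "no roles added")
    return authorize_role_grant(actor, app_id, added)


# Hypothetical store: user id -> {app id -> roles}
UserStore = Dict[str, Dict[str, FrozenSet[str]]]


def create_user_with_registration(actor: Actor, store: UserStore, new_user_id: str,
                                  app_id: str, roles: Iterable[str]) -> Tuple[Decision, UserStore]:
    """Path 2 from the maintainer reply: creating a fresh user that starts out as admin.

    The store is only modified when the grant is authorized; a denied request
    leaves it untouched so a caller can assert nothing was written.
    """
    decision = authorize_role_grant(actor, app_id, roles)
    if not decision.allowed:
        return decision, store
    store = {**store, new_user_id: {app_id: frozenset(roles)}}
    return decision, store


def scenario_from_report() -> Dict[str, bool]:
    """Re-run the report's situation against the guard (constructed data)."""
    user_manager = Actor("l1-support", {FUSIONAUTH_APP_ID: frozenset({"user_manager"})})
    full_admin = Actor("root", {FUSIONAUTH_APP_ID: frozenset({"admin", "user_manager"})})
    store: UserStore = {}

    # user_manager tries to add admin to an existing registration -> denied
    edit = authorize_registration_change(user_manager, FUSIONAUTH_APP_ID,
                                         current_roles={"user_manager"},
                                         new_roles={"user_manager", "admin"})
    # user_manager tries to create a brand-new admin and log in as it -> denied, store unchanged
    create, store_after = create_user_with_registration(
        user_manager, store, "shadow-admin", FUSIONAUTH_APP_ID, {"admin"})
    # a real admin doing the same thing -> allowed
    by_admin = authorize_role_grant(full_admin, FUSIONAUTH_APP_ID, {"admin"})

    return {
        "user_manager_can_edit_to_admin": edit.allowed,
        "user_manager_can_create_admin": create.allowed,
        "store_unchanged_after_denial": store_after == store,
        "admin_can_grant_admin": by_admin.allowed,
    }


if __name__ == "__main__":
    for check, value in scenario_from_report().items():
        print(f"{check}: {value}")
```

The guard deliberately compares role sets per application rather than checking for a single "is admin" flag, so it also denies the variant the maintainer raises in which a user_manager mints an admin in some other application where they hold no registration at all: their role set there is empty, so no role can be added.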