Any role that can create users can create Super Admin user.

[branislav-brincko]

Bug report

Required System information

• Node.js version: 16.17.1
• NPM version: 9.1.3
• Strapi version: 4.9.0
• Database: Postgresql
• Operating system: macOS 12.5.1
• Is your project Javascript or Typescript: Typescript

Describe the bug

Strapi made "Custom Roles & Permissions" available for Free in Strapi v4.8. I am dealing with the exactly same issue as nicely described here on Strapi forum:
https://forum.strapi.io/t/strapi-role-hierarchy-restrict-the-ability-to-create-new-users-with-the-superadmin-role-for-users-of-a-custom-role/4691

TLDR: user with custom role, that can create users, can create ANY kind of user, including Super Admin, which is security problem.

[utkarshk384]

Is anyone working on this issue?

If not I'll work on it with some guidance.

[derrickmehaffy]

Discussed with @alexandrebodin and confirmed this is not a bug, our role system is not hierarchical meaning roles can't and won't depend on each other. We could put a single rule in just for super-admins but that would need to be an entirely different permission and it's not what we want from within our roles system.

The system is based on actions and by giving a user the ability to create others there is some level of trust that must be given to that user, alternative is via our SSO system which is a feature we sell in Strapi enterprise.

Marking this as closed as it's not something we plan to implement for non-sso.