Request: separate privileges for add/remove a user to Entities

Mr. Birl 5 years ago 0


I have found that it is possible to, effectively, shut-out a user of the Super-Admin Profile, by a lesser privilege account under the Admin Profile.  Using two of the accounts below, glpi and su-sbirl:

    Image 181

With the following privileges under the "Administration" tab for each respective Profile:

  Image 182

When I login as 'su-sbirl', I can go into Users, click on the 'glpi' user and go to the Authorizations tab.  From there I can check the box for "Root entity", go to Actions and proceed with "Delete permanently the relation with selected elements"

Image 183

By removing that Entity,

Image 184

The Super-Admin, glpi, can no longer log in:

Image 185

I can think of some work-arounds to prevent this, but I wonder if there should be additional privileges for adding a user to an Entity as well as removing a user from an Entity.