0

Request: separate privileges for add/remove a user to Entities

Mr. Birl 6 years ago 0

v9.3.0

I have found that it is possible to, effectively, shut-out a user of the Super-Admin Profile, by a lesser privilege account under the Admin Profile.  Using two of the accounts below, glpi and su-sbirl:


    Image 181


With the following privileges under the "Administration" tab for each respective Profile:

  Image 182



When I login as 'su-sbirl', I can go into Users, click on the 'glpi' user and go to the Authorizations tab.  From there I can check the box for "Root entity", go to Actions and proceed with "Delete permanently the relation with selected elements"

Image 183


By removing that Entity,

Image 184


The Super-Admin, glpi, can no longer log in:


Image 185


I can think of some work-arounds to prevent this, but I wonder if there should be additional privileges for adding a user to an Entity as well as removing a user from an Entity.