In Security > User, you can give users the "Manage Users" permission, which allows them to add, edit or delete Citect user accounts. However, there is no built-in restriction on which accounts they can add or edit.
For example, if you give "Manage Users" to a Privilege 5 account, that account can create accounts of Privilege 1..8, bypassing the system's security. This was tested with [Privilege]Exclusive=1 and =0 as well, with the same result.
This particularly applies to sites where you want to give a Manager-level account "Manage Users" (so they can add/remove users as employees join/leave) but you don't want to give them Engineer-level access.
A proposed solution would be that "Manage Users" only allows the account to create accounts with the same or lower privilege than the creating account. If a Priv 5 account is creating, it should only be able to create accounts of Priv 5, Priv 4 or below.
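The proposed rule written out as a deny-by-default authorisation check (an added illustration, not Citect code or any existing Citect API; account names and the Account class are constructed for the example). It extends the proposal from create to edit and delete, because an edit path that can raise a lower account, or the manager's own account, above the manager's level would reopen the same gap:

```python
"""Deny-by-default check for the proposed "Manage Users" restriction.

Rule: an account holding "Manage Users" may only create, edit or delete
accounts whose privilege (current and requested) is at or below its own.
Constructed example; not Citect code.
"""
from dataclasses import dataclass

MIN_PRIV, MAX_PRIV = 1, 8  # Citect privilege levels 1..8


@dataclass(frozen=True)
class Account:
    name: str
    privilege: int
    manage_users: bool = False  # the Security > User "Manage Users" permission


def _valid(priv: int) -> bool:
    return MIN_PRIV <= priv <= MAX_PRIV


def _authorised(actor: Account, *privs: int) -> bool:
    """True only if the actor holds Manage Users and every privilege involved
    is in range and not above the actor's own level (fail closed otherwise)."""
    if not actor.manage_users or not _valid(actor.privilege):
        return False
    return all(_valid(p) and p <= actor.privilege for p in privs)


def can_create(actor: Account, new_priv: int) -> bool:
    return _authorised(actor, new_priv)


def can_edit(actor: Account, target: Account, new_priv: int) -> bool:
    # Both the target's current level and the requested level are checked,
    # so a Priv 5 manager can neither touch an Engineer (Priv 8) account
    # nor raise any account, including their own, above Priv 5.
    return _authorised(actor, target.privilege, new_priv)


def can_delete(actor: Account, target: Account) -> bool:
    return _authorised(actor, target.privilege)


if __name__ == "__main__":
    manager = Account("manager", 5, manage_users=True)
    engineer = Account("engineer", 8)
    print(can_create(manager, 4), can_create(manager, 8))  # True False
    print(can_edit(manager, engineer, 2), can_delete(manager, engineer))  # False False
```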
Idea business value
This idea would greatly benefit security-conscious sites that take advantage of the "Manage Users" feature. It would decrease project development time and provide a layer of security that was previously missing.
Idea priority: 4 – Important to my company