#1 2017-05-22 16:00:41

Mastermixer
Member
From: Germany
Registered: 2013-12-16
Posts: 18

[GLPI 9.1.3] tech user can delete superadmin - how to avoid?

Hi!

Just a question for security reasons:

Is it possible to delete the superadmin account with a tech account?

The tech user must be able to:

- add user
- change user
- delete user

Is it possible to change, add or delete a superadmin only from the superadmin account?

The tech user should not be able to change superuser password or add a new superuser or delete the superuser.

Thanks for the good work!

Greeting,
Mike

#2 2017-05-22 16:09:49

pippo
Member
From: Metz (57)
Registered: 2017-01-30
Posts: 44

Re: [GLPI 9.1.3] tech user can delete superadmin - how to avoid?

Hi Mastermixer,

You can change this in:

Administration -> Profiles -> Tech (or the profile you want to modify).

In the profile, go to "Administration". You will find a line named "Users" where you can allow or forbid updates, creation, deletions etc... of users.

Hope this will help you.

Pippo


GLPI 9.4.6 (additionalfields 1.10.3 + fusioninventory 9.4+2.4 + datainjection 2.7.1 + printtopdf 1.6.0) - PHP 7.4 - MySQL 8.0 Community InnoDB cluster (3 nodes - single primary) - All on CentOS 8

#3 2017-05-22 17:59:50

yllen
GLPI-DEV
From: Sillery (51)
Registered: 2008-01-14
Posts: 15,278

Re: [GLPI 9.1.3] tech user can delete superadmin - how to avoid?

You can only delete profile with less rights than your profile


CentOS 6.5 - CentOS 7.x
PHP 5.6 - PHP 7.x - MySQL 5.6  - MariaDB 10.2 + APC + oOPcache
GLPI from 0.72 to dev version
ITIL certified (ITV2F, ITILF, ITILOSA)

#4 2017-05-23 09:53:52

Mastermixer
Member
From: Germany
Registered: 2013-12-16
Posts: 18

Re: [GLPI 9.1.3] tech user can delete superadmin - how to avoid?

Hi Nelly,

First try: a "tech - Root Entity (R)" user can delete a newly created superuser with the "superuser - Root Entity (R)" profile.

What does "less rights" mean? Which settings are responsible for deciding "less"?

Thanks for your help.

Best regards,
Mike

#5 2017-05-23 12:47:44

yllen
GLPI-DEV
From: Sillery (51)
Registered: 2008-01-14
Posts: 15,278

Re: [GLPI 9.1.3] tech user can delete superadmin - how to avoid?

GLPI compares the value of all rights for each profile.
Does your Tech profile have the right to manage profiles?



#6 2017-06-02 08:50:28

Mastermixer
Member
From: Germany
Registered: 2013-12-16
Posts: 18

Re: [GLPI 9.1.3] tech user can delete superadmin - how to avoid?

No, the tech profile has no right to manage profiles.
The first five checkmarks and the add external are set for the administration (user).
The tech user is recursive (R).

Which settings are responsible next?

Thank you.

Best regards,
Mike

#7 2017-06-06 11:42:33

yllen
GLPI-DEV
From: Sillery (51)
Registered: 2008-01-14
Posts: 15,278

Re: [GLPI 9.1.3] tech user can delete superadmin - how to avoid?

For your tech profile, don't allow the right to delete users.



#8 2017-06-07 09:43:34

Mastermixer
Member
From: Germany
Registered: 2013-12-16
Posts: 18

Re: [GLPI 9.1.3] tech user can delete superadmin - how to avoid?

Ok, this works and a tech user can only create users with a profile that has equal or less rights.

If a user has to be deleted, the team leader will do this with different rights (profile).
But in this case we have the same problem as before... this means, only superadmins should have the right to delete users?

Best regards,
Mike

#9 2017-06-08 10:33:51

yllen
GLPI-DEV
From: Sillery (51)
Registered: 2008-01-14
Posts: 15,278

Re: [GLPI 9.1.3] tech user can delete superadmin - how to avoid?

For me, yes.
A superadmin profile should be given to very few people. The superadmin is the global manager of all the entity, it's not a technician.
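
The rule discussed in this thread (an account can be deleted only by a profile that holds the delete right on users and has equal or more rights than the target's profile), modelled as an added example that is not part of the original posts and is not GLPI's own code. The profile names, right names and bit values are constructed assumptions.

```python
# Illustrative model only: right names and bit values are assumptions,
# not read from a GLPI installation.
READ, UPDATE, CREATE, DELETE, PURGE = 1, 2, 4, 8, 16

# Constructed sample profiles: right name -> bitmask of allowed actions.
PROFILES = {
    "super-admin": {"user": 31, "profile": 31, "ticket": 31, "config": 3},
    "tech": {"user": READ | UPDATE | CREATE | DELETE, "ticket": 31},
    "team-lead": {"user": 31, "ticket": 31},
    "self-service": {"ticket": READ | CREATE},
}


def covers(actor, target):
    """True if target has equal or fewer rights: every bit set in any of
    target's rights is also set in the actor's mask for the same right."""
    return all(actor.get(name, 0) & mask == mask for name, mask in target.items())


def can_delete_user(actor_name, target_name, profiles=PROFILES):
    """Two independent gates: the actor needs DELETE on 'user', and the
    actor's profile must cover the profile held by the account to delete."""
    actor, target = profiles[actor_name], profiles[target_name]
    has_delete = bool(actor.get("user", 0) & DELETE)
    return has_delete and covers(actor, target)


def who_can_delete(target_name, profiles=PROFILES):
    """Audit helper: profiles allowed to delete holders of target_name."""
    return sorted(p for p in profiles if can_delete_user(p, target_name, profiles))


def without_user_delete(profile):
    """The mitigation suggested in the thread: clear DELETE on 'user'."""
    fixed = dict(profile)
    fixed["user"] = fixed.get("user", 0) & ~DELETE
    return fixed


if __name__ == "__main__":
    for target in PROFILES:
        print(f"{target:13} deletable by {who_can_delete(target)}")
```

In this model the comparison gate alone keeps "tech" away from "super-admin" accounts only because "super-admin" holds rights that "tech" lacks; removing the delete right is the gate that does not depend on how the two profiles compare.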

