
#1 2013-07-03 16:00:20

geoalbi
Member
From: Romania
Registered: 2012-12-18
Posts: 182

Assigning profiles to users

I know that a profile with the users w and profiles r can assign to a user a profile lower or equal to the profile used.
This is obvious and is used to avoid a privilege escalation attack.

My question is: how does GLPI order the profiles? Which profile is lower and can be assigned by the current user and which is higher and will not be displayed in the profiles drop-down in the "Add a empowerment to a user" menu?

Should a "superior" profile have all the rights of the inferior, plus user=w and profiles=r?

I'm trying to delegate this and I get inconsistent results. For instance I have the built-in admin that can not assign a profile that has no administrative privileges.

Last edited by geoalbi (2013-07-03 16:03:08)


#2 2013-07-03 16:32:00

geoalbi
Member
From: Romania
Registered: 2012-12-18
Posts: 182

Re: Assigning profiles to users

geoalbi wrote:

I know that a profile with the users w and profiles r can assign to a user a profile lower or equal to the profile used.
This is obvious and is used to avoid a privilege escalation attack.

My question is: how does GLPI order the profiles? Which profile is lower and can be assigned by the current user and which is higher and will not be displayed in the profiles drop-down in the "Add a empowerment to a user" menu?

Should a "superior" profile have all the rights of the inferior, plus user=w and profiles=r?

I'm trying to delegate this and I get inconsistent results. For instance I have the built-in admin that can not assign a profile that has no administrative privileges.

The question for the developers stands, as we need to understand this behavior better.

But in the meantime I tested and validated my hypothesis: a "superior" profile should have all the rights of the inferior, plus user=w and profiles=r.
The "inferior" profile had the "Create a ticket" right, which was missing from the "superior" one. I added it to the latter and was then able to see the intended "inferior" profile in the "Add a empowerment to a user" Profile drop-down.

Last edited by geoalbi (2013-07-03 16:57:02)
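
The rule described in the post above can be modelled as a per-right comparison, which also reports which right blocks an assignment. This is an added example, not GLPI's code and not part of the original post; the right names, the none < r < w ordering and the sample profiles are assumptions made for illustration.

```python
# Model of the rule described in the post above; NOT GLPI's code.
# Right names and the none < r < w ordering are assumptions for illustration.
LEVEL = {None: 0, "r": 1, "w": 2}

# Rights the post says the assigning profile itself must hold.
REQUIRED = {"user": "w", "profile": "r"}


def missing_rights(assigner, target):
    """Return {right: (held, needed)} where the assigner is weaker than the target."""
    gaps = {}
    for right, needed in target.items():
        held = assigner.get(right)
        if LEVEL[held] < LEVEL[needed]:
            gaps[right] = (held, needed)
    return gaps


def can_assign(assigner, target):
    """True if assigner holds user=w, profile=r and dominates target on every right."""
    for right, needed in REQUIRED.items():
        if LEVEL[assigner.get(right)] < LEVEL[needed]:
            return False
    return not missing_rights(assigner, target)


def assignable_profiles(assigner_name, profiles):
    """Names of the profiles the assigner would be offered in the drop-down."""
    assigner = profiles[assigner_name]
    return sorted(n for n, p in profiles.items() if can_assign(assigner, p))


# Constructed sample profiles (hypothetical names and rights).
PROFILES = {
    "delegated-admin": {"user": "w", "profile": "r", "computer": "w"},
    "helpdesk-user": {"computer": "r", "create_ticket": "w"},
    "read-only": {"computer": "r"},
}

if __name__ == "__main__":
    print(assignable_profiles("delegated-admin", PROFILES))
    print(missing_rights(PROFILES["delegated-admin"], PROFILES["helpdesk-user"]))
    # Granting the missing right makes the "inferior" profile assignable.
    PROFILES["delegated-admin"]["create_ticket"] = "w"
    print(assignable_profiles("delegated-admin", PROFILES))
```

Because the comparison is made right by right, profiles form a partial order: a profile with broad administrative rights still cannot hand out a modest profile that holds a single right it lacks.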
