Bug 1412450

Summary: Tenant admin can create a super admin
Product: Red Hat CloudForms Management Engine Reporter: Satoe Imaishi <simaishi>
Component: UI - OPS Assignee: Šimon Lukašík <slukasik>
Status: CLOSED CURRENTRELEASE QA Contact: Pavol Kotvan <pakotvan>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 5.7.0 CC: hkataria, jhardy, mpovolny, obarenbo
Target Milestone: GA Keywords: TestOnly, ZStream
Target Release: 5.8.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: 5.8.0.0 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
: 1413123 1413180 Environment:
Last Closed: 2017-06-12 16:03:57 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1413123, 1413180    

Description Satoe Imaishi 2017-01-12 03:34:35 UTC
ManageIQ issue https://github.com/ManageIQ/manageiq/issues/13291:

Steps to reproduce:

1. Create child tenant: "My tenant"
2. Create group with:
  - "My Tenant admin group" with role: "EvmRole-tenant_administrator"
  - Tenant: "My tenant"
3. Create tenant admin user "tenantadmin" with group "My Tenant admin group"
4. Log in as tenant admin

I can now create a new user with the group "EvmRole-super_administrator".

This escalates the privileges of a tenant admin to global admin, defeating the tenant separation.

Comment 2 Satoe Imaishi 2017-01-12 03:35:48 UTC
PR: https://github.com/ManageIQ/manageiq-ui-classic/pull/127
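
A server-side check that blocks the escalation described in this bug, as an added example (not ManageIQ's code and not the change in the linked PR). The class names, feature strings, the root tenant name and the super admin group name are constructed for illustration; the role names and the tenant admin setup follow the reproduction steps.

```ruby
require "set"

# Minimal constructed model; class and feature names are hypothetical, not ManageIQ's.
Tenant = Struct.new(:name, :parent) do
  # True when this tenant is `other` or sits below it in the tenant tree.
  def within?(other)
    node = self
    while node
      return true if node.equal?(other)
      node = node.parent
    end
    false
  end
end
Role  = Struct.new(:name, :features)
Group = Struct.new(:name, :role, :tenant)
User  = Struct.new(:userid, :group)

class EscalationError < StandardError; end

# Groups the actor may hand out: inside the actor's own tenant subtree and
# carrying no feature that the actor's own role lacks.
def assignable_groups(actor, groups)
  groups.select do |g|
    g.tenant.within?(actor.group.tenant) &&
      g.role.features.subset?(actor.group.role.features)
  end
end

# Enforce on write as well, so a request that bypasses the form is rejected too.
def create_user(actor, userid, group, groups)
  unless assignable_groups(actor, groups).include?(group)
    raise EscalationError, "#{actor.userid} may not assign #{group.name}"
  end
  User.new(userid, group)
end

# Constructed data mirroring the reproduction steps.
ROOT         = Tenant.new("Root tenant", nil)
MY_TENANT    = Tenant.new("My tenant", ROOT)
SUPER_ROLE   = Role.new("EvmRole-super_administrator", Set["everything", "user_add", "vm_view"])
TENANT_ROLE  = Role.new("EvmRole-tenant_administrator", Set["user_add", "vm_view"])
SUPER_GROUP  = Group.new("Super admin group", SUPER_ROLE, ROOT)
TENANT_GROUP = Group.new("My Tenant admin group", TENANT_ROLE, MY_TENANT)
ALL_GROUPS   = [SUPER_GROUP, TENANT_GROUP]
TENANT_ADMIN = User.new("tenantadmin", TENANT_GROUP)
```

Filtering the group list shown in the UI with `assignable_groups` and calling the same check in `create_user` keeps the form and the write path consistent.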