Bug 1412450 - Tenant admin can create a super admin
Summary: Tenant admin can create a super admin
Alias: None
Product: Red Hat CloudForms Management Engine
Classification: Red Hat
Component: UI - OPS
Version: 5.7.0
Hardware: Unspecified
OS: Unspecified
Target Milestone: GA
: 5.8.0
Assignee: Šimon Lukašík
QA Contact: Pavol Kotvan
Depends On:
Blocks: 1413123 1413180
Reported: 2017-01-12 03:34 UTC by Satoe Imaishi
Modified: 2018-03-14 10:02 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
: 1413123 1413180
Last Closed: 2017-06-12 16:03:57 UTC
Category: ---
Cloudforms Team: ---
Target Upstream Version:


Description Satoe Imaishi 2017-01-12 03:34:35 UTC
ManageIQ issue https://github.com/ManageIQ/manageiq/issues/13291:

Steps to reproduce:

1. Create child tenant: "My tenant"
2. Create group with:
  - "My Tenant admin group" with role: "EvmRole-tenant_administrator"
  - Tenant: "My tenant"
3. Create tenant admin user "tenantadmin" with group "My Tenant admin group"
4. Log in as tenant admin

I can now create a new user with the group "EvmRole-super_administrator"

This escalates the privileges of a tenant admin to global admin, defeating the tenant separation.

Comment 2 Satoe Imaishi 2017-01-12 03:35:48 UTC
PR: https://github.com/ManageIQ/manageiq-ui-classic/pull/127
