Hi,
Is there a way to restrict an admin so that, when creating or editing users, they will only be able to add user roles that are the same as or junior to their own?
So in bookings we have 3 user roles:
Administrator (Build Admin)
↓
Application Admin (Will be creating/editing users)
↓
Service Agent (Doesn’t even have access to the users screen)
Application admin shouldn’t be able to create Build admin
Thanks
Robin
Note for future reference.
The Build Admin should have no restrictions whatsoever; the hierarchy of role permissions, as to whether one role can add another, boils down to whether the next role has restrictions that the former doesn’t.
For instance if I want to restrict App Admin from being able to Add or modify Build Admin then I need to ensure that Build Admin can do something that App Admin can’t. If there are limited options to be able to achieve this, the obvious one is that Build Admin has Build Access where the App Admin doesn’t… but still you may have two similar roles App Admin and Super Admin.
Given the above 2 similar roles you could add an object (one that might never be used) call it ‘Super’, or similar… and then deny ‘Read’ access to that object for all roles barring the Super Admin.
This should prevent an App Admin ever being able to add Super Admins or to modify existing Super Admins, since if this were allowed then it might enable privilege escalation. This does mean that initially the Build Admin would likely be required to add the first Super Admin, but after that it should be OK.
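The rule described in the note above, modelled as an added example (not code from the thread or from the platform itself): a role can hand out another role only if the target grants nothing the assigning role lacks. Role names come from the thread; the objects, the permission sets and the `("Users", "Write")` gate for the users screen are assumptions made for illustration.

```python
# Added illustration of the rule in the post; not the platform's own code.
# Role names come from the thread; objects and permission sets are constructed.
USERS_SCREEN = ("Users", "Write")  # assumed permission gating the users screen

def can_assign(roles, actor, target):
    """Subset rule: allowed only if `target` grants nothing `actor` lacks."""
    return roles[target] <= roles[actor]

def assignable_roles(roles, actor):
    """Roles `actor` may give a user; none without the users screen."""
    if USERS_SCREEN not in roles[actor]:
        return []
    return sorted(t for t in roles if can_assign(roles, actor, t))

def indistinguishable_peers(roles):
    """Differently named roles with identical permissions: each can create the other."""
    names = sorted(roles)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if roles[a] == roles[b]]

def with_marker(roles, marker, holders):
    """Add Read on an otherwise unused object to `holders` only."""
    return {name: perms | ({(marker, "Read")} if name in holders else set())
            for name, perms in roles.items()}

ADMIN = frozenset({("Users", "Read"), USERS_SCREEN,
                   ("Bookings", "Read"), ("Bookings", "Write")})
ROLES = {
    "Build Admin": ADMIN | {("Build", "Access")},
    "Super Admin": ADMIN,   # intended to outrank App Admin, but identical on paper
    "App Admin": ADMIN,
    "Service Agent": frozenset({("Bookings", "Read"), ("Bookings", "Write")}),
}
# Build Admin is unrestricted, so it keeps Read on the marker as well.
HARDENED = with_marker(ROLES, "Super", {"Build Admin", "Super Admin"})

if __name__ == "__main__":
    for label, model in (("before", ROLES), ("after", HARDENED)):
        print(label, "peers:", indistinguishable_peers(model))
        for actor in model:
            print("  ", actor, "->", assignable_roles(model, actor))
```

Running `indistinguishable_peers` over an exported role matrix is a quick audit for role pairs that need a marker object like this.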