Solved

Prevent client from removing my IAM account


Blommetje

Hi, 

I have an 'Owner' account in IAM. I use this to set up my DBs, storage accounts, reset Caches and all the other fun stuff in IAM. 

I also created a SuperUser in IAM. This SuperUser is an employee working at the client. This account has been given the rights for User Admin and Group Administrator. 

However, I was toying around with this and I think this SuperUser has the ability to remove my 'Owner' account, or reset my password. Effectively kicking me out.

Is this correct? 

And, how can I prevent this? 
I want my client to control their own employees, but keep my accounts out of reach. 

Thanks! 

Alexander


5 replies

Mark Jongeling
Administrator

Hi Alex,

Are you and the Super user in different tenants? Only root administrators can manage information outside of their own tenant. In case the Super user is in another tenant, the user should not be able to remove any users outside his tenant.


Blommetje
  • Author
  • Partner
  • 209 replies
  • March 10, 2023

No, same tenant. In my testing environment I have only 1 tenant. 

I created a user, as the App Owner. 

Logged in as the newly created user. And deleted the first account that created me. 

I tried it twice, and both times worked. But should that not be the case? 

In a way it makes sense, both users are in the same tenant, same grid. Just click delete, and Poof, it's gone. 
 

But I believe one should not defy its creator. 

Alex


Anne Buit
Community Manager
  • Community Manager
  • 637 replies
  • Answer
  • March 11, 2023

Hi Blommetje, this is indeed a situation where you’d place the super user in a different tenant.

A user administrator is indeed allowed to modify all users, including other administrators. This is debatable but currently how things work.

However, the user administrator is limited to managing users of its own tenant. Having the owner/root admin in a different tenant should resolve the problem.


Blommetje
  • Author
  • Partner
  • 209 replies
  • March 12, 2023

Thanks Anne, will fiddle with this and check if it works as I hope. 
Perhaps in the future we can have a checkbox on this, to prevent this. Extra tenants feels a bit more complicated.


Blommetje
  • Author
  • Partner
  • 209 replies
  • March 20, 2023

Thinking about this, perhaps we can have a setting in the Company / Company Type - form, in the user profile. 

Here we’ve added the client and our company, so I can easily see/filter users. 

If we can check our company as ‘Application manager’ - it will be safe. And no tenancy stuff. 

I think to me that would be the easiest. 
 

