I have an 'Owner' account in IAM. I use this to set up my DBs, storage accounts, reset caches and all the other fun stuff in IAM.
I also created a SuperUser in IAM. This SuperUser is an employee working at the client. This account has been given the rights for User Admin and Group Administrator.
However, I was toying around with this and I think this SuperUser has the ability to remove my 'Owner' account, or reset my password, effectively kicking me out.
Is this correct?
And, how can I prevent this?
I want my client to control its own employees, but keep my accounts out of reach.
Best answer by Anne Buit
Are you and the Super user in different tenants? Only root administrators can manage information outside of their own tenant. In case the Super user is in another tenant, the user should not be able to remove any users outside his tenant.
No, same tenant. In my testing environment I have only 1 tenant.
I created a user, as the App Owner.
Logged in as the newly created user. And deleted the first account that created me.
I tried it twice, and both times worked. But should that not be the case?
In a way it makes sense, both users are in the same tenant, same grid. Just click delete, and Poof, it's gone.
But I believe one should not defy its creator.
Hi Blommetje, this is indeed a situation where you’d place the super user in a different tenant.
A user administrator is indeed allowed to modify all users, including other administrators. This is debatable but currently how things work.
However, the user administrator is limited to managing users of its own tenant. Having the owner/root admin in a different tenant should resolve the problem.
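To make the tenant-scoping rule from this answer concrete, here is an added example (not code from the IAM product or from anyone in this thread) that models the rule as described: a root admin manages users in any tenant, a user admin manages every user of its own tenant, admins included. The role names, the `User` record and the two sample layouts are assumptions constructed for the example; `exposed_root_admins` is a check that flags any root admin sharing a tenant with a non-root user admin.

```python
from dataclasses import dataclass

# Assumed role names; the product's actual role identifiers may differ.
ROOT_ADMIN = "root_admin"
USER_ADMIN = "user_admin"

@dataclass(frozen=True)
class User:
    name: str
    tenant: str
    roles: frozenset = frozenset()

def can_manage(actor: User, target: User) -> bool:
    """Tenant-scoped rule as described in the thread (assumed model):
    a root admin manages users in any tenant; a user admin manages every
    user of its own tenant, other admins included; nobody else manages anyone."""
    if ROOT_ADMIN in actor.roles:
        return True
    if USER_ADMIN in actor.roles:
        return actor.tenant == target.tenant
    return False

def exposed_root_admins(users: list) -> list:
    """Detective check: names of root admins that a non-root user admin could
    delete or reset, i.e. root admins sharing a tenant with such an admin."""
    exposed = []
    for admin in users:
        if ROOT_ADMIN not in admin.roles:
            continue
        for other in users:
            if (other is not admin and ROOT_ADMIN not in other.roles
                    and can_manage(other, admin)):
                exposed.append(admin.name)
                break
    return exposed

# Constructed sample layouts: the one from the question, and the one suggested above.
SAME_TENANT = [
    User("owner", "client", frozenset({ROOT_ADMIN, USER_ADMIN})),
    User("superuser", "client", frozenset({USER_ADMIN, "group_admin"})),
]
SEPARATE_TENANTS = [
    User("owner", "vendor", frozenset({ROOT_ADMIN, USER_ADMIN})),
    User("superuser", "client", frozenset({USER_ADMIN, "group_admin"})),
]

if __name__ == "__main__":
    print("same tenant, exposed root admins:", exposed_root_admins(SAME_TENANT))
    print("separate tenants, exposed root admins:", exposed_root_admins(SEPARATE_TENANTS))
```

Running it lists the owner as exposed in the single-tenant layout and nobody in the two-tenant layout, while the owner (root admin) can still manage the super user across tenants.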
Thanks Anne, will fiddle with this and check if it works as I hope.
Perhaps in the future we can have a checkbox on this, to prevent this. Extra tenants feels a bit more complicated.
Thinking about this, perhaps we can have a setting in the Company / Company Type - form, in the user profile.
Here we've added the client and our company, so I can easily see/filter users.
If we can check our company as ‘Application manager’ - it will be safe. And no tenancy stuff.
I think to me that would be the easiest.