Inheritance of rights in user management

Started by Beda, May 30, 2013, 10:34:50 PM


Beda

Currently, a user with the "manage users" right is able to change his own rights (which gives him the power of a superuser). This solution works and is documented, which is good.
Unfortunately, it is not possible to create a user with restricted rights (non-superuser) who can create new users.

I'm afraid that changing the user management policy in NetXMS is not a simple task; nevertheless, I tried to formulate some rules that could be used.
Let Bob be one of the users:
0 - Bob can't change his own rights.
1 - Bob can't grant another user (or group) a right that Bob doesn't have.
2 - Bob can't remove from another user (or group) a right that Bob doesn't have.
3 - Bob can't add users to groups that have at least one right that Bob doesn't have.
4 - Bob can't remove users from groups that have at least one right that Bob doesn't have.
5 - Bob can't delete a user that has at least one right that Bob doesn't have.
6 - Other actions are allowed to Bob.

In other words, these rules prevent Bob from changing his own rights, but allow him to manipulate the rights of all other users (but only the rights that Bob has). E.g. if Bob can only "Send SMS" and "Manage users", he can prevent an arbitrary user from sending SMS (or grant that right), but he isn't allowed to manipulate the "View event log" right of any user (including Bob himself).

Maybe this solution is too crazy, but I think that the possibility to create a non-superuser who can create new users could be a helpful feature.
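
The rules proposed in the post above, modelled as a single authorization check. This is an added example, not part of the original post and not NetXMS code. Assumptions: a principal's effective rights are its direct rights plus those of the groups it belongs to, groups are not nested, the acting user must hold "Manage users", rule 0 also covers groups the actor is a member of, and the action names (`grant`, `revoke`, `add_member`, `remove_member`, `delete`) are hypothetical.

```python
from dataclasses import dataclass, field

MANAGE_USERS = "Manage users"

@dataclass
class Principal:
    name: str
    rights: set = field(default_factory=set)   # rights granted directly
    members: set = field(default_factory=set)  # member names; non-empty only for groups

class Directory:
    def __init__(self, principals):
        self.p = {x.name: x for x in principals}

    def effective(self, name):
        """Direct rights plus rights of every group containing `name` (assumption)."""
        rights = set(self.p[name].rights)
        for g in self.p.values():
            if name in g.members:
                rights |= g.rights
        return rights

    def allowed(self, actor, action, target, right=None, group=None):
        mine = self.effective(actor)
        if MANAGE_USERS not in mine:
            return False
        if action in ("grant", "revoke"):
            # Rule 0: no change to own rights, directly or via a group the actor is in.
            if target == actor or actor in self.p[target].members:
                return False
            return right in mine                    # rules 1 and 2
        if action in ("add_member", "remove_member"):
            if target == actor:                     # rule 0: membership alters own rights
                return False
            return self.p[group].rights <= mine     # rules 3 and 4
        if action == "delete":
            return self.effective(target) <= mine   # rule 5
        return True                                 # rule 6: everything else

def sample_directory():
    # Constructed sample data mirroring the example in the post.
    return Directory([
        Principal("bob", {"Send SMS", MANAGE_USERS}),
        Principal("alice", {"View event log"}),
        Principal("carol", {"Send SMS"}),
        Principal("auditors", {"View event log"}, {"alice"}),
        Principal("sms-senders", {"Send SMS"}, {"carol"}),
    ])
```

The subset checks in rules 3 to 5 are what keep Bob from escalating indirectly, for example by creating a second account and then placing it in a group that holds rights he lacks.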