No warning or notification displayed while changing the admin user privilege from admin to normal.

Soniya_panwar · February 28, 2020, 6:36am

Hello,

While changing the admin user privileges from “Administrator” to any other type we didn’t get any warning or notification.

Also, while investigating the bug I found that the default admin user can be deleted and can have its permissions changed from “administrator” to some other type. This could lead to account hijacking considering the fact that any user with administrator role can delete or modify the default admin user.
I wonder if this an expected behavior for the default admin user? If not, would it not be better to disable delete option and user_type options for the default admin user?

Thanks
Soniya

phil.griffiths · February 29, 2020, 11:20am

Hi Soniya

This isn’t a bug but you could consider it a feature request perhaps.

As with root under Linux, once you are the privileged user, you can do stupid things if you want to!

Many may want to disable the default admin account, and use named user accounts with admin rights. This is better for tracking/auditing.

You also have to trust anyone with admin rights to do sensible things. This is no different from any other OS.

Regards
Phil.

Topic		Replies	Views
AWX Administrator - login as a different user AWX Project awx	5	1	August 1, 2018
Notify handler as different user Ansible Project	4	0	March 25, 2014
job template admin -> no notification tab AWX Project awx	1	1	September 13, 2018
Security concerns on user enumeration AWX Project awx	3	0	January 3, 2019
Reset admin password AWX Project	2	3	March 13, 2018

No warning or notification displayed while changing the admin user privilege from admin to normal.

Related topics