Right now the system allows a ‘Normal User’ of AWX to see all the other users, including administrators of the system, and their information. A user’s information or ID may be leveraged in attacks such as password spraying, etc. Is there a way to limit the visibility of other users’ information and the user list depending on the user’s role in AWX? i.e. only administrators should be able to see the full list of all users of the system. I would appreciate any response on this matter.
I believe you can see who is in your organization + admins, but you cannot see every single user of the system.
If you create a user with no organization assignments, that user can only see the admins.
I can understand the concern, but regular users cannot see EVERYONE on the system, as you stated.
Thanks,
John Foley
LOC
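A quick way to confirm the behaviour described above on your own instance is to list `/api/v2/users/` as each account and compare what comes back. The script below is an added example for this thread, not code from the original post or from the AWX project. It assumes an AWX instance whose REST API accepts HTTP basic auth, a base URL in the `AWX_URL` environment variable, and credentials in `AWX_ADMIN_USER`/`AWX_ADMIN_PASS` and `AWX_TEST_USER`/`AWX_TEST_PASS` (all names are assumptions). The built-in sample data (`SAMPLE_PAGES`) is constructed to mirror the thread's description, so `demo()` runs offline without a server.

```python
"""Compare which AWX user records two accounts can list via /api/v2/users/.

Added example for the thread; not AWX project code. Assumes basic auth is
enabled on the AWX REST API. Environment variable names are assumptions.
"""
import base64
import json
import os
import urllib.parse
import urllib.request

USERS_ENDPOINT = "/api/v2/users/"


def fetch_page(url, username, password, timeout=15):
    """GET one page of an AWX API listing with HTTP basic auth; returns parsed JSON."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    req = urllib.request.Request(
        url, headers={"Authorization": f"Basic {token}", "Accept": "application/json"}
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


def list_users(base_url, username, password, fetch=fetch_page):
    """Walk the paginated listing and return every user record this account may read."""
    url = urllib.parse.urljoin(base_url, USERS_ENDPOINT)
    seen = []
    while url:
        page = fetch(url, username, password)
        seen.extend(page["results"])
        nxt = page.get("next")  # AWX returns a relative URL or null
        url = urllib.parse.urljoin(base_url, nxt) if nxt else None
    return seen


def summarize(users):
    """Bucket visible usernames by AWX system role."""
    def names(pred):
        return sorted(u["username"] for u in users if pred(u))
    is_su = lambda u: bool(u.get("is_superuser"))
    is_aud = lambda u: bool(u.get("is_system_auditor"))
    return {
        "count": len(users),
        "superusers": names(is_su),
        "auditors": names(lambda u: is_aud(u) and not is_su(u)),
        "regular": names(lambda u: not is_su(u) and not is_aud(u)),
    }


def hidden_from(admin_view, user_view):
    """Usernames an admin can list that the other account cannot."""
    return sorted({u["username"] for u in admin_view} - {u["username"] for u in user_view})


# --- Constructed sample data (not captured from a real AWX) ---------------
BASE = "https://awx.example.test"
_ADMIN = {"id": 1, "username": "admin", "is_superuser": True, "is_system_auditor": False}
_ALICE = {"id": 2, "username": "alice", "is_superuser": False, "is_system_auditor": False}
_BOB = {"id": 3, "username": "bob", "is_superuser": False, "is_system_auditor": False}
_CAROL = {"id": 4, "username": "carol", "is_superuser": False, "is_system_auditor": False}
# admin sees everyone (two pages); alice and bob share an organization;
# carol has no organization, so she sees only admins and herself.
SAMPLE_PAGES = {
    (BASE + USERS_ENDPOINT, "admin"): {"count": 4, "next": "/api/v2/users/?page=2",
                                       "previous": None, "results": [_ADMIN, _ALICE]},
    (BASE + USERS_ENDPOINT + "?page=2", "admin"): {"count": 4, "next": None,
                                                   "previous": "/api/v2/users/?page=1",
                                                   "results": [_BOB, _CAROL]},
    (BASE + USERS_ENDPOINT, "alice"): {"count": 3, "next": None, "previous": None,
                                       "results": [_ADMIN, _ALICE, _BOB]},
    (BASE + USERS_ENDPOINT, "carol"): {"count": 2, "next": None, "previous": None,
                                       "results": [_ADMIN, _CAROL]},
}


def fake_fetch(url, username, password):
    """Offline stand-in for fetch_page, keyed on (url, account)."""
    return SAMPLE_PAGES[(url, username)]


def demo():
    """Run the comparison against the constructed sample for each normal account."""
    admin_view = list_users(BASE, "admin", "x", fetch=fake_fetch)
    return {
        who: {"visible": summarize(view), "hidden": hidden_from(admin_view, view)}
        for who in ("alice", "carol")
        for view in [list_users(BASE, who, "x", fetch=fake_fetch)]
    }


if __name__ == "__main__":
    if os.environ.get("AWX_URL"):  # live check; variable names are assumptions
        admin = list_users(os.environ["AWX_URL"], os.environ["AWX_ADMIN_USER"],
                           os.environ["AWX_ADMIN_PASS"])
        test = list_users(os.environ["AWX_URL"], os.environ["AWX_TEST_USER"],
                          os.environ["AWX_TEST_PASS"])
        print(json.dumps({"visible": summarize(test), "hidden": hidden_from(admin, test)}, indent=2))
    else:
        print(json.dumps(demo(), indent=2))
```

The `hidden` list is the useful output: for a normal user it should contain every account outside that user's organizations, and for a user with no organization everything except the superusers and the user's own record. If a normal account's `hidden` list is empty on a real instance, check whether that account is a member of a very large organization or holds a system auditor role rather than assuming the RBAC model is broken.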
In addition to this, Normal Users have the ability to delegate their resources (such as credentials they own) to other users. In order to do this, they need to be able to access the list of users in their team/organization.
Thanks guys for your prompt responses. It makes sense now why the users are able to see information about other users from the same team/organization.