Self Promotion - ACL

This topic was automatically closed 365 days after the last reply. New replies are no longer allowed.
14 years ago
I created two roles

1)  ‘Super Admin’ with access to everything on the ACL list
2)  ‘Minimal Admin’ with access to ‘Manage Orders’ and ‘Manage Customers’ only.

User 'Test1' was added only to the role ‘Minimal Admin’.

Logging in as user 'Test1', I searched the customers for ‘Test1’.  I then clicked ‘Customer Roles’ and added 'Test1' to ‘Super Admin’.

After that 'Test1' could do everything.

What did I do wrong?
14 years ago
Did you make the roles active on Administration/CustomerRoleDetails.aspx

( Active: )

and make

Access control list enabled: enabled

on Administration/ACL.aspx
14 years ago
SOLUTION

First do what "haydie" suggested; if it is still not working, THEN DO THIS:

Log in as ADMIN, go to Manage Customers > Test 1 (now, in the Test 1 account, make this username an ADMIN).

I know it sounds weird that if we make someone an admin they will have all the powers, but trust me, this is the solution.

After checking the "Is Administrator" checkbox, SAVE IT.

AND now log in as TEST1 and go to the admin section, and you will see restrictions on many things saying "You don't have permission to do this".

Hope It Helps
14 years ago
Just found out something interesting: if you create a customer role and then enable the ACL, but have not given yourself a role with any permissions, you will not have any access to pages in admin!

For those of you (sorry, for those of us!) who are this daft:

database table NOP_Setting

ACL.Enabled         set it to        false

and log in again
14 years ago
Thank you for the suggestions, however I think I may have caused confusion with my question.

The issue here is that the permission granted to administer 'Customers' currently bestows the ability to assign those 'Customers' to different roles.  This includes assigning customers to roles with higher security permissions than the individual doing the administering has.  This problem is exemplified by the lower-level administrator I described previously being able to add their own customer account to (say) a Global Administrator role - i.e. 'self promotion' - granting themselves greater permissions than they were given.

In the sample data you can try this by giving a member of the 'Staff' role the right to administer customers, logging in as that member, and with a single click that member can make themselves or any other user a 'Global Administrator'.  They can, of course, probably also delete all 'Global Administrators', locking everyone out.

Being able to administer customers is probably the most common use case for staff using the store as really this is the reason why we usually need staff in the first place!  Our staff need to apply a discount role to a customer based on their association with us, and *administering* this is essentially mixed in with *administering* staff security roles under the current design.

As a short-run solution it might be useful to:

1) Prevent anyone who does not have a particular action permission from adding customers to roles that DO have this action permission (i.e. you can only promote up to your own permission level).
2) Only roles with the 'Manage ACL' permission can change the 'Is Administrator' status of a customer or delete a customer who is an Administrator, OR (alternatively) delete a customer who has the 'Manage ACL' permission.

However, this is a halfway fix and I think a better overall approach is needed.   A simple change would separate security roles from other types of roles, but a clearer user/group/permission design overall would help - possibly using a standards-based, perhaps token, design using something like SAML 2.0 to develop an interoperable, federated and secure trust-based approach to this.   This would also allow the nop security model to federate easily with trusted external sites and services - some of which I see are now included with v1.5.
14 years ago
I have a question regarding this ACL feature which was introduced in version 1.5.

Is this Access Control List (ACL) only for the admin section?  What if somebody wants to create a public page but would like to give access to a few users only?

I guess this ACL should include a feature in which the admin can give access for public pages too.
14 years ago
abcd_12345 wrote:
I have a question regarding this ACL feature which was introduced in version 1.5.

Is this Access Control List (ACL) only for the admin section?  What if somebody wants to create a public page but would like to give access to a few users only?

I guess this ACL should include a feature in which the admin can give access for public pages too.


I would also like to know this.
Thanks
14 years ago
@abc     +    juanmanuelrojascavaliere

vote for it here

http://nopcommerce.codeplex.com/workitem/7661
13 years ago
Hey, I too had the same problem with granting access to Staff etc. with limited permissions.  I could not get the Admin page to be available for them.  There are 3 settings that are necessary.  Make sure you save on each page.

1.  Create a role or use one of the existing ones in Customer/Customer Roles.
    Activate the Role.

2.  In Configuration/Access Control List (ACL):
    Enable the ACL (top left).
    If it is an existing Role, modify as necessary.
    If it is a new Role, assign permissions.

3.  Create the new "customer" that you want to give access to the admin area in Customer/Manage Customers.
    At the bottom of the Create page there are 2 check boxes:
        Is administrator
        Is forum moderator
    "Is Administrator" must be checked to gain access to the Administration area.

4.  Activate the Customer by checking the check box at the bottom of the same page.

5.  Select the Customer Roles tab on the same page.  Assign and Activate the role.

Log out and then log in as your new customer; you should see the Administration link in the upper right hand corner of the page.
13 years ago
This post seems to be getting off topic.  rupreck has a very legitimate concern here that I just discovered as well.  That is how I found this post.  A lower-level staff member with access to manage customers can completely lock out any and all Global administrators and then self-promote to Global administrator.

For a temporary fix, is it possible to only allow access to the "Customer Roles" tab in Customer Details (administration/CustomerDetails.aspx) for administrators with the "Manage Customer Roles" privilege checked in the Access Control List? Or, more realistically, remove this tab for administrators without this privilege.
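As an added example (not nopCommerce code, and not written by anyone in this thread), here is a small Python model of the guards discussed above: rupreck's rules (1) and (2), the coarser "Manage Customer Roles" tab gating proposed in the last post, and a check against the ACL lock-out described earlier in the thread. The Customer class, the AclError type, the permission and role names, and the sample data are assumptions constructed for the example; only the setting name ACL.Enabled is taken from the thread.

```python
"""Guards against ACL 'self promotion', modelled on the problem in this
thread.  Added illustration, not nopCommerce code; names and data below are
constructed for the example except the ACL.Enabled setting key."""
from dataclasses import dataclass, field

# Assumed permission names (the thread mentions Manage Orders/Customers/ACL).
MANAGE_CUSTOMERS = "Manage Customers"
MANAGE_ORDERS = "Manage Orders"
MANAGE_ACL = "Manage ACL"
MANAGE_ROLES = "Manage Customer Roles"

# Constructed sample roles: role name -> set of ACL permissions it grants.
ROLES = {
    "Super Admin": {MANAGE_CUSTOMERS, MANAGE_ORDERS, MANAGE_ACL, MANAGE_ROLES},
    "Minimal Admin": {MANAGE_CUSTOMERS, MANAGE_ORDERS},
    "Staff": {MANAGE_CUSTOMERS},
    "Discount Customer": set(),   # a pricing role, not a security role
}


@dataclass
class Customer:
    name: str
    roles: set = field(default_factory=set)
    is_admin: bool = False        # the "Is Administrator" checkbox


class AclError(PermissionError):
    """Raised when one of the guards refuses an action."""


def effective_permissions(customer):
    """Union of the permissions of every role the customer holds."""
    perms = set()
    for role in customer.roles:
        perms |= ROLES.get(role, set())
    return perms


def has_permission(customer, perm, acl_enabled=True):
    """Admin flag is required for the admin area; with the ACL switched off
    every admin can do everything (the lock-out workaround from the thread)."""
    if not customer.is_admin:
        return False
    if not acl_enabled:
        return True
    return perm in effective_permissions(customer)


def assign_role(actor, target, role):
    """rupreck's rule (1): a role may only be granted if every permission it
    carries is already held by the actor, so nobody (themselves included)
    can be promoted above the actor's own level."""
    if not has_permission(actor, MANAGE_CUSTOMERS):
        raise AclError(f"{actor.name} may not manage customers")
    missing = ROLES[role] - effective_permissions(actor)
    if missing:
        raise AclError(f"{actor.name} cannot grant {role!r}: lacks {sorted(missing)}")
    target.roles.add(role)


def can_edit_customer_roles_tab(actor):
    """Coarser alternative from the last post: show the 'Customer Roles' tab
    only to actors holding 'Manage Customer Roles'."""
    return has_permission(actor, MANAGE_ROLES)


def set_is_admin(actor, target, value):
    """rupreck's rule (2): only 'Manage ACL' may flip 'Is Administrator'."""
    if not has_permission(actor, MANAGE_ACL):
        raise AclError(f"{actor.name} may not change administrator status")
    target.is_admin = value


def delete_customer(actor, target, customers):
    """Rule (2) for deletion, plus a last-administrator guard so the store
    can never be left with nobody able to manage the ACL."""
    if not has_permission(actor, MANAGE_CUSTOMERS):
        raise AclError(f"{actor.name} may not manage customers")
    privileged = target.is_admin or MANAGE_ACL in effective_permissions(target)
    if privileged and not has_permission(actor, MANAGE_ACL):
        raise AclError(f"{actor.name} may not delete administrator {target.name}")
    survivors = [c for c in customers
                 if c is not target and has_permission(c, MANAGE_ACL)]
    if has_permission(target, MANAGE_ACL) and not survivors:
        raise AclError(f"deleting {target.name} would remove the last ACL administrator")
    customers.remove(target)


def enable_acl(actor, settings):
    """Guard for the lock-out described in the thread: refuse to switch the
    ACL on unless the actor still holds 'Manage ACL' afterwards."""
    if not actor.is_admin or MANAGE_ACL not in effective_permissions(actor):
        raise AclError(f"{actor.name} would lose admin access once the ACL is enabled")
    settings["ACL.Enabled"] = True   # the NOP_Setting key named in the thread
    return settings


if __name__ == "__main__":
    test1 = Customer("Test1", {"Minimal Admin"}, True)
    try:
        assign_role(test1, test1, "Super Admin")   # the self-promotion from the first post
    except AclError as err:
        print("blocked:", err)
```

The subset check in assign_role keeps rupreck's staff use case working: a 'Minimal Admin' can still give a customer the 'Discount Customer' role, which grants no ACL permissions, but cannot hand out 'Super Admin'. The tab gating in can_edit_customer_roles_tab is the blunter fix from the last post and would also block that discount workflow, which is the trade-off between the two proposals.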