
How to prevent adding admin-role?


I am trying to create a 'domain admin' role which has permissions to create projects and users, and manage user roles in projects within its own domain. I have a pretty OK working set of policies done, but there is one critical security hole: the domain admin can add the 'admin' role to a user, and after that the user has superuser privileges. Is there any possibility to limit domain admin rights to give only _member_ roles?

I am working in Queens-based Red Hat OSP13.

Tavasti, OpenStack admin
