Admin user removes Super User.

Started by ByDcc, June 01, 2009, 03:56:28 pm


ByDcc

   Hi all,
   I would like to prevent any admin user from being able to remove my super user in the shop.

   In this scenario:

* First user with role Super User
* Second user with roles:
   - Catalog Maintenance
   - Customer Maintenance
   - Order Maintenance
* Both of them are admin users.

The second user is able to remove the Super User and I lose the control over the shop.

   Did I do something wrong? Can I avoid this behavior using configuration, or should I fix it in some Java class?

   Thanks in advance.

heidi

Hi,

You can configure the users' role assignments to achieve that...   In the Admin App, under Customers, go into the Maintain Roles and Assign Roles options to set them as you wish.


Not sure which version you're using but I think that at one point the default setup was a little "loose" in that it allowed Catalog and Order users to have more power than they should have had.

--Heidi

ByDcc

   Hi Heidi,
   thank you for your reply.

   I give you all the data:

1) I did a manual installation of Konakart.
2) My version of Konakart is 2.2.6.0

   I used Maintain Roles and Assign Roles as you said but I have the behavior described in my first post.

   I am Super User in the application. And my client has Catalog Maintenance, Customer Maintenance and Order Maintenance roles.

   I've reviewed these roles and I don't see anything like "Able to remove Super User users"

   I give the list for each one:

Customer Maintenance

  • Change Password
  • Customer Communications
  • Customer Groups
  • Customer Orders
  • Customers
  • Edit Customer
  • Insert Customer

   I think the problem is here, in the role Customer Maintenance. It should have something like "Remove User" or "Remove Super User users".
   I tried to remove Customers option but the owner wasn't able to manage customers so I added this option again.

   The other roles:

Catalog Maintenance

  • Categories
  • Change Password
  • Coupons
  • Coupons For Promotions
  • Edit Product
  • Maintain Tag Groups
  • Maintain Tags
  • Manufacturers
  • Product Options
  • Products
  • Products for Categories
  • Products for Manufacturer
  • Promotion Rules
  • Promotions

Order Maintenance

  • Change Password
  • Customer For Order
  • Edit Order
  • Orders
  • Payment Gateway Callbacks
  • Payment Status For Order
  • Product Returns
  • Product Returns For Order

   Am I missing something? Any more suggestions?
   Thank you in advance.

heidi

There is no specific option to assign/revoke a privilege to delete a super user.

The closest is probably to configure it so that the Customer Maintenance role cannot delete customers.

ByDcc

   Hi again,
   but the option "delete customers" doesn't exist. In my case Customer Maintenance has insert user and edit user.

   And I can't see the java code source for admin konakart in which I could fix the problem so I don't know what I can do.

   Any suggestion to fix this problem? Maybe loading some data into some database table, or adding a new permission for the role Customer Maintenance in the database.

   Thank you in advance.

heidi

Go to Maintain Roles in the Admin App.

Select your Role, e.g. Customer Maintenance, then click on "Privileges".

On the panel you see you can set Insert, Edit and Delete privileges for each panel of the Admin App...  plus a few special ones (which appear shaded) assigned to custom fields.

Therefore you can remove the delete customer privilege for a role by unchecking the delete box on the "Customers" panel.



You can always check the Help page in the Admin App... In this case it has plenty of help:


This window allows you to create new roles, edit and delete existing roles and to associate roles to panels and API Calls.

All existing roles are displayed in the list on the left hand side of the window. When you select a role, the panels associated with that role are displayed in the Assigned Panels list and the available panels are displayed in the Available Panels list. You can add panels to the role by selecting them in the Available Panels list and then clicking the Add button. You can remove panels from the role by selecting them in the Assigned Panels list and then clicking the Remove button. Note that multiple selects are allowed. You must click the Save button in order to save any modifications. Once modifications have been saved you may click the Privileges button in order to set the user privileges for each panel. The available privileges are edit / insert / delete or a combination of these. If none of these privileges are selected, then the user will have read only access. You may notice that there are some other check boxes labelled Cust1, Cust2 and Cust3. These may be used by a panel to configure access to features such as pop-up windows for that panel. If they are being used, they will be in green and float-over text will explain what they are being used for.

A new role may be entered by clicking the New button and then by filling the required fields in the popup window. Existing roles may be edited or deleted by selecting them and then clicking the Edit or Delete buttons. Each role has a name and description, which are compulsory fields. There are five custom fields and a SuperUser check box. When SuperUser is set, the role allows an administrator to administer a store even when it has been deleted or is disabled.

KonaKart can be configured for API Call security in the Security and Auditing section of the Configuration menu. This provides an extra level of security by defining the API Calls that can be accessed by any particular role. When enabled, a Show API Calls button will appear, that allows you to switch between panel and API Calls. The configuration of API Calls works in a similar fashion to the panel based security explained above. You can add API Calls to the role by selecting them in the Available API Calls list and then clicking the Add button. You can remove API Calls from the role by selecting them in the Assigned API Calls list and then clicking the Remove button button. Note that multiple selects are allowed. You must click the Save button in order to save any modifications.