Why is the user-administrator allowed to add anybody to the administrators group and how to prevent from this behavior?
The user-administrators (every user member of the user-administrators group) can create users and groups and can manage the groups membership (this means they have Modify and Create permission to all users and groups).
By default the user-administrators have no Write ACL permission, so can't edit the ACL of a resource and therefore are not enabled to modify the permissions granted to the users or groups.
As the user-administrators can add every user and group to any group by default it's possible for the user-administrators to add any user or group (even himself) to a group that is granted additional permissions.
If the user-administrators should not be able to add any user or group to specific groups which are more powerful than the user-adminstrators itself the administrators are in charge of adjusting the permissions accordingly.
The administrators (admin user and every user member of the administrators group) can do this by deny the write access to the node corresponding to the group with more privileges (i.e. administrators group) for everyone except the really allowed (i.e. administrators).
This prevents (in our example) the user-administrators from modifying the members of the administrators group.
Note: This doesn't only apply to the administrators group but may be required for any project specific group that is considered more powerful than the user-administrators.
Example: For the administrators group (the only group with more privilege than the user-administrators in the initial setup)
- Login as administrator (admin user or user member of administrators group) to the CRX system. Switch the workspace to "crx.system".
- Open the CRX browser and go to the administrators group node - /rep:security/rep:principals/rep:groups/administrators
- Select the
administratorsnode and from the top menu, select Security -> ACL Editor.
- Switch to
ACLtab and add a new permission with
principal=user-administratorsand deny the Modify access (set_property). You can also deny all access. With the deny of the Read access the user-administrators can't see the administrators group in the GUI anymore. This prevents from selecting the administrators group for any membership manipulation (which don't work anyway as the Modify access is denied).
- Now login with a test user which is a member of the user-administrators group. You are not able to add any user or group to the administrators group anymore or see the administrators group if you also denied Read access.
An administrator (or any other user which is member of a group which is allowed to Write ACL to any resource) modifying the permissions of groups must be aware that the user-administrators are allowed to add members to this group. Consequently it may be required to restrict the user-administrators permissions to modify the corresponding group members.
This also applies to any other users/groups that are allowed to write group membership.