/build/static/layout/Breadcrumb_cap_w.png

KBOX Roles & Permissions fundamentally flawed?

Forgive me if this has been discussed already, but I could not find any mention.

So it seems the whole roles and permissions system of the KBOX is fundamentally flawed. If your user role has write permissions to Roles, you can give yourself permissions that you don't already have yourself.

Our goal is to utilize Organizations so that independent teams have full control over their organization. Access to creating custom Ticket Rules under Help Desk > Configuration > Queues > Customize Ticket Rules has the potential to break the KBOX for all Organizations (there's an update query that can be modified by someone who doesn't know what they're doing), so locking Organization administrators out of the Configuration tab of the Help Desk seems like it would be good enough. Not so. You'll also need to lock them out from creating new Roles or they could just assign themselves a role that has permissions to modify Help Desk > Configuration.

As System admins, we don't want to be in the business of creating user accounts each time an Org. admin has a new hire or wants to grant an existing employee permission to use the KBOX. We want each Org to feel like they are using their own KBOX without actually giving them their own KBOX (which is out of the question).

The only alternative I can think of that would work for us is to prevent any Org admins from being able to write to Roles. But that means, as System admins, we'll need to create a reasonable subset of all permutations of possible roles when creating each new Organization. Otherwise we'll have to be in the business of creating new roles whenever an Org admin needs one. All of this would be moot if the KBOX just prevented users with write access to Roles from creating a new role that granted permissions which they didn't have to give in the first place. It seems like a major flaw in the design and seriously weakens the whole permission system in general.

Any thoughts? Workarounds?

0 Comments   [ + ] Show comments

Answers (2)

Posted by: stradric 14 years ago
Senior Yellow Belt
0
Turns out it's not as bad as we thought. We can use Organizational roles to lock out even the Admin users from various elements of the KBOX. However, it doesn't address the issue that any users with Write permission to Roles can grant themselves permissions which they don't have to give.
Posted by: cblake 14 years ago
Red Belt
0
Technically this would be a fundamental flaw with all security systems- if you have admin access you can grant yourself permissions to just about anything. Consider granting somone Domain Admin Rights then asking them not to poke around in the SQL server or Exchange farm- not really the most secure of systems, since one could simply grant themselves DBA rights or Exchange admin permissions, or whatever. I sympathize with the theory, but the root of it is- just be careful when granting rights. At least until someone comes up with a better system :)

I do agree that this could be improved, and I've mentioned it to engineering, but it's never a bad plan to submit change/enhancement requests to [email=support@kace.com]support@kace.com[/email] - that's how we improve. Thanks for pointing this out, it's certainly been noted before, but that shouldn't deter you from "adding your voice" to that change request.
Rating comments in this legacy AppDeploy message board thread won't reorder them,
so that the conversation will remain readable.

Don't be a Stranger!

Sign up today to participate, stay informed, earn points and establish a reputation for yourself!

Sign up! or login

Share

 
This website uses cookies. By continuing to use this site and/or clicking the "Accept" button you are providing consent Quest Software and its affiliates do NOT sell the Personal Data you provide to us either when you register on our websites or when you do business with us. For more information about our Privacy Policy and our data protection efforts, please visit GDPR-HQ