I’ve created 2 new global roles on my tenant, one to be a tenant specific “Admin” role, and the other to be a “General User” role. The “General User” role has access to only 1 application, and has read-only permissions for some of the permission types. The “Admin” role gets more access and more admin permissions. But when creating a user with only the “General User” role, the user is still able to provide him/herself with admin roles (even the default Cumulocity admin role), or even create other users and provide them any available role. Is there a way to categorize/level global roles, so that low-level roles (like “General User”) not able to view or provide higher level roles, while keeping the possibility the other way around?
I’ve just created myself a User with a single Global Role containing read-only permissions only - this User isn’t able to create other users or assign other global roles. Are you sure there is no additional Role assigned to this user?
Can you do a GET request against /user/currentUser with your General-User and provide the content of the effectiveRoles fragment? This lists all your users permission, your description sounds like there is ROLE_USER_MANAGEMENT_ADMIN in between.
My bad! Seems like I had one of the user management permissions turned on by mistake, which isn’t now and the “General User” role works now as expected. But still the tenant specific “Admin” role is able to provide him/herself or create users with Cumulocity’s default Admin role. Is there a way we could say that this “Tenant Admin” could create/provide “General User” role but can’t create provide cumulocity’s default “Admin” role?
The solution here is to subscribe the “feature-user-hierarchy” application and assign the new “Tenant Admin” a global role with permission:" User Management: CREATE" only. With this, the new tenant admin can create new user as his own sub-users and manage them without prividing them the cumulocity’s default “Admin” role.