BryanMLima commented on issue #10096: URL: https://github.com/apache/cloudstack/issues/10096#issuecomment-2539131091
Hello, @hiblinux. First, I just want to clarify how ACS checks if a given role has permission to create another account. It will check if the caller account has permission (i.e., `allow`) to all APIs in the role used by the target account. Using a diff checker tool, I managed to encounter some inconsistencies that would fail this verification. The following APIs are denied for the role `Domain Admin L2` and are allowed for the role `DomainAdmin`:

- createDiskOffering
- createServiceOffering
- deleteDiskOffering
- deleteServiceOffering
- updateDiskOffering
- updateServiceOffering
- updateConfiguration

Even though the type of the role `Domain Admin L2` is `Admin` and the role `Domain Admin` is of type `DomainAdmin`, ACS will fail in the validation of the APIs above; that's why you are receiving the message `can not create an account with access to more privileges they have themself`.

Now, about the **why** ACS does not allow this: escalation of privileges. If a user could create an account with more privileges than its own, then this is a security concern. Consider a scenario where a custom Root Admin was created with just read permissions. If ACS allowed this role to create another account with more permissions just because it is of type `Admin`, an attacker could use this to create a Root Admin with all permissions, which is not desired.

To tackle your problem specifically, you'll need to normalize the permissions of the APIs mentioned above (and others, if I missed something) for the custom role `Domain Admin L2`.

@DaanHoogland, I don't think this is a bug, it is working as expected.
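The check described in the comment above, modelled as an added example (this is not CloudStack's own code). It assumes that a role's permissions are an ordered list of (API pattern, allow/deny) rules where the first match wins and an unmatched API is denied, and it uses a constructed API catalogue and constructed role definitions that reproduce the seven-API gap from the comment, plus the read-only Root Admin scenario.

```python
"""Model of the 'may the caller grant this role?' check.

Assumptions (labelled; not taken from the CloudStack source): a role's
permissions are an ordered list of (api_pattern, "allow" | "deny") rules,
the first matching rule wins, and an API with no matching rule is denied.
"""
from fnmatch import fnmatchcase

# Constructed catalogue of API names the rules are evaluated against.
API_CATALOGUE = [
    "listAccounts", "listUsers", "createAccount", "createUser",
    "createDiskOffering", "createServiceOffering",
    "deleteDiskOffering", "deleteServiceOffering",
    "updateDiskOffering", "updateServiceOffering",
    "updateConfiguration",
]

# Constructed roles. "Domain Admin" allows everything in the catalogue;
# "Domain Admin L2" explicitly denies the seven APIs named in the comment.
DOMAIN_ADMIN_RULES = [("*", "allow")]
DOMAIN_ADMIN_L2_RULES = [
    ("createDiskOffering", "deny"), ("createServiceOffering", "deny"),
    ("deleteDiskOffering", "deny"), ("deleteServiceOffering", "deny"),
    ("updateDiskOffering", "deny"), ("updateServiceOffering", "deny"),
    ("updateConfiguration", "deny"),
    ("*", "allow"),
]
# Read-only custom Root Admin from the escalation scenario, and a full admin.
READ_ONLY_ROOT_ADMIN_RULES = [("list*", "allow"), ("*", "deny")]
FULL_ROOT_ADMIN_RULES = [("*", "allow")]


def is_allowed(rules, api):
    """First matching rule decides; no match means deny."""
    for pattern, verdict in rules:
        if fnmatchcase(api, pattern):
            return verdict == "allow"
    return False


def allowed_apis(rules, catalogue=API_CATALOGUE):
    """Set of catalogue APIs the role may call."""
    return {api for api in catalogue if is_allowed(rules, api)}


def privilege_gaps(caller_rules, target_rules, catalogue=API_CATALOGUE):
    """APIs the target role may call but the caller may not, sorted."""
    return sorted(allowed_apis(target_rules, catalogue)
                  - allowed_apis(caller_rules, catalogue))


def can_create_account(caller_rules, target_rules, catalogue=API_CATALOGUE):
    """(ok, gaps): ok is True only when the target role is a subset of the caller's."""
    gaps = privilege_gaps(caller_rules, target_rules, catalogue)
    return (not gaps, gaps)


if __name__ == "__main__":
    ok, gaps = can_create_account(DOMAIN_ADMIN_L2_RULES, DOMAIN_ADMIN_RULES)
    print("Domain Admin L2 -> Domain Admin:", "allowed" if ok else "refused", gaps)
    ok, gaps = can_create_account(READ_ONLY_ROOT_ADMIN_RULES, FULL_ROOT_ADMIN_RULES)
    print("read-only Root Admin -> full Root Admin:", "allowed" if ok else "refused", gaps)
```

Running it shows the seven offering and configuration APIs as the gap that makes the first request fail, and that the read-only Root Admin is refused when it tries to hand out a full Root Admin role even though both are of type `Admin`; the role type never enters the decision, only the per-API permission sets do.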