Admin user that cannot change root password

Started by coffeelover, August 30, 2021, 06:52:17 PM

Hi all, I'm a new OPNsense user so, please, don't blame me too much if this is a silly question! I would like to have an admin user with limited powers, in the sense that it should not be able to add users or change passwords of other users. I tried to create the user removing the privileges "GUI System: User Manager" and "GUI System: User Manager: Add Privileges", but it seems to me that it keeps the right to change root's password.
Is there something I am missing? Many thanks for your support.

Hi there,

It should be as straightforward as you described. Where exactly do you mean the admin can override the root password? Page URL and/or steps to reproduce.


Cheers,
Franco

Hi Franco and thanks for your interest: what I do is simply to create a new user and select for it all the privileges BUT the two I just mentioned. Then, the user can simply go into the System:Access:Users and do whatever she wants (e.g. change root password and privileges).

Ok, well, access to user accounts management inherently makes those users capable of creating admins and naturally also changing the passwords of other admins. There is no strict hierarchy at play here that "forbids" this and in most work life admin situations you will have to trust your admins with the access you give them.


Cheers,
Franco

Hi Franco, thanks for your answer. I see your point, however there is still another issue: I gave another try with the privileges and removed the "GUI:All pages". Now the user cannot access the System:Access:User page (as expected) but also the Lobby:Password page is removed from the menu. Is this the intended behavior? In this way the user, simply, cannot change her OWN password!

There are use cases that require this, for everyone else just add:

System: User Password Manager


Cheers,
Franco

Dear Franco: you are the best. Thanks SO much.

Best