CCM 6 Group / Role Security vulnerability!

Unanswered Question
Jul 8th, 2008

In CCM6, if I create an application user and give them a small subset of rights, such as phone administration, I have noticed that if that admin has the ability to edit end users, they can in turn add end users into administrative groups! This in effect is a major security vulnerability: an administrator with lower rights can create a new end user and give them every role / right to the CCM box (except super user). I have even verified that the end user can log into the CCM Admin pages with full rights! What is the point of groups and roles then? Am I missing something?

If I do not give phone administrators the ability to edit end users, the phone administrators cannot change an end user's password, or associate phones to their profiles…

wyssd Thu, 07/31/2008 - 07:26

I wish I had a solution. I am trying to sort out the same dilemma. There is little point in trying to limit access if they can elevate themselves to virtually unlimited access by having update abilities for user accounts.

