Combination View Flat View Tree View
Threads [ Previous | Next ]
toggle
J B
Safeguard - prevent an Administrator from removing their own admin rights
December 17, 2012 1:24 AM
Answer

J B

Rank: New Member

Posts: 5

Join Date: November 30, 2012

Recent Posts

Hi everyone,

Suggestion
How about including a safeguard that prevents a Portal Administrator from removing their own Portal Admin permissions? (Or at least warns them of what they're about to do.)

Background
I did it myself in a moment of tired confusion, and I ended up without any user accounts that could perform Portal administration.
See my post here... Removed all assignments from Liferay - now can't perform admin tasks

Luckily I'm only in the "experimenting / building" phase, so I don't have any sites in the public domain. That would have been horrendous. emoticon
Hitoshi Ozawa
RE: Safeguard - prevent an Administrator from removing their own admin righ
January 2, 2013 7:17 PM
Answer

Hitoshi Ozawa

Rank: Liferay Legend

Posts: 7990

Join Date: March 23, 2010

Recent Posts

Omni Administrator is suppose to be able to always administrator the portal.
James McGovern
RE: Safeguard - prevent an Administrator from removing their own admin righ
February 3, 2013 7:45 AM
Answer

James McGovern

Rank: Junior Member

Posts: 69

Join Date: June 13, 2010

Recent Posts

You cannot take away rights from Omni Administrator. With that being said, it may make sense to have a portal.properties value such as MinAdminCount to place a constraint on the minimum number of administrators that a given organization should have.
Hitoshi Ozawa
RE: Safeguard - prevent an Administrator from removing their own admin righ
February 3, 2013 1:33 PM
Answer

Hitoshi Ozawa

Rank: Liferay Legend

Posts: 7990

Join Date: March 23, 2010

Recent Posts

That'll cause a chicken and egg like situation because initially, no organization admin will exist because there isn't an organization and organization will not initially have minimum number of organizational admin.
J B
RE: Safeguard - prevent an Administrator from removing their own admin righ
February 3, 2013 1:57 PM
Answer

J B

Rank: New Member

Posts: 5

Join Date: November 30, 2012

Recent Posts

Hitoshi Ozawa:
That'll cause a chicken and egg like situation because initially, no organization admin will exist because there isn't an organization and organization will not initially have minimum number of organizational admin.


I did like James' suggestion, but I can see the possible chicken & egg problem.

I do think there's a need to prevent idiots like me from being able to 'bulk unassign' the administrator role from all the existing member users, thus leaving the portal without any admins at all, and therefore no way of doing portal administration from that point on. But I have no idea how to implement this. (If I was smart enough to figure out the answer, I probably wouldn't have had the problem in the first place. emoticon )

I hope I've properly explained what the problem was - I actually explained it better in the other thread... Removed all assignments from Liferay - now can't perform admin tasks.

By the way, if a Liferay staffer wants to know how I got myself out of the hole, I'll happily explain in private. I don't want to post it publicly in case it's something that could be exploited for malicious purposes.

James & Hitoshi, thanks again for your ongoing thinking on this.

JB
Hitoshi Ozawa
RE: Safeguard - prevent an Administrator from removing their own admin righ
February 4, 2013 3:00 PM
Answer

Hitoshi Ozawa

Rank: Liferay Legend

Posts: 7990

Join Date: March 23, 2010

Recent Posts

Liferay has omni admin. By default admin of the initial liferay instance is made into an omni admin but to safeguard,
it's recommended to separate ordinary admin from omni admin. You probably won't had the problem if you created
a regular admin to do normal administrative tasks.

#
# Omniadmin users can administer the portal's core functionality: gc,
# shutdown, etc. Omniadmin users must belong to the default company.
#
# Multiple portal instances might be deployed on one application server, and
# not all of the administrators should have access to this core
# functionality. Input the ids of users who are omniadmin users.
#
# Leave this field blank if users who belong to the right company and have
# the Administrator role are allowed to administer the portal's core
# functionality.
#
omniadmin.users=
James Falkner
RE: Safeguard - prevent an Administrator from removing their own admin righ
February 11, 2013 12:36 PM
Answer

James Falkner

LIFERAY STAFF

Rank: Liferay Legend

Posts: 1218

Join Date: September 17, 2010

Recent Posts

J B:

By the way, if a Liferay staffer wants to know how I got myself out of the hole, I'll happily explain in private. I don't want to post it publicly in case it's something that could be exploited for malicious purposes.

James & Hitoshi, thanks again for your ongoing thinking on this.

JB


Hey JB - sent you a PM about this. I would like to know how you got yourself out of this hole emoticon