Prevent other admins from locking or deleting the default admin
-
Hi, so I can create multiple admins for a single tenant using FusionAuth. The other admins can only manage users.
But the problem is that they can lock the default admin (the first admin account on FusionAuth), and I want to prevent that. So I basically want to build "super admin" and "admin" roles. The super admin can delete or manage other admin accounts, but an admin can't delete or manage the super admin account.
How can I achieve that? -
There's no way to create such a super admin account that can't be modified in FusionAuth.
Options I can think of to achieve something similar:
- make sure you have database backups (a good idea anyway) and recover from your last backup if an admin deletes/locks the primary admin account. Or just investigate the FusionAuth database such that you can flip the bit in there if anyone ever locks the primary admin account.
- create a second tenant and create a tenant scoped API key. Then build whatever user management tooling you need using that API key. The super user will remain untouched and inaccessible in the default tenant.
- limit people to the roles that they need and never provide anyone with the user_deleter or user_manager role. The user_support_manager role may be helpful to you: https://fusionauth.io/docs/v1/tech/core-concepts/roles/
Only the last one allows users other than the superadmin to access the FusionAuth admin UI.
Feel free to file a feature request explaining your desired functionality in more detail if you'd like.
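As an added illustration of the second option above (a separate tenant plus a tenant-scoped API key), here is a small Python client for the FusionAuth user API. It is example code written for this page, not FusionAuth's own tooling; BASE_URL, TENANT_ID, API_KEY and the user ids are constructed placeholders. The point it shows is that every request this tooling can issue is pinned to the second tenant by the key it uses (and by the explicit X-FusionAuth-TenantId header), so the primary admin in the default tenant is simply not reachable through it, whatever the caller asks for.

```python
# Added example: a tenant-scoped FusionAuth user-management client.
# Not FusionAuth's own code. BASE_URL, TENANT_ID, API_KEY and the user ids
# below are constructed placeholders; replace them with your own values.
import json
import urllib.request
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlencode

BASE_URL = "http://localhost:9011"                   # assumed FusionAuth address
TENANT_ID = "11111111-2222-3333-4444-555555555555"   # assumed id of the SECOND tenant
API_KEY = "TENANT_SCOPED_API_KEY_PLACEHOLDER"        # API key created inside that tenant


@dataclass
class ApiRequest:
    method: str
    url: str
    headers: dict
    body: Optional[bytes] = None


def build_request(method: str, path: str, body: Optional[dict] = None,
                  query: Optional[dict] = None) -> ApiRequest:
    """Build a FusionAuth REST request that is pinned to TENANT_ID.

    A tenant-scoped API key can only act on users of its own tenant, so the
    default tenant (where the primary admin lives) is out of reach no matter
    what this tooling requests. The X-FusionAuth-TenantId header names the
    tenant explicitly so a mismatch is rejected instead of silently applied.
    """
    url = BASE_URL + path
    if query:
        url += "?" + urlencode(query)
    headers = {
        "Authorization": API_KEY,              # FusionAuth takes the raw key here
        "X-FusionAuth-TenantId": TENANT_ID,
        "Content-Type": "application/json",
    }
    payload = json.dumps(body).encode() if body is not None else None
    return ApiRequest(method, url, headers, payload)


def search_users(query_string: str, limit: int = 25) -> ApiRequest:
    """User search within the tenant: POST /api/user/search."""
    return build_request("POST", "/api/user/search",
                         {"search": {"queryString": query_string,
                                     "numberOfResults": limit}})


def deactivate_user(user_id: str) -> ApiRequest:
    """Soft-delete (deactivate) a user: DELETE /api/user/{userId}."""
    return build_request("DELETE", f"/api/user/{user_id}")


def reactivate_user(user_id: str) -> ApiRequest:
    """Undo a deactivation: PUT /api/user/{userId}/reactivate."""
    return build_request("PUT", f"/api/user/{user_id}/reactivate")


def hard_delete_user(user_id: str) -> ApiRequest:
    """Permanently delete a user: DELETE /api/user/{userId}?hardDelete=true."""
    return build_request("DELETE", f"/api/user/{user_id}",
                         query={"hardDelete": "true"})


def send(req: ApiRequest) -> dict:
    """Send the request and return the parsed JSON body ({} when empty).

    urllib raises HTTPError on 4xx/5xx, which is what you get when the key's
    tenant and the target user's tenant do not match.
    """
    http_req = urllib.request.Request(req.url, data=req.body,
                                      method=req.method, headers=req.headers)
    with urllib.request.urlopen(http_req) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else {}


if __name__ == "__main__":
    # Offline demonstration: show what a deactivation call would look like.
    # Against a running instance you would do, for example:
    #   result = send(search_users("email:*@example.com"))
    #   send(deactivate_user(result["users"][0]["id"]))
    req = deactivate_user("0f4c2f8b-0000-4000-8000-000000000001")  # constructed id
    print(req.method, req.url, req.headers["X-FusionAuth-TenantId"])
```

The helpers only build requests; `send` is the single place that touches the network, which keeps the request shape easy to test and makes it obvious that no code path can switch tenants, since the key and header are fixed at module level.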