Bug #2247

closed

Misleading security permission

Added by Stilez y over 13 years ago. Updated over 8 years ago.

Status: Resolved
Priority: Normal
Assignee: -
Category: -
Target version: -
Start date: 02/29/2012
Due date:
% Done: 0%
Estimated time:
Plus Target Version:
Release Notes:
Affected Version: 2.0.1
Affected Architecture:

Description

In checking bug 2245 I noticed a definition used in security groups is misleading.

The "admins" group is defined (when viewing "groups" tab) as having the single permission "WebCfg - All pages". But a user given "WebCfg - All pages" access actually has access to much more - console, shell, VPN, etc. This isn't made clear and should be, because there may well be users one wants to give "Webcfg all pages" access but not shell access, and from a security perspective it's crucial the permissions assigned are clear when the summary user/group tables are viewed.

"WebCfg all pages" permission should mean just that, full access to Webcfg (exactly), not Webcfg and (unstated) much more. Either a new permission "Full access" should be added and "admin" assigned this instead so it's clear, or "admins" should be assigned all webcfg and also VPN, shell, etc.

But either way ACL groups should not show "webcfg all pages" as a permission, and then use it to mean permissions such as full shell/console/ssh access that aren't Webcfg at all. Fix one way or the other.
