"Super Administrator" accounts should not be editable by anyone with access to the "User List".

Idea · Updated 3 years ago · Status: Implemented
Currently, we have two types of "Admin" users in our organization. There are "Helpdesk" users, whose role includes troubleshooting user issues, creating / disabling accounts, and other common tasks. We also have two users with the "Super Admin" role, who manage the system by assigning roles, creating templates, purchasing / deleting phone numbers, etc.

Today, I found out that any Admin user that has the "User List" permission can modify the credentials of a "Super Admin" account. This is something that I consider a vulnerability. No user in any application should be able to, by any method, elevate their own permissions. Currently, our Helpdesk staff, who have the "User List" role, can elevate their permissions by changing a Super Admin's password and signing into their account.

I called RingCentral Support to make sure I wasn't missing something, and they confirmed that this is functioning as intended. They also discussed my concerns with Tier 2 support, and the recommendation I received from them was to remove the "User List" permission from my Helpdesk staff, which would admittedly solve my issue, but would also cripple our Helpdesk's ability to...help users. And I can't put the onus of supporting our 1,000 accounts on TWO Super Administrators.

I also received the suggestion that my helpdesk should have users send their passwords in their help tickets so that the helpdesk agent could sign into the individual users account directly and troubleshoot the issue that way.

I hope it's clear that this suggestion is in no way acceptable. A good IT organization will never need a user's credentials. Taking a user's credentials removes any accountability from the IT staff. When an admin makes a change to an account, it should be logged as an "Administrative Action", and while RingCentral doesn't currently log administrative actions (which is an entirely separate issue), I'm not going to start teaching my userbase that sending their credentials to IT is an "okay" thing to do. It's not, under any circumstances, an acceptable practice.

The obvious solution to this issue is that accounts with the Super Administrator role should not be able to be modified by any user that does not also have the Super Administrator role. If you take a look at the way Google implements the Super Administrator role in its business service offerings, that is exactly what they have done.

"At least one user in your account needs to be a super administrator, but we recommend having at least two. That way, if one of you forgets your password the other can reset it for you. Having more than three super administrators, however, limits all your administrators' options for password recovery...."  -Google
https://support.google.com/a/answer/2405986

I could keep going about this for ages, but I think I've made my point. This oversight is a vulnerability in RingCentral that should not be overlooked.

Karim, Champion

  • super confused by the existence of this issue.

Posted 3 years ago


Mike, Official Rep

Thanks for posting your concerns everyone. We have already forwarded these comments to our Product Team. 

Mike

Karim, Champion

Great.

Cecile Glassy, Champion

Thanks Mike - this is generating some super unhappy fur flying here - so the sooner the better that they change that access issue. 

Eric

Mike, if this helps, let your folks know: As you desire to grow the business into larger customers with 1000+ phones and beyond, your customers will be doing a lot of the 1st level support before RC will ever get the call. Thus, setting up Admin users to do repetitive tasks vs. configuration items performed by Super Users is important.  As RC considers the $$ factor in fixing this, your users offload that 1st level of support work so YOUR call center does not have to do it ($ saved by RC).  It's a win both ways, but RC can't just blow this one off.

Cecile Glassy, Champion

So making sure I understand how to protect our security, the only option I have for the foreseeable future is to re-assign every Admin to prevent their access to change password on SuperAdmin.  Then move all 2060 of our users to a "group" and make the former Admins re-assigned as Managers of that group?   At a time when we are onboarding a huge volume of new users for August 1st, this is not an acceptable solution for use of my time. 

Elliot Beaudoin, Alum

Hello,

I have an update on this item. I am flipping the status to planned on this one. 
In one of our upcoming product patches, in order to secure Super Admins from non-Super Admins we will:

  1. Only allow users with Super Admin roles the ability to edit other users with Super Admin roles. No changes at all should be possible. This also applies to templates and bulk actions.
  2. We will allow non-Super Admins to view Super Admins in the User List if they have permission, but on Save, we will give the user an error message saying that they can't edit that user because they don't have the Super Admin role. The ability for non-Super Admins to see Super Admins in the User List is something we are considering changing in our long term approach to this problem.
  3. We will prevent a non-Super Admin user from assigning the Super Admin role to any user.
Thanks for your patience on this, and I hope this helps in your day to day duties. 

Have a good weekend. 

- Elliot
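The escalation path the original post describes (a helpdesk account with the User List permission resetting a Super Admin's password) and the three-item fix Elliot lists above both come down to one authorization rule. As an added illustration, not RingCentral's code, here is that rule written out: the "before" check that only looks at the User List permission, beside the hardened check that also requires the actor to hold Super Admin whenever the target does, applied to single edits, role assignment and bulk actions alike, with each attempt recorded as an administrative action as the original post asked. The role and permission names, the `Account` shape and the audit record format are assumptions made for the example.

```python
"""Authorization model: Super Admin accounts are editable only by Super Admins.

Added example; role/permission names and data shapes are assumed and do not
describe any vendor's implementation.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Callable


class Role(str, Enum):
    SUPER_ADMIN = "super_admin"   # assigns roles, manages templates and numbers
    HELPDESK = "helpdesk"         # day-to-day user support
    USER = "user"


class Permission(str, Enum):
    USER_LIST = "user_list"       # may view and edit accounts in the user list


@dataclass
class Account:
    username: str
    roles: set
    permissions: set
    password_hash: str = "<unset>"   # placeholder; a real system stores a hash


class AuthorizationError(PermissionError):
    pass


def can_edit_naive(actor: Account, target: Account) -> bool:
    """'Before' logic from the thread: holding User List is enough to edit any
    account, so a helpdesk user can reset a Super Admin's password."""
    return Permission.USER_LIST in actor.permissions


def can_edit(actor: Account, target: Account) -> bool:
    """Hardened check (Elliot's item 1): User List is still required, and a
    target holding Super Admin may only be edited by an actor who also holds it."""
    if Permission.USER_LIST not in actor.permissions:
        return False
    if Role.SUPER_ADMIN in target.roles and Role.SUPER_ADMIN not in actor.roles:
        return False
    return True


def can_assign_role(actor: Account, role: Role) -> bool:
    """Item 3: only a Super Admin may grant the Super Admin role."""
    if role is Role.SUPER_ADMIN:
        return Role.SUPER_ADMIN in actor.roles
    return Permission.USER_LIST in actor.permissions


def reset_password(actor: Account, target: Account, new_hash: str, audit: list) -> None:
    """Single-account edit. Every attempt, allowed or denied, is logged as an
    administrative action attributed to the acting admin, not the end user."""
    allowed = can_edit(actor, target)
    audit.append({"actor": actor.username, "action": "reset_password",
                  "target": target.username, "allowed": allowed})
    if not allowed:
        raise AuthorizationError(
            f"{actor.username} cannot edit {target.username}: Super Admin role required")
    target.password_hash = new_hash


def bulk_apply(actor: Account, targets: list, change: Callable[[Account], None],
               audit: list) -> dict:
    """Bulk action / template application. The same per-target rule is enforced
    so the bulk path cannot be used to bypass the single-edit check."""
    result = {"applied": [], "denied": []}
    for target in targets:
        allowed = can_edit(actor, target)
        audit.append({"actor": actor.username, "action": "bulk_change",
                      "target": target.username, "allowed": allowed})
        if allowed:
            change(target)
            result["applied"].append(target.username)
        else:
            result["denied"].append(target.username)
    return result


if __name__ == "__main__":
    # Constructed sample accounts for a stand-alone run.
    helpdesk = Account("helpdesk1", {Role.HELPDESK}, {Permission.USER_LIST})
    sa1 = Account("sa1", {Role.SUPER_ADMIN}, {Permission.USER_LIST})
    alice = Account("alice", {Role.USER}, set())
    log: list = []
    print("naive check lets helpdesk edit sa1:", can_edit_naive(helpdesk, sa1))
    print("hardened check lets helpdesk edit sa1:", can_edit(helpdesk, sa1))
    try:
        reset_password(helpdesk, sa1, "newhash", log)
    except AuthorizationError as exc:
        print("denied:", exc)
    reset_password(helpdesk, alice, "newhash", log)
    for entry in log:
        print(entry)
```

The check lives in one function that every write path calls (single edit, role grant, bulk/template), which is what makes the fix hold across the surfaces Elliot lists; a UI-only change such as hiding the Save button would leave the bulk and template paths open. Logging the denied attempts as well as the allowed ones gives the audit trail the original post asked for and makes a helpdesk account probing Super Admin records visible to the Super Admins.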

Elliot Beaudoin, Alum

Hello everyone here, 

Just a quick update. Most of you have already seen this, but in a few of the recent updates we've closed this security concern regarding Super Admins. 

- In the first update to 9.2 we gave the non-Super Admin a notification that their changes would not be saved because they did not have access to update another Super Admin
- In the most recent update to 9.2, we removed the Save buttons for non-Super Admins when they are viewing Super Admin users

I am switching this post to Implemented.

I hope to see everyone in a few weeks at ConnectCentral!

- Elliot

Karim, Champion

Music to my ears sir, thank you and the team. :)