[cloudstack-documentation] branch 4.16 updated: note on dynamic roles caveat (#260)

[sureshanaparti]

This is an automated email from the ASF dual-hosted git repository.

sureshanaparti pushed a commit to branch 4.16
in repository https://gitbox.apache.org/repos/asf/cloudstack-documentation.git


The following commit(s) were added to refs/heads/4.16 by this push:
     new 4b0d6f6  note on dynamic roles caveat (#260)
4b0d6f6 is described below

commit 4b0d6f6f057b0bbcedd4861b429daeb383985177
Author: dahn <daan.hoogl...@gmail.com>
AuthorDate: Thu Feb 10 07:26:00 2022 +0100

    note on dynamic roles caveat (#260)
    
    * note on dynamic roles caveat
    
    * Apply suggestions from code review
    
    * saveguard implementation note added
    
    Co-authored-by: sureshanaparti 
<12028987+sureshanapa...@users.noreply.github.com>
    
    Co-authored-by: Daan Hoogland <d...@onecht.net>
---
 source/adminguide/accounts.rst | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/source/adminguide/accounts.rst b/source/adminguide/accounts.rst
index a7e699a..093332d 100644
--- a/source/adminguide/accounts.rst
+++ b/source/adminguide/accounts.rst
@@ -135,6 +135,22 @@ allows CloudStack root admins to create new roles with 
customized permissions.
 The allow/deny rules can be configured dynamically during runtime without
 restarting the management server(s).
 
+.. Note:: in versions before 4.16.1, any user given the custom roles
+          that include permission to create and/or update accounts
+          will have the ability to assign new custom roles to
+          themsevles or other users, irrespective of the privileges
+          given in those roles. This could allow such a user to
+          escalate their own privileges to include any API they might
+          not have had before. Therefore, the dynamic roles should be
+          carefully designed and the `createAccount` and
+          `updateAccount` privileges should only be given to users who
+          you are content to have this level of privilege.
+
+          Since 4.16.1 a user will be prevented to create an account
+          with a role that has any permissions that they do not have
+          themselves. This check will also be performed, since that
+          version, on updating an account-role.
+
 For backward compatiblity, all roles resolve to one of the four role types:
 admin, resource admin, domain admin and user. A new role can be created using
 the roles tab in the UI and specifying a name, either a role type or ID of 
existing