GitHub user BryanMLima added a comment to the discussion: Can't create DomainAdmin Account to Domain
Hello, @hiblinux

First, I just want to clarify how ACS checks if a given role has permission to create another account. It will check if the caller account has permission (i.e., `allow`) to all APIs in the role used by the target account.

Using a diff checker tool, I managed to encounter some inconsistencies that would fail this verification. The following APIs are denied for the role `Domain Admin L2` and are allowed for the role `DomainAdmin`:

- createDiskOffering
- createServiceOffering
- deleteDiskOffering
- deleteServiceOffering
- updateDiskOffering
- updateServiceOffering
- updateConfiguration

Even though the type of the role `Domain Admin L2` is `Admin` and the role `Domain Admin` is of type `DomainAdmin`, ACS will fail in the validation of the APIs above; that's why you are receiving the message `can not create an account with access to more privileges they have themself`.

Now, about the **why** ACS does not allow this: escalation of privileges. If a user could create an account with more privileges than its own, then this is a security concern. Consider a scenario where a custom Root Admin was created with just read permissions. If ACS allowed this role to create another account with more permissions just because it is of type `Admin`, an attacker could use this to create a Root Admin with all permissions, which is not desired.

To tackle your problem specifically, you'll need to normalize the permissions of the APIs mentioned above (and others, if I missed something) for the custom role `Domain Admin L2`.

@DaanHoogland, I don't think this is a bug, it is working as expected.

GitHub link: https://github.com/apache/cloudstack/discussions/10099#discussioncomment-11545633

----
This is an automatically sent email for users@cloudstack.apache.org.
To unsubscribe, please send an email to: users-unsubscr...@cloudstack.apache.org
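The per-API comparison described in the comment above, modelled as an added example that is not CloudStack's own code: a caller may create an account with a target role only when every API the target role allows is also allowed for the caller, regardless of the role type. The `Role` class, the `missing_permissions`/`can_create_account`/`normalize` helpers, the default-deny rule for APIs with no explicit entry, and the sample role tables (which only contain the seven APIs listed in the comment plus a few placeholder APIs) are assumptions made for illustration, not a dump of ACS's real role tables.

```python
# Added example: a simplified model of the "caller must allow every API the
# target role allows" check discussed above. Not CloudStack's code; all
# names, data structures and sample permissions are assumptions.
from dataclasses import dataclass, field

ALLOW = "allow"
DENY = "deny"


@dataclass
class Role:
    name: str
    role_type: str                              # "Admin", "DomainAdmin", "User"
    rules: dict = field(default_factory=dict)   # API name -> "allow" | "deny"

    def permission(self, api):
        # Assumption for this model: an API with no explicit rule is denied.
        return self.rules.get(api, DENY)


def missing_permissions(caller, target):
    """APIs allowed for the target role that the caller does not allow.

    An empty result means the caller may create an account with the target
    role. Only per-API permissions are compared; role *type* is ignored,
    which is exactly why an "Admin"-typed role can still be refused.
    """
    return sorted(
        api for api, perm in target.rules.items()
        if perm == ALLOW and caller.permission(api) != ALLOW
    )


def can_create_account(caller, target):
    return not missing_permissions(caller, target)


def normalize(caller, target):
    """Return a copy of `caller` that also allows every API `target` allows.

    This is the fix suggested in the comment: align the custom role's API
    permissions with the role it needs to create.
    """
    rules = dict(caller.rules)
    for api in missing_permissions(caller, target):
        rules[api] = ALLOW
    return Role(caller.name, caller.role_type, rules)


# Constructed sample roles mirroring the discussion (illustrative only).
COMMON_ALLOWED = ["listAccounts", "createAccount", "listVirtualMachines"]
DISPUTED = [
    "createDiskOffering", "createServiceOffering",
    "deleteDiskOffering", "deleteServiceOffering",
    "updateDiskOffering", "updateServiceOffering",
    "updateConfiguration",
]

domain_admin = Role("DomainAdmin", "DomainAdmin",
                    {**{a: ALLOW for a in COMMON_ALLOWED},
                     **{a: ALLOW for a in DISPUTED}})
domain_admin_l2 = Role("Domain Admin L2", "Admin",
                       {**{a: ALLOW for a in COMMON_ALLOWED},
                        **{a: DENY for a in DISPUTED}})

# The escalation scenario from the reply: a custom Root Admin with only
# read permissions must not be able to create a full Root Admin.
read_only_root = Role("Read-only Root Admin", "Admin",
                      {"listAccounts": ALLOW, "listVirtualMachines": ALLOW})
full_root = Role("Root Admin", "Admin",
                 {**{a: ALLOW for a in COMMON_ALLOWED},
                  **{a: ALLOW for a in DISPUTED}})

if __name__ == "__main__":
    print("L2 lacks:", missing_permissions(domain_admin_l2, domain_admin))
    print("L2 -> DomainAdmin:", can_create_account(domain_admin_l2, domain_admin))
    print("normalized L2 -> DomainAdmin:",
          can_create_account(normalize(domain_admin_l2, domain_admin), domain_admin))
    print("read-only root -> full root:", can_create_account(read_only_root, full_root))
```

Running the block shows the seven disputed APIs as the reason the `Domain Admin L2` caller is refused, that allowing those same APIs on the caller (`normalize`) makes the creation succeed, and that the read-only Root Admin is refused even though its type is `Admin`.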