FusionAuth

Prevent other admins from locking or deleting the default admin

Q&A
admin ui admin account
  • roydan
    last edited by 14 Jan 2021, 16:01

    Hi, so I can create multiple admins for a single tenant using FusionAuth. The other admins can only manage users.
    But the problem is, they can lock the default admin (the first admin account on FusionAuth), and I want to prevent that. So I just kinda want to build "super admin" and "admin" roles. The super admin can delete or manage other admin accounts, but the admin can't delete or manage the super admin account.
    How can I achieve that?

    • dan
      last edited by 15 Jan 2021, 21:34

      There's no way to create such a super admin account that can't be modified in FusionAuth.

      Options I can think of to achieve something similar:

      • make sure you have database backups (a good idea anyway) and recover from your last backup if an admin deletes/locks the primary admin account. Or just investigate the FusionAuth database such that you can flip the bit in there if anyone ever locks the primary admin account.
      • create a second tenant and create a tenant scoped API key. Then build whatever user management tooling you need using that API key. The super user will remain untouched and inaccessible in the default tenant.
      • limit people to the roles that they need and never provide anyone with the user_deleter or user_manager role. The user_support_manager role may be helpful to you: https://fusionauth.io/docs/v1/tech/core-concepts/roles/

      Only the last one allows users other than the superadmin to access the FusionAuth admin UI.

      Feel free to file a feature request explaining your desired functionality in more detail if you'd like.

      --
      FusionAuth - Auth for devs, built by devs.
      https://fusionauth.io
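
An added example, not part of dan's answer or FusionAuth's own code: a least-privilege audit for the third option, flagging any account other than the designated super admin that holds user_deleter, user_manager or the built-in admin role on the admin UI application. It assumes an exported user list shaped like the user API JSON (`email`, `registrations[].applicationId`, `registrations[].roles`); the application Id, e-mail addresses and sample users are constructed placeholders.

```python
"""Audit FusionAuth admin UI role assignments against a least-privilege policy."""

# Roles the answer says not to hand out, plus the built-in "admin" role
# (assumption: the default admin holds it, and it can also lock or delete users).
RISKY_ROLES = {"admin", "user_deleter", "user_manager"}

# Placeholder: use the Id of the FusionAuth admin application in your instance.
ADMIN_APP_ID = "00000000-0000-0000-0000-000000000001"


def audit_admin_roles(users, admin_app_id, super_admin_emails):
    """Return sorted [(email, [risky roles])] for every account, other than the
    designated super admins, that holds a risky role on the admin application."""
    allowed = {e.lower() for e in super_admin_emails}
    findings = []
    for user in users:
        email = (user.get("email") or "").lower()
        if email in allowed:
            continue  # the account we are trying to protect
        for reg in user.get("registrations") or []:
            if reg.get("applicationId") != admin_app_id:
                continue  # roles on other applications do not grant admin UI rights
            risky = RISKY_ROLES.intersection(reg.get("roles") or [])
            if risky:
                findings.append((email or user.get("id", "<unknown>"), sorted(risky)))
    return sorted(findings)


# Constructed sample export, for illustration only.
SAMPLE_USERS = [
    {"email": "Super@example.com",
     "registrations": [{"applicationId": ADMIN_APP_ID, "roles": ["admin"]}]},
    {"email": "support@example.com",
     "registrations": [{"applicationId": ADMIN_APP_ID,
                        "roles": ["user_support_manager"]}]},
    {"email": "ops@example.com",
     "registrations": [{"applicationId": ADMIN_APP_ID,
                        "roles": ["user_manager", "user_deleter"]}]},
    {"email": "dev@example.com",
     "registrations": [{"applicationId": "00000000-0000-0000-0000-0000000000aa",
                        "roles": ["user_manager"]}]},
    {"email": "second-admin@example.com",
     "registrations": [{"applicationId": ADMIN_APP_ID, "roles": ["admin"]}]},
]

if __name__ == "__main__":
    for email, roles in audit_admin_roles(SAMPLE_USERS, ADMIN_APP_ID,
                                          ["super@example.com"]):
        print(f"{email}: {', '.join(roles)}")
```
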
