
Feature: add a new super-admin role with the authority of revoking access to admin members

Open gdorsi opened this issue 11 months ago • 4 comments

Background

Currently, the role management system in Jazz has limitations around admin permissions where admins cannot be downgraded except by themselves. This creates potential issues for organization management and differs from common patterns seen in platforms like GitHub. A new "Owner" role is proposed to provide additional control while maintaining security.

Requirements

New Role Definition

  • Create a new "Owner" role that sits above Admin in the permission hierarchy
  • Owner should have all Admin permissions plus:
    • Ability to downgrade/remove Admin users
    • Ability to manage all member roles regardless of their current role level
  • The system will not enforce owner succession rules (when an owner leaves) - this will be left to individual applications to implement

Additional Context

This change aims to provide better control for organization management while maintaining the secure-by-default approach of Jazz. The goal is to allow members to be given invitation powers (Admin role) without risking unauthorized removal of original owners or other members.

gdorsi, Jan 22 '25 09:01

From anselm feedback:

Can we name it something else to distinguish it from the CoValue "owner" concept?

gdorsi, Jan 23 '25 10:01

This would be great, perhaps call it creator?

raymonddaikon, May 18 '25 03:05

This would be great, perhaps call it creator?

Yeah, maybe it's a better way of naming it.

gdorsi, Jul 04 '25 14:07

From some other discussion (rephrased):

I think we need a super-admin role in Jazz that is allowed to remove other admins from groups - or maybe a "writer with invite permissions". To implement account rotation for worker groups, where workers should be able to invite other members, they currently need to be admin. However, this makes it impossible to remove those worker accounts from either a "god" account or other worker accounts, because admins cannot kick/demote other admins. So for this use case we would either need a role that is a writer + invite permission, so that a worker can add other accounts to a group - most likely up to this new "writer+invite" role - and at the same time be removed by regular admins, or have "super-admins" as per the issue description. This is important because at this time, if one creates admin worker accounts, once one of them is compromised (i.e. by leaking its secret) there's no way to remove it.

Elfo404, Jul 04 '25 14:07

Introduced the new role manager to achieve this: #3050

Takeno, Nov 26 '25 13:11
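
A simplified model of the permission rule requested in this thread, as an added example (not Jazz's implementation and not the code from #3050): it runs the leaked-worker case from the discussion with and without a role above admin. The names `Role`, `canSetRole`, `rotateLeakedWorker`, the `superAdmin` label, the account names and the rule that nobody grants a role above their own are assumptions.

```typescript
// Hypothetical model of the role rules discussed in this issue, not Jazz's API.
type Role = "reader" | "writer" | "admin" | "superAdmin";

const RANK: Record<Role, number> = { reader: 0, writer: 1, admin: 2, superAdmin: 3 };

// Decide whether `actor` may set `target` to `newRole` (null = remove from group).
function canSetRole(
  members: Map<string, Role>,
  actor: string,
  target: string,
  newRole: Role | null,
): boolean {
  const actorRole = members.get(actor);
  // Only admins and above manage membership; non-members manage nothing.
  if (actorRole === undefined || RANK[actorRole] < RANK.admin) return false;
  // Assumption: nobody grants a role above their own, otherwise an admin
  // could promote itself and then remove the top-level accounts.
  if (newRole !== null && RANK[newRole] > RANK[actorRole]) return false;
  // Stepping down or leaving is always allowed (admins can downgrade themselves).
  if (actor === target) return true;
  const targetRole = members.get(target);
  // Target is not a member yet: this is an invitation.
  if (targetRole === undefined) return newRole !== null;
  // Existing member: the top role manages everyone regardless of level;
  // admins manage only lower roles, so admin-vs-admin is denied.
  return actorRole === "superAdmin" || RANK[actorRole] > RANK[targetRole];
}

// Constructed scenario: worker-1's secret has leaked and "god" tries to revoke it.
function rotateLeakedWorker(topRole: Role): { revoked: boolean; leakedCanInvite: boolean } {
  const members = new Map<string, Role>([
    ["god", topRole],
    ["worker-1", "admin"],
    ["worker-2", "admin"],
  ]);
  const revoked = canSetRole(members, "god", "worker-1", null);
  if (revoked) members.delete("worker-1");
  // After the revocation attempt, can the leaked account still add members?
  const leakedCanInvite = canSetRole(members, "worker-1", "new-account", "writer");
  return { revoked, leakedCanInvite };
}

console.log("god is admin:     ", rotateLeakedWorker("admin"));
console.log("god is superAdmin:", rotateLeakedWorker("superAdmin"));
```

With `god` as a plain admin the revocation is denied and the leaked account keeps its invite power; with a role above admin the revocation succeeds and the leaked account loses it.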