shreyas35

Reputation: 33

Cannot delete a user with admin role, although it is not the last user

I have created two users, namely [email protected] and [email protected], with the admin role. I tried to delete one of the users, but the application does not allow it. It shows the following error: "SEC-LASTADMIN: (err:FOER0000) Cannot delete last admin user : [email protected] (Though the user is not the last one)".

I also found that when we change the following code in the security.xqy module in MarkLogic (line no. 1300), it works perfectly fine:

Before: if (fn:count($admin-users) eq 1)
After: if (fn:count($admin-users) eq 1 and $admin-users[0]/sec:user-id eq $user/sec:user-id)

I am using MarkLogic 8.0-3.

Is this a security.xqy module bug? If not, is there any other way to solve this?

Upvotes: 2

Views: 993

Answers (2)

Wayne Feick

Reputation: 555

It is a requirement of the product that some user must directly have the admin role. In other words this is not a "known issue", but rather a case of "works as designed".

It doesn't seem like a big issue in a production system to ensure that some user directly has the admin role, and it sounds like in your case it's just that you weren't clear on the requirement and were asking. We have no plans to change this requirement at this time, since there doesn't seem to be any compelling reason to make that change.

Upvotes: 0

grtjn

Reputation: 20414

This is a known issue. The issue is that your user inherits the admin role, rather than having it directly. The security library, however, counts admins by looking at users that have the admin role directly. The work-around for this issue is to make sure the user doesn't inherit the admin role, but has it directly, or doesn't have it at all.

I'd recommend not giving the user the admin role. Apply as few privileges as possible, and if necessary use Amps to allow a user to do things beyond its privileges.

HTH!

Upvotes: 1
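
The direct-versus-inherited distinction described in the answer above, as an added example that is not part of the original thread and is not MarkLogic's code. It is a Python model over constructed users and roles: the role map, the names and the helper functions are assumptions, and the `== 1` test mirrors the condition quoted in the question.

```python
# Model only: constructed sample data, not read from a Security database.
ROLE_PARENTS = {              # role -> roles it inherits from
    "admin": set(),
    "app-admin": {"admin"},   # inherits admin
    "app-writer": {"app-reader"},
    "app-reader": set(),
}
USER_ROLES = {                # user -> roles assigned directly
    "alice": {"admin"},       # admin held directly
    "bob": {"app-admin"},     # admin held only through inheritance
    "carol": {"app-writer"},  # no admin at all
}


def effective_roles(direct, role_parents):
    """Expand directly assigned roles through inheritance (cycle-safe)."""
    seen, stack = set(), list(direct)
    while stack:
        role = stack.pop()
        if role not in seen:
            seen.add(role)
            stack.extend(role_parents.get(role, ()))
    return seen


def audit_role(role, user_roles, role_parents):
    """Return (direct holders, inherited-only holders) of `role`."""
    direct = sorted(u for u, r in user_roles.items() if role in r)
    inherited = sorted(
        u for u, r in user_roles.items()
        if role not in r and role in effective_roles(r, role_parents)
    )
    return direct, inherited


def last_admin_check_fires(user_roles, role_parents, role="admin"):
    """Hypothetical stand-in for the quoted test: only direct holders count."""
    direct, _ = audit_role(role, user_roles, role_parents)
    return len(direct) == 1


def grant_directly(user_roles, user, role):
    """Work-around from the answer: give the role directly, not via another role."""
    updated = {u: set(r) for u, r in user_roles.items()}
    updated[user].add(role)
    return updated


if __name__ == "__main__":
    print(audit_role("admin", USER_ROLES, ROLE_PARENTS))
    print(last_admin_check_fires(USER_ROLES, ROLE_PARENTS))
```

In this model two users are effective admins, yet only one is counted, so the check fires; after `grant_directly(USER_ROLES, "bob", "admin")` it no longer does. The inherited-only list is also the set of accounts to review against the least-privilege advice in the same answer.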
