Give administrators FULL permissions!
Summary
Users with Administrator permissions can't do everything.
Description
1. It appears that there can only be two users in the Administrators group - the admin user and one other. This is insufficient. We don't allow our people to use generic logins like “admin” (because we don't know who they are when they're logged in) and that only leaves one other person with Administrator rights. What if a business needs two or three or four? There can be no sensible reason for limiting this to two. It's too inflexible and I've never heard of any other software product that has such limiting restrictions. You need to let the customer manage their software the way they want to, not the way your development team set it up. It's not your decision.
2. A user in the Administrators group can't do everything. The local admin account can't edit, disable or delete the other user in the same group. We now have a situation where that one other person has changed responsibilities and we wish to give the role to another. It seems that we have to rely on that first person to go through the Change Owner process. What if that user has left the organisation? What if that user is uncooperative? We can't even change his e-mail address and go through a "forgot password" operation. We are totally at his mercy because only he can change the owner. This is totally unsatisfactory. We want to grant someone else the Administrators group now, *today*. How?
3. A Change Owner process DELETES the previous owner! What if he's just changed roles and shouldn't be deleted? Yes I know he can be re-created but this shouldn't be necessary. Like any software product that manages permissions, someone in the Administrators group (and especially user “admin”) should be able to add and remove permissions (grant or revoke group membership) to as many people as he likes, whenever he likes, to suit the business needs, not be locked into strange rules about limiting number of administrators, change owner, and deleting accounts.
4. You should never ever block user “admin” from doing anything for reason of lack of permissions. There might be other reasons why a user shouldn't be permitted to perform a function and that's fine, but never because of permissions. User “admin” should be able to do anything.
Business impact of the limitation or the missing feature
We can't manage the software the way we want to because of your restrictions. We want to be able to have the flexibility to add any number of users to the Administrators group, modify any user at any time, and not have it delete previous owners. In fact the whole concept of an “owner” doesn't really seem necessary. You should get rid of it but if you want to keep it, fine, but let anyone in the Administrators group change the “owner”.
We know there is history here and a recent change added the Power Users group but the history history is irrelevant - we still can't do what we want.
Please remove the annoying restrictions that are preventing us from managing the software the way we need to.
Miscellaneous
Please help us move membership of the Administrators group from one user to another, preferably without involving the first user, today.
-
Hello!
Thank you for your feedback.
We're launching our Enterprise tier with Organizations support, which allows unlimited System administrators number to be added at the Organization level.
You can find more information here: https://youtu.be/uwLI0TylsIA?t=14 and https://www.networkoptix.com/blog/2024/10/08/introducing-gen-6-enterprise#organization-layer.
We're preparing additional materials on this topic, so stay tuned!
0 -
Wow, excellent! Thanks for that. Will these new administrators be able to change the “owner” without the cooperation of that person (which may not always be forthcoming) or are you getting rid of the concept of an owner? Will they also be able to edit/modify other administrators?
0 -
Hi!
All administrators have similar permissions, but we currently don't have a mechanism to change an owner. If the owner isn't cooperating, other admins can still perform all the same functions this person could do.
We're continuing to improve the user management aspects of our system and are considering how to address this specific issue. Unfortunately, I can't provide a timeline for this improvement yet.
0 -
Thanks for explaining Nikita.
> other admins can still perform all the same functions this person could do
While this may be the case, I'd like to point out that if a business has an uncooperative “owner” or an owner they cannot contact, they are stuck with a person who has full administrator permissions to their system and there's nothing they can do about it. They can't disable the owner, they can't delete him, they can't reset his password and log in as him, they can't even change his e-mail address then click “Forgot password”. This is a *major security weakness*. The whole security of the system revolves around one person and no-one else can do anything about it. You don't need the concept of an owner. For future consideration, you could remove the whole idea of an owner and just have administrators, as many as the customer wants. Or in the short term, and this would be much easier to implement, just allow any administrator to change the owner AND allow any administrator to edit and delete any other administrator. Problem solved!
Please consider.
0 -
Well, in the Enterprise tier, there are multiple administrators, as Nikita mentioned, and they can “delete” each other from the Organization. Therefore, if someone is unavailable, this is not a problem in Enterprise. Though a non-cooperative administrator can just delete all others, that's always a problem, and there is no solution against a misbehaving user with full administrator rights.
0 -
Thanks for your response Tagir. Misbehaving administrators is not really a problem. Every software product has that issue. Having an “owner” that has left the organisation and can't be contacted (or won't co-operate, especially if that person has been fired) - that's the problem!
You say that the new features are coming in the Enterprise tier. Can you tell me how I find out what tier we're on? Can I look in the settings somewhere? Our site has a single NX server and just 15 cameras. I'd be surprised if we're on the enterprise tier, so if we're not, the changes won't help us.
0 -
What is the solution for the customers that don't want to use this new enterprise product subscription and stay on the perpetual license model ??
We must have the option for multiple admins both locally and cloud !!
This is the most annoying not-a-feature as there are normally multiple stakeholders that are required to make admin changes to a system from the installer to end user and in between.
0
Please sign in to leave a comment.
Comments
7 comments