2

I am currently developing a web application (in Ruby on Rails) for my university's department. The web application's user base have several roles: director (the director and assistant director of the laboratory for the department), lab assistant (students who work in the laboratory ), faculty and student. The roles divide up succinctly what one can do in the web app - access to resources, ability to create/edit but not delete, sending emails, etc.

Currently I have a director-level account that only I know the credentials for. However, it just so happens that recently I needed full access to the system to edit a particular resource which even director didn't have full access to. I'll note here that there are some resources that faculty users create that even director can't modify, which just-so-happened to be the thing that needed to be modified.

So, I SSH'd into the server, ran rails c to get into the database, and manually changed the resource there. Needless to say, that was a time-consuming process that could have been much faster had I simply access to update the fields via the existing web form.

I could very easily create an admin role to ensure that I always have full access to the system if need be. However, I graduate in a year. Though I'll be maintaining the project for years to come, it's not impossible that someone else takes over.

Currently, no user has full admin rights in the system; I have full access by SSH'ing into the server and accessing the database directly, but this isn't ideal in terms of data management as it's a cumbersome method. Thus, a full-access admin account would be very useful. However, our use case only requires that an admin edit data in extreme circumstances. Most of the time, roles such as faculty create resources that even director (more or less a pseudo-admin) shouldn't modify.

Should every software system have a full-access admin user? Or, is there some more appropriate solution that I am overlooking?

Improve this question
9
  • Ask them. My guess is they'll say no, but you could point out to them that they might need you for administrative purposes. Commented Jul 20, 2016 at 16:03
  • @RobertHarvey Actually, they'd both likely be fine with me having such access, given previous circumstances and their trust in me. I'm just wondering if it really makes sense to do so, or if there's a better way to manage the problem :) Commented Jul 20, 2016 at 16:04
  • If you're asking if there's a way to do things that require admin privileges without having admin privileges, I'd say there probably isn't. Commented Jul 20, 2016 at 16:05
  • @RobertHarvey Well, there's always the direct server SSH-into-database method. Its cumbersome, but it works. Personally I'd rather have a role for my account that can access everything through the pretty interface of the web app; but, are there concerns that need to be dealt with? Potential threats to creating that role? These are the things I'm trying to think about. Access to the server is much more secure with a 4096-bit RSA key; the web app might have a bit less on that front... Commented Jul 20, 2016 at 16:08
  • So... nobody currently has super/admin privileges? Commented Jul 20, 2016 at 16:09

1 Answer 1

Reset to default
4

In most applications there's a need for admin access with permission to see and/or tweak everything.

In your case, you're talking about changing the structure of the application via data - eg editing fields or system settings - but not changing data. This is perfectly suited for an admin user and you really shouldn't even worry about this level of access.

Where things get more grey is with user data, ie the stuff that's been entered and could be linked to someone and thus blame assigned in certain circumstances. There are 3 ways to deal with this level of editing access when you're not the user who owns the data:

  • say 'who cares, its all mine and I'll do whatever I like'. This is not good and should always be avoided or actively prohibited.
  • Allow editing of any data, but create an un-deletable audit entry saying what changed and who did it.
  • Only allow the data's owner to change it, but give the admin the ability to take ownership.

The latter 2 are good because they let the admin change things where necessary, but make sure everyone knows this has happened. I know, you can often go into the DB directly and update entries in SQL, but that should be locked down too, so only trusted people have access. (note: this is a different level of access to an admin of the front-end app, but if you really wanted to be paranoid over data security, you'd encrypt it and ensure only the user who owns the key has access... it starts getting really complex then).

So TL/DR; it seems you have various levels of user access, adding an admin role that has access to all these levels is quite normal.

Improve this answer
1
  • Thanks for your answer! I'll leave the question un-accepted for a moment to see if anyone else comes up with a different approach/perspective. Particularly, I agree with your second method. In fact, our department has a history of not having an audit history, so having that alone would be useful. With such a system in place, I think the full-access admin approach is the right one. Fortunately, there are really good audit libraries for Rails which makes my job a lot easier! Commented Jul 20, 2016 at 16:35

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.