Still testing password vault and I noticed that when I create a second administrator (e.g. admin2) and when I create a security group admin1_private I cannot revoke the viewing, adding, editing or deleting rights from admin2 on this security group.
In the Security Group Rights window you can add or remove certain rights per user. However, when I deselect the rights on admin2 and click save, the rights are not revoked. The popup window just disappears without a warning. When opening the security group rights window again it is clear that permissions are not limited.
This is really a shortcoming for us since we don't think an administrator should have viewing rights (or other rights) on every entry. An administrator should be a user that can administrate users, security groups and roles. As long as auditing is done it isn't even a problem that an administrator can change its own rights, because at least you would have an audit trail and know if an admin is doing things he isn't supposed to do.
That is indeed how our system is designed at this time. The Administrator privilege is more akin to a sysadmin that inherently has all rights.
This topic would be better served by being posted in the Feature request forum, as what you are describing is a basic feature of the system.
Ok, thanks for your reply. I thought it would be like this but I still consider it sub-optimal :-).
But in any case I consider it a bug that in the GUI you can deselect the checkboxes for the permission and click save.
I would expect one of the following behaviors:
1) It is impossible to disable the checkboxes (they are greyed out) (for me the most logical one)
2) You get a warning message when saving that the administrator will still have the rights.
Because now the window disappears and since I didn't get a warning I supposed everything was OK, until I checked with the other admin account and noticed it wasn't. Then when I looked back I saw that the boxes were checked again. So he doesn't complain but in fact doesn't change anything under the hood either, which is very confusing.
But now that I know I'll keep it in mind.
Good point, I'll open a bug for that.