Feature #13326

Security against Administrators

Added by Jonathan Chen over 9 years ago. Updated over 9 years ago.

Status: New
Start date:
Priority: Normal
Due date:
Assignee: -
% Done: 0%
Category: Security
Target version: -
Resolution:

Description

We want to add security against certain system administrators, for example:

A User Administrator will be able to administer user accounts, such as user creation, etc.

A Project Administrator will only be able to manage and administer projects.

The reasoning is that we have some confidential projects that we would like system administrators not to have access to.

History

#1 Updated by Pavel Lautsevich over 9 years ago

+1

#2 Updated by Jan Niggemann (redmine.org team member) over 9 years ago

  • Status changed from New to Needs feedback

The administrator of the underlying OS will most likely have access to the raw data in the database. How would you deal with that?

#3 Updated by Jonathan Chen over 9 years ago

One person will always have access to the whole thing or at least to parts of it no matter what you do. Even if I do system-wide encryption there would be at least one person having access to it. I do not have any issues with that one person since it's me. But in my organization we have about 200+ users in the system, and it would be nice for me to delegate some of the tasks of user maintenance, project maintenance, etc. to others without having to give full access to everything.

But to answer your question, the way we protect against the OS admin would be to use some sort of auditing procedures. Redmine doesn't really have any auditing features, but I would do auditing on the DB level to audit who looks into the database.

#4 Updated by Jan Niggemann (redmine.org team member) over 9 years ago

  • Status changed from Needs feedback to New
