[Strapi role hierarchy] Restrict the ability to create new users with the SuperAdmin role for users of a custom role

Hi friends, I’m testing Strapi Community Edition (STRAPI VERSION v3.6.0).

I logged in with my user superAdmin (MeSuperAdmin).
I have created a new role for the ADMINISTRATION PANEL (I have called it “partner”).
A partner can create new users for the administration panel and new roles; also, he should see only the list of roles that he has created plus the one he has (he should not see the role Super Admin).
I added a new user (user01Partner) to this new role (partner).
I logged in with this new user (user01Partner) and certainly could only create new users and new roles (since the other configuration options are disabled), so far so good.
But when adding a new user, in the role combo box I could see the role SuperAdmin; I selected it and finished creating the user, which is exactly what I don’t want.

A user with the partner role should not create superAdmins as it violates security.

What did I do to try to restrict the permissions of the partner role?

  • With the user superAdmin (MeSuperAdmin) I went to roles, selected partner, edit role, clicked on the settings tab, then users and roles. Here I deactivated, then checked Create, then “define conditions”, and set [“CAN READ WHEN” is Creator].

I logged out and logged back in with the user (user01Partner), but he could still create new users with the “superAdmin” role.
In fact, a user with a “partner” role can even assign himself the “super admin” role or create new users with a “super admin” role.

2 questions arise:

  1. Is there a way to get a custom role that can create new users who do not have a higher access level than he does?

  2. What is the goal of creating new users (invite)?

Hello,

Strapi just made custom roles available even in the Community edition, and so I am dealing with the same issue (almost 2 years later).

Did you @sofiacoder3000 (or anyone) make any progress on this?

Thanks

Maybe you could use RBAC for this, but super users could change that, so I guess your solution would have to be a custom middleware on both the admin and the API.