It turned out, that every "Project Admin" can set the access-rights of a certain project/backlog for the "System-Administrator" to "No Access".
For our Subversion-integration this is causing a big problem!
We created a subversion-server-side-hook, which is checking the commit-comment for a valid VersionOne story-ID. This hook is using the log-in of the "System-Administrator".
So if some "Project Admin" sets the roles of the "System-Administrator" of his node to "No Access" nobody is able to commit changes to stories in this node anymore.
Unfortunately it is also no longer possible for the "System-Administrator" to log-in and change his rights on this certain nodes!!!

I emailed this problem to support, and they came up that this is the system design and not a bug!

Comments

  • I agree. This is a BIG problem. Project administrators should never be able to take access away from the system administrator.

  • We have had several cases where the System Administrator's privileges have been accidentally revoked or downgraded by project administrators. This happens the the person with the system admin role is also a team member on a specific project. In that case, the project admin for that project will designate the system admin as a "team member", not realizing that he/she already has system admin rights. The system admin loses admin rights on the project.

  • This makes it very difficult to support my project admin's when they have the ability to remove my access to their project. When they need a change they can't do or they need help troubleshooting, I always have to have them add back my access as the system admin.

  • I agree that the System Admin should be "untouchable" by lower admin users.

  • Agreed!

  • Agreed, this is a big problem for Panduit as well as we extend our VersionOne use at the enterprise level. We want to be able to enable other Project Admins to self service and to lessen administration needed by the system admins and this is preventing us from doing that.

  • I agree it will cause issues within the organization as System Admins privileges should not be editable by lower admin users.

  • Massive issue. It allows people to banish sysadmins from their area without even an understanding of what they are doing. At the very least, it would be helpful to pop something up and educate the user about the impact of their decision.

  • I added this note in another "idea" as a security issue. Ideaspace stinks because important things like this don't get seen by everyone. But back to this issue, I've had many calls asking about a lost project that even I cannot see because someone gave everyone "no access". There's nobody to help - nothing I can do.

    The security issue is, if someone with a raised privilege got into the system, they wouldn't have to delete anything. Just change all the privileges to "no access" and they've wiped the system clean. Time to get out the backups.

    The other security issue is... there's no way to find out what happened or who changed those privileges. No logs. This is a perfect storm.