Snipe-it: Admin not respecting company boundaries

Created on 21 Oct 2017 · 19Comments · Source: snipe/snipe-it

Expected Behavior (or desired behavior if a feature request)

*enabled "_Full Multiple Companies Support"_
*Created company A
*created company B

*Created User1, assigned user 1 to Company A
*Created User2, assigned user 2 to Company B
*gave both users admin rights (no super admin rights)

*Create location X - Assign user 1 as Manager
*Create location Y - Assign user 2 as Manager

*Create Asset1 - Assign Asset to Company A
*create Asset 2- Assign Asset to Company B

_Recent Activity_ shows 1 total asset
_Asset categories_ shows 1 assset

&&&&&&&&&&&&
Deploying Asset
User 1 can ONLY see locations managed by user 1
User 2 can ONLY see locations managed by User 2

In this set up, I'd like to have total seperation of comapnies based on "Restricting users (including admins) assigned to companies to their company's assets." from the text in the _General settings_ page

Restricting users (including admins) assigned to companies to their company's assets.

Actual Behavior

*enabled "_Full Multiple Companies Support"_
*Created company A
*created company B

*Created User1, assigned user 1 to Company A
*Created User2, assigned user 2 to Company B
*gave both users admin rights (no super admin rights)

*Create location X - Assign user 1 as Manager
*Create location Y - Assign user 2 as Manager

*Create Asset1 - Assign Asset to Company A
*create Asset 2- Assign Asset to Company B

_Recent Activity_ shows 2 total asset (including ones assigned an checked out to user in different company)
_Asset categories_ shows 1 assset

&&&&&&&&&&&&
Deploying Asset
User 1 can see locations managed by user 1 & user 2

Please confirm you have done the following before posting your bug report:

[ ] I have enabled debug mode
[X] I have read checked the Common Issues page

Provide answers to these questions:

Is this a fresh install or an upgrade? Fresh
Version of Snipe-IT you're running 4.0.13
Version of PHP you're running 5.6.31
Version of MySQL/MariaDB you're running MySQL 5.6.37
What OS and web server you're running Snipe-IT on Cpanel 66.0.26 running on litespeed (i think- not sure of version)
What method you used to install Snipe-IT (install.sh, manual installation, docker, etc) manual install
WITH DEBUG TURNED ON, if you're getting an error in your browser, include that error n/a
What specific Snipe-IT page you're on, and what specific element you're interacting with to trigger the error n/a
If a stacktrace is provided in the error, include that too.
Any errors that appear in your browser's error console.
Confirm whether the error is reproduceable on the demo: https://snipeitapp.com/demo. Yes it is.
Include any additional information you can find in app/storage/logs and your webserver's logs.
Include what you've done so far in the installation, and if you got any error messages along the way.
Indicate whether or not you've manually edited any data directly in the database No edits other than config of the env file.

Please do not post an issue without answering the related questions above. If you have opened a different issue and already answered these questions, answer them again, once for every ticket. It will be next to impossible for us to help you.

https://snipe-it.readme.io/docs/getting-help

Want to back this issue? Post a bounty on it! We accept bounties via Bountysource.

ready for dev

Source

Loopmail

Most helpful comment

This is still a major issue.

The developer should either update the documentation to reflect this poor choice in security or provide a workaround. I mean after all, he is selling the product as a SaaS. We have developers in-house who are considering the option of just fixing it. But if the developer here is not will to take ownership of the issue then we will not provide the fix.

zharding on 6 Jan 2019

👍3

All 19 comments

Admins can see across companies

snipe on 21 Oct 2017

I thought that's the role of the super admin.

Basing that on:

https://snipe-it.readme.io/docs/permissions

Admin
Can NOT access Admin Settings, and is constrained by Company scoping when Full Company Support is enabled, but can perform all functions (create, edit, delete, etc) for all other aspects of the app.

As well as ON the General setting page: Restricting users (including admins) assigned to companies to their company's assets.

Loopmail on 21 Oct 2017

Super admins have the ability to edit app settings, admins do not.

snipe on 21 Oct 2017

Yes. Understood.

By my read of the documentation, the admins should also only be constrained to their company assets.

I'm trying to set it to I can have a manager at each company with a dashboard who can see whole of their company but none of the other company.

Is that able to be done? (the dashboard looks pretty, and I know the people who will look at that get a kick out of that kind of feature...)

Loopmail on 21 Oct 2017

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions!

stale[bot] on 20 Jan 2018

+1, I am currently using a multi-company setup and would love the dashboard to be company specific for admins limited to a single company

joshua2parker on 3 May 2018

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions!

stale[bot] on 2 Jul 2018

Any news regarding this?

I am still waiting to deploy snipe-it in other destinations of our company because of this. The user I created for another company, can see all assets in the system. (when is not happening in accesories, licenses or consumables)

Also, when you add an asset inside a company structure, the companies dropdown should be removed or auto-selected with the company of the user.

adriahn on 4 Jul 2018

Is this still relevant? We haven't heard from anyone in a bit. If so, please comment with any updates or additional detail.
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Don't take it personally, we just need to keep a handle on things. Thank you for your contributions!

stale[bot] on 2 Sep 2018

This issue has been automatically closed because it has not had recent activity. If you believe this is still an issue, please confirm that this issue is still happening in the most recent version of Snipe-IT and reply to this thread to re-open it.

stale[bot] on 9 Sep 2018

This is still a major issue.

zharding on 6 Jan 2019

👍3

I need exactly this and I can finish deploying to our entire district.

loganhawker on 1 Jun 2020

This is still a major issue.

The developer should either update the documentation to reflect this poor choice in security or provide a workaround. I mean after all, he is selling the product as a SaaS. We have developers in-house who are considering the option of just fixing it. But if the developer here is not will to take ownership of the issue then we will not provide the fix.

Any news on this?

loganhawker on 1 Jun 2020

This leaves the feature of Company worthless, I don't want people seeing ANYTHING from one company to the next, you can even check out someone else's item to someone to a different company. You can't have a client admin pulling dashboards or assigning assets to wrong company users, the isolation is not complete and makes this unusable. It's really a shame as I know a bunch of MSPs that would kill for this thing but this is a total deal killer. Please consider fixing the permissions, I just wasted hours installing and setting up with the expectation of the company providing segmentation and it does not.

B1zanat0r on 19 Sep 2020

Okay, it looks like this issue or feature request might still be important. We'll re-open it for now. Thank you for letting us know!

stale[bot] on 19 Sep 2020

I mean after all, he is selling the product as a SaaS.

She.

I'm still kind of unclear on what the issue is here. When I create Test User - Company A and Test User Company B, with full company support enabled, my dashboard shows up blank, and the list of assets is blank if the assets belong to another company.

Screen Shot 2020-09-18 at 4 13 18 PM

Screen Shot 2020-09-18 at 4 13 26 PM

Screen Shot 2020-09-18 at 4 13 34 PM

snipe on 19 Sep 2020

(Note that you see Snipe E. Head as someone an asset was checked out to in these screenshots because it was checked out before I enabled full company support and changed the company association in the assets.)

snipe on 19 Sep 2020

Thank you for your response, I might have come off a little harsh (sorry) it's great software so hopefully, we can resolve this issue. I'm putting together some screenshots for you and will provide you anything you need.

B1zanat0r on 19 Sep 2020

Created Admin A & B-

with admin permission:

Created Asset B for Customer B

Now if I login as A Admin we can see a few issues:
Dashboard - I can see 6 Assets, although only 1 has been created and assigned to my company

If I goto Create I can create an Asset for any Company (even though I'm only 'Company A')
I can see other companies Models (and edit those) and locations
I can even see all other users, when you goto Checkout-To and say type in 'B' I can see all users with B in their Name

After saving the asset I can login as B admin (without admin role assigned) and see I have a new asset assigned to me

If I change my B to have Admin -> People -> Edit -> Permissions -> Admin (Grant) and refresh the page:

I can see 7 devices (although Company B should only have 1)

Of course Settings Companys, Locations, Models all show everyone's information.
And I can create an Asset and assign it to Company A if I wanted just like above....

I would be more than happy to set up a call, screen share, and do whatever testing and feedback to help.

Once again thank you for your response!

B1zanat0r on 19 Sep 2020

Was this page helpful?

0 / 5 - 0 ratings