Hi,

I have a custom page I need to be only accessed by superAdministrators.
In order do do this, I created an application privilege and added it to the required security privilege of the page. Then I added the application privilege to the superAdministrator role.

Now I would like to hide that application privilege from regular Administrator to prevent them from managing that privilege. I know it is possible to do this with System Privileges by suppressing them but I can't seem to be able to do so with Application privilege.

Is there a way to hide an Application privilege?

Thank you

Don't think so, and I don't think it'd be practicable if it were. (there would be a variety of easy exploits to get around it with the configure and manager privileges)

If you can't trust your administrators to manage privileges, then you should remove them from the Administrator privilege.

I want to hide that privilege from my administrator because I have implemented realm area filtering in my application. That page is a custom wizard that concern all the realms, that is why only my superAdministrators have access to it. The regular administrators each administer a single realm while the superAdministrators administer every realms.

Regular administrators won't be able to use that page anyway since it will concern other realms, so it make sense to me that I would hide it from them.

Is it possible then to hide a page that work outside the realm area of the user by other means than application privilege?

What is done in a lot of cases like this is have a SuperUSer page that is secured so only someone with the correct privilege can access that page. It will appear on the page menu, but be grayed out for anyone that doesn't have the privilege.

What kind of privilege would be used in that situation? Do I implement this in script?

I tried using SecurityCheck to achieve this but I wasn't able to show an error dialog and closing the page. I only manage to do one or the other.

It would be best if I could hide that page, but if it is grayed out, it's fine as long as administrators confined in realm can't access it and can't grant themselves the privilege to do so.

There is no special privilege, just add an Application Privilege , open the page in the Idea Studio, go to the Page Properties tab at the top, then to the Page Security icon across the top. Pick the application privilege you want to set on the page and apply it.

My problem with that solution is that any administrator within a realm can grant themselves this application privilege and access the page. Since this page is a wizard doing operation over all the realms, I want only a superUser to access it. In order to do that, I would need to be able to suppress an application privilege, which in my understanding is not possible.

Is there another way of restricting access to a page? Or maybe a way to limit the privileges an administrator can manage, through realm area filtering or another method?

Sorry, no. If a user has administrator rights, then you can't prevent him from administering. You can't prevent him from even adding new privileges.

Ok, that's good to know. Thank you for your help