New Member here, I tried several searches but could not find anyone else complaining of this problem. I am wondering if nobody has noticed it, or if it is unique to my situation.

My company is getting ready to migrate from BES 4.1.6 to BES 5.x. In researching this, I have put up BES Express 5.0.3 in a test environment to see if it is worth it for us to migrate to the free version of BES.

I was testing different security roles in BESX, and created an account for our Help Desk using the Senior Helpdesk Administrator role. While logged in under that test account, I went into Manager Users, and just as a fluke tried to delete the default Security Administrator account that was created when I installed BESX. Color me surprised when it let me delete the Security Administrator account while logged in as a lowly Senior Helpdesk Administrator.

Luckily I had previously made other Security Administrator accounts. I created a few other test Security Administrator accounts just to see if it was a one time thing, or if I was seeing things. Each time, I was able to delete the Security Administrator account using the Senior Helpdesk Administrator Account.

Has anyone else come across this before? It seems like a potentially huge security problem, and I have not been able to come up with a solution to protect the Security Admin accounts.

Any help/guidance you guys can provide is appreciated.

I'd also be interested in this. I've created a role with the minimum of rights, just to allow the helpdesk to create new users & do device activations. It looks like the delete user right allows the user to delete any account, including the admin accounts.

I suppose I could create a group that contains only the handset users, and does not contain the admin user(s), and give the helpdes role rights to only that group - but what happens if the helpdesk user deletes a user (which is in this group), then recreates them? The new user wouldn't be in the handset group, and thus helpdesk wouldn't have visibility of them, surely?

EDIT: Actually it looks like the Delete User right is universal, and can't be limited to groups. So your role can either delete ANY user it wants, or none at all.