We wanted to provide a brief overview of proper Magento administrator user rights management, in particular in light of the recent vulnerability warning Magento issued for its Magento Enterprise edition. (See our previous post about a Magento Enterprise Security Vulnerability.)
We want to share some guidelines to follow and hear from you what has worked well for you, as well as where you have run into challenges.
1. Don’t use users with generic names such as “Administrator”
Avoid usernames such as “admin”, “administrator” or “sales” that are easy to guess: they are the first thing a brute-force login attempt will try. Along the same line, usernames should be unique, so that a login can always be traced back to one person.
2. Create a unique user account for each user
Each person should have a separate login account. You may even want to create two accounts for the same person, one for administration and one for their day-to-day management role, if this applies. Every account should be filled in with the real first and last name of the person using it, so that you know who is behind a login.
3. Only keep active users ‘active’, disable past or inactive administrators
Continue to manage your administrator users actively. Just as you enable and create a new user account for each new team member or consultant, you should deactivate or delete the administrator account of anyone who no longer uses it or no longer works for you. A dormant account that nobody watches is an easy way in.
4. Create user roles that fit your actual roles
Don’t give every user Administrator access, i.e. access to everything. In fact, don’t hand out full administrator rights for routine work to anyone: set up admin accounts for the few people who need them from time to time, and set up limited accounts, with roles that match what each person actually does, for day-to-day use.
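As an added example (this is not code from the original post or from Magento), here is a small audit script that checks the four guidelines above against the admin tables. It assumes the Magento 1 schema for admin_user, admin_role and admin_rule (only the columns it uses), where role_type 'G' rows are groups, role_type 'U' rows tie a user to its parent group, and a rule with resource_id 'all' and permission 'allow' grants full administrator access. It runs here against a constructed in-memory SQLite copy with sample accounts; the queries are plain SQL that could be pointed at the store's own database. The list of generic names, the 90-day threshold and the sample users are all assumptions.

```python
import sqlite3
from datetime import datetime, timedelta

# Names an attacker would try first (constructed list; extend it for your store).
GENERIC_NAMES = ("admin", "administrator", "root", "sales", "test", "magento")
STALE_DAYS = 90
# Fixed "today" so the sample run is reproducible; use datetime.now() on a live store.
NOW = datetime(2012, 6, 1)


def build_sample_db():
    """Constructed in-memory stand-in for the Magento 1 admin tables (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE admin_user (
            user_id INTEGER PRIMARY KEY, username TEXT, firstname TEXT, lastname TEXT,
            email TEXT, is_active INTEGER, logdate TEXT);
        CREATE TABLE admin_role (
            role_id INTEGER PRIMARY KEY, parent_id INTEGER, role_type TEXT,
            user_id INTEGER, role_name TEXT);
        CREATE TABLE admin_rule (
            rule_id INTEGER PRIMARY KEY, role_id INTEGER, resource_id TEXT,
            role_type TEXT, permission TEXT);
    """)
    # Sample accounts (constructed): a generic "admin" with no last name, a named
    # catalog manager, a consultant who stopped logging in, a disabled ex-employee
    # and a shared "sales" login that has never been used.
    conn.executemany("INSERT INTO admin_user VALUES (?,?,?,?,?,?,?)", [
        (1, "admin",  "Admin", "",      "admin@example.com",   1, "2012-05-30 09:00:00"),
        (2, "jdoe",   "Jane",  "Doe",   "jdoe@example.com",    1, "2012-05-31 17:12:00"),
        (3, "bsmith", "Bob",   "Smith", "bob@consult.example", 1, "2011-12-01 08:00:00"),
        (4, "mlee",   "Mary",  "Lee",   "mlee@example.com",    0, "2012-01-10 10:00:00"),
        (5, "sales",  "Sales", "Team",  "sales@example.com",   1, None),
    ])
    # role_type 'G' = group role; 'U' = a user's membership in its parent group
    conn.executemany("INSERT INTO admin_role VALUES (?,?,?,?,?)", [
        (1, 0, "G", 0, "Administrators"),
        (2, 0, "G", 0, "Catalog Managers"),
        (3, 1, "U", 1, "Admin"), (4, 2, "U", 2, "Jane"),
        (5, 1, "U", 3, "Bob"),   (6, 1, "U", 4, "Mary"), (7, 1, "U", 5, "Sales"),
    ])
    # resource_id 'all' with permission 'allow' is full administrator access
    conn.executemany("INSERT INTO admin_rule VALUES (?,?,?,?,?)", [
        (1, 1, "all", "G", "allow"),
        (2, 2, "admin/catalog", "G", "allow"),
    ])
    return conn


def audit(conn, now=NOW, stale_days=STALE_DAYS):
    """Return the active accounts that violate each of the four guidelines."""
    cur = conn.cursor()
    # 1. guessable usernames on active accounts
    placeholders = ",".join("?" * len(GENERIC_NAMES))
    cur.execute(f"SELECT username FROM admin_user WHERE is_active=1 "
                f"AND lower(username) IN ({placeholders}) ORDER BY username", GENERIC_NAMES)
    generic = [r[0] for r in cur.fetchall()]
    # 2. accounts not tied to a named person (missing first or last name)
    cur.execute("SELECT username FROM admin_user WHERE is_active=1 AND "
                "(firstname IS NULL OR trim(firstname)='' OR lastname IS NULL OR trim(lastname)='') "
                "ORDER BY username")
    unnamed = [r[0] for r in cur.fetchall()]
    # 3. active accounts nobody has used recently, or ever: candidates to disable
    cutoff = (now - timedelta(days=stale_days)).strftime("%Y-%m-%d %H:%M:%S")
    cur.execute("SELECT username FROM admin_user WHERE is_active=1 AND "
                "(logdate IS NULL OR logdate < ?) ORDER BY username", (cutoff,))
    stale = [r[0] for r in cur.fetchall()]
    # 4. who holds full ('all') access through their group role
    cur.execute("""
        SELECT DISTINCT u.username FROM admin_user u
        JOIN admin_role ur ON ur.user_id = u.user_id AND ur.role_type = 'U'
        JOIN admin_rule rule ON rule.role_id = ur.parent_id
        WHERE u.is_active = 1 AND rule.resource_id = 'all' AND rule.permission = 'allow'
        ORDER BY u.username""")
    full_admins = [r[0] for r in cur.fetchall()]
    cur.execute("SELECT count(*) FROM admin_user WHERE is_active=1")
    active_total = cur.fetchone()[0]
    return {
        "generic_names": generic,
        "missing_real_name": unnamed,
        "stale_logins": stale,
        "full_admins": full_admins,
        "active_total": active_total,
        "everyone_is_admin": len(full_admins) == active_total,
    }


if __name__ == "__main__":
    for key, value in audit(build_sample_db()).items():
        print(f"{key}: {value}")
```

On the sample data the script flags “admin” and “sales” as generic names, “admin” as lacking a real name, “bsmith” and “sales” as stale, and three of the four active accounts as full administrators. Disabled accounts are skipped on purpose: the point is to find the live logins that still need attention.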
Please use the comments section below to share your experience with Magento administrator user rights management with us and ask questions.