To replicate the issue:
- Create new role -> Internal -> viewAllUsersRole -> privileges
- Add privileges -> new Privilege -> viewAllUsers
- viewAllUsers can View is selected
- Click on managedUser -> mike
- Ensure mike has viewAllUsers as an authorisation role.
Added the runAsProperties block into authentication.json with one change:
Following request results in list of manageduser ids.
Follow request results in access denied: