Hi, I am developing an application using Backbone.js.



There will be an user with administrator privileges. This user needs to fetch, create delete and edit users and edit/delete information created by other users. Which is the best way to let this user have total access to all data, without using full access collections permission?



Thanks!

You can use entity-level permissions to add the superuser to the entities you want to make writable. See [here](http://devcenter.kinvey.com/guides/security#ReaderWriterLists).

Is there any solution not for each entity, but for the entire collection? If a superuser needs to create another superuser with same access level of the first one, all entities will have to be modified to make them writable for the second superuser?



Thanks!

Not yet - this is on our roadmap. One thing you could do right now is to create a preSave collection hook which adds the superuser to the ACL on every save.

Yes, that's what I thought. But adding a new superuser is really difficult yet, cause for this project the superuser must have write access to all users and many other data in other collections.



We will be waiting for this feature. Thanks.

Mark,



Other problem is that even if I add superuser as writer to the ACL for every user or set superuser as creator of this users I will not be able to fetch them without a equalTo query. So, I will not be able to create a list of users and let the superuser administrate this list (edit and remove users).

I am not sure whether I understand your last question. What would you use the `equalTo` for?



If you plan to have multiple superusers, you can also use [user groups](http://devcenter.kinvey.com/rest/guides/users#usergroups) to create an "admin" group, and add that to every entity. Then, you only have to add new superusers to the admin group and you'll be all set.

According to [this](http://devcenter.kinvey.com/backbone/guides/users#lookup "this"), to query users it is needed to query for exact matches of one of the predefined attributes. So, the superuser cannot fetch all users from users collection.



Another question: Is it possible that an user create another one while logged in?

To clarify User Discovery, as the docs aren't entirely clear - this is only applicable to private user collections. By default, the user collections permissions are shared, in which case you can just query as normal.



No, to create a new user you need to logout first. What is your use case?

Yes, I can fetch all users. Thanks.



About creating an user from logged as another, it was a requirement of my project that this superuser could create an user while logged in. Not everyone has permission to sign up. So, only the superuser would create users and grant access to them.



Maybe this is not the usual concept of developing, but this project is very specific to this company.

I see. I think you can use the following to create another user while logged in as superuser (the `state` flag is key here):



```

Kinvey.User.create({

username: ,

password:

}, { state: false });

```

Yes, it works! I appreciate very much your help.

Hi,



I am using

Kinvey.User.create({

  _acl : {

      groups : {

         w  : ["superuser_group_id"] 

      }

   },

  username: username,

  password: psw

}, { state: false })

to create users that grants to a superuser permission to edit/delete them. With these configurations, which is the best solution to a superuser disable/enable an user from frontend?



Can I use soft delete as shown [here](http://devcenter.kinvey.com/rest/guides/users#delete "here") or do I need always master secret to re-enable them?



Thanks very much!

A nicer way would be to lock the user down, see [here](http://devcenter.kinvey.com/rest/guides/users#lockdown). Either way, this will require the master secret.



You could create a custom endpoint which checks whether the user who invoked the endpoint is a super user and, if so, trigger the call to lock down.