[Reg cert] Admin should have permissions to manage certificates for an org

[anangaur]

Admins should have all the permissions for an org. Currently an admin does not have perm to manage an org's certificates.

[xavierdecoster]

@anangaur @skofman1 are you referring to site admins that should have permission to manage certificates for an org? Org admins should already have that permission.

Should site admins have permission to manage an account? Or only certificates?
In code, there's currently no distinction between these.

Depending on the answer to the above question, the solution will be different.

Code path that checks for permissions to manage certificates:

private bool CanManageCertificates(User currentUser, User account)
{
  var wasAADLoginOrMultiFactorAuthenticated = User.WasMultiFactorAuthenticated() || User.WasAzureActiveDirectoryAccountUsedForSignin();
  return wasAADLoginOrMultiFactorAuthenticated
    && ActionsRequiringPermissions.ManageAccount.CheckPermissions(currentUser, account) == PermissionsCheckResult.Allowed;
}

Current permissions requirement for ManageAccount:

/// <summary>
/// The action of managing a user or organization account. This includes confirming an account,
/// changing the email address, changing email subscriptions, modifying sign-in credentials, etc.
/// </summary>
public static ActionRequiringAccountPermissions ManageAccount =
    new ActionRequiringAccountPermissions(
        accountPermissionsRequirement: RequireOwnerOrOrganizationAdmin);

Proposed change, if site admins should have permission to manage an account:

/// <summary>
/// The action of managing a user or organization account. This includes confirming an account,
/// changing the email address, changing email subscriptions, modifying sign-in credentials, etc.
/// </summary>
public static ActionRequiringAccountPermissions ManageAccount =
    new ActionRequiringAccountPermissions(
        accountPermissionsRequirement: RequireOwnerOrSiteAdminOrOrganizationAdmin);

Proposed change if site admins should only have permission to manage an account's certificates:

private bool CanManageCertificates(User currentUser, User account)
{
  var wasAADLoginOrMultiFactorAuthenticated = User.WasMultiFactorAuthenticated() || User.WasAzureActiveDirectoryAccountUsedForSignin();
  return wasAADLoginOrMultiFactorAuthenticated
    && (currentUser.IsAdministrator || ActionsRequiringPermissions.ManageAccount.CheckPermissions(currentUser, account) == PermissionsCheckResult.Allowed);
}

[anangaur]

account would be better. I thought site admins could already manage the members of the org but not certs.

[scottbommarito]

Upon discussion with @joelverhagen @anangaur @chenriksson - this should no longer be needed. The driving force between this feature has been resolved by #6150.

[xavierdecoster]

@joelverhagen @scottbommarito does that mean this issue can be closed? :)

[anangaur]

Not required, for now.