Change in one user role permissions affects other users' role permissions

Plone 4.3.7 (4311), CMF 2.2.9, Zope 2.13.23 on Debian Linux.

This site has a group for users with manager role. Multiple users are in the manager role group.
When there is turnover in staff some people with manager role have left the department. Normally their users have been deleted without incident.
However one such user is now causing a problem, as follows:

A former staff member had a user that was a site manager.
When that staff member left the organization, their user was deleted.
Deleting that particular user caused the permissions of all other manager-role users and the original "site administrator" user to be changed.

Other manager-role users could no longer do most manager-role tasks such as add/edit/delete throughout the site. Exactly which permissions they lost I have not tested in detail. Suffice to say they lost essential manager permissions and could no longer function as manager role.

Restoring the deleted user (via a backup) fixed the problem.
AND, the same issue is caused by removing manager role from this user, even if the user is not deleted.

I am looking for any guidance on how to determine what was done with or by this user that caused this problem. I need to get this user back to a state where changing their role(s) or deleting them no longer affects other user roles/permissions.

Where would I look, and what am I looking for, that could cause something like this?
I am not familiar with the details of role and permission settings and customization behind the scenes; I have never needed to mess with that.
I do not see any way something like this could have been done from within the Plone UI - could it?

I suspect that something was accidentally done with roles and/or permissions via the ZMI. As a manager they would have access to the ZMI, BUT should not have done anything there. It would have been a mistake they did not know they were making.

Hello @JSCHINNERER,
A careful reading of the problem you encountered leads me to wonder about a possible change of name of the account that arrogates the initial administrator rights.
I should specify that I know Plone on Windows but very little on Linux. Nevertheless, it seems to me that, as a general rule, the functioning is very similar.

Is it not possible that a user with the manager role was able to swap the name of the initial administrator account with that of his manager account?

Do you have an initial backup from before you entrusted each handler with their connection settings?
If so, a restoration would allow you to check that.

In any case, it is imperative to make a backup, change all passwords, rename all manager accounts and the site administrator account, and act as if the account that seems to have all the powers were the original administrator account, to check whether everything goes well.

Then you will let us know.

I hope this will help you.

Thanks Adomy.
I don't know if a manager role can take over the full administrator account - can anyone else speak to that?
I would assume not, as that would seem to be a major security flaw, and Plone has always been quite solid in that regard.

And if this account had switched with the master admin - would that cause this problem when changing roles for the account or deleting it? From what I know of users and roles and permissions I don't think so - they are independent, changing roles/permissions for one user should not affect any other users as a general rule. If I am mistaken, anyone please explain how this might happen, as that is what I need to fix.

I don't have any older backups that I could restore so that is not an option.

The essential issue seems to be that somehow, this user - or its relations or interactions with other users - has been modified in some way so that changing its roles/permissions affects other users' permissions. In particular, managers.

So I am looking for any info on how that might have been done, and how I could un-do it.

If you are thinking there was evil intent by the person whose old account causes this problem, I am 99% sure that is not the case. That account never did any harm to the site when it could have. The person who used that account has been gone from the department for a long time now. The account was unused since they left, up until it was deleted and deleting it showed this problem.

I think it is most likely a mistake made by that person when they were a site manager, doing something they did not know enough about.

Hello @JSCHINNERER,
About these problem accounts, it is not a question of knowing whether the fault is intentional or accidental.
Normally, if there has not been a bug, the manager in question should not have been able, by his intervention on the Plone site, to have an impact on the original admin account.
Because in normal times, Zope safety prevents that.
Normally only another administrator account can do that.
Here is what I suggest to you. Logging in with the account you consider to be the original admin account, create another admin account in the Zope ZMI. Then log in with this account and downgrade (without deleting it) the manager account that poses a problem to no rights or manager role, and then observe what happens. If everything goes well, then delete the problematic account you had downgraded.
Observe what happens.
If things do not return to order, try this time to connect with the account that is problematic.

Then check whether or not you can create an admin account in the Zope ZMI while connected with this problematic account, which is not an administrator account under Zope.
Things may sometimes get lost between us because of the differences there can be between folders under Linux and folders under Windows. I hope, however, that we understand each other.
If I'm wrong, I hope someone will correct me.

Thanks, and I think I need to post a fresh request with a different title and a clearer description.
The problem is that changing the role on just that one account affects permissions for other accounts.
It does not matter what other user changes the role setting of the problematic user.
I have already tested it using my site admin login, another user login with manager role, and the root admin login (Plone instance admin login, which if viewing this specific Plone site, is affected in the same way).
I also created a new user via ZMI to test with, as you suggest above.
Same result in all cases.

So my question is, how do I troubleshoot and fix the fact that changing this one user's role affects other users' permissions?

Hello @JSCHINNERER,
In this case, would it mean that the security breach that permitted this is still in effect?

Have you applied all the security patches offered for this version of Plone 4?

It should be done, to be sure.

Good luck.