In general, it is very hard to detect an improperly protected REST endpoint. Using least privilege principles could improve the control. Regarding the roles, how could someone create a new admin user? Having one and only one admin user with all access rights is a security vulnerability itself. If the same admin credentials are shared between several people/administrators, it will be almost impossible to detect which one was compromised.
In conclusion, my opinion is that:
1. Logging the endpoint accessibility is a must: e.g. DateTime: User [admin] with roles [admin] accessed createUser endpoint
2. Roles should be based on delegation of duties. "developer" or "simple" roles do not reflect any duties, and it's hard to guess their duties without reading the documentation. Of course, delegation of duties (e.g. having a UserManagement role and the ability to assign it) will make the role-based access management part of AeroGear Unified Push Server much more complex. However, this will spread the risk of having a single admin user with all rights.
On Tue, 2013-11-05 at 16:34 +0100, Sebastien Blanc wrote:
-admin : can do all the CRUD operations + creating/deleting users
The default user (admin/123) should have the "admin" role
Users created by the admin can have the role developer or simple
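The two points raised in the reply above (per-endpoint access logging, and roles named after duties that can be delegated instead of one all-powerful admin) as a small, added example. This is not AeroGear UnifiedPush code; the role names (UserManagement, AppManagement, Viewer), the permission strings and the endpoint functions are assumptions made for the illustration.

```python
"""Added example (not AeroGear UnifiedPush code): duty-based roles with
explicit permissions, a delegation rule for who may assign which role, and
an audit line for every endpoint call, including denied ones."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from functools import wraps

# Roles named after duties, each mapped to explicit permissions (assumed names).
ROLE_PERMISSIONS = {
    "admin": {"app.create", "app.read", "app.update", "app.delete",
              "user.create", "user.delete", "role.assign"},
    "UserManagement": {"user.create", "user.delete", "role.assign"},
    "AppManagement": {"app.create", "app.read", "app.update", "app.delete"},
    "Viewer": {"app.read"},
}

# Delegation of duties: which roles a holder of a given role may hand out.
# A UserManagement holder can create users but cannot mint new admins.
ASSIGNABLE_BY = {
    "admin": set(ROLE_PERMISSIONS),
    "UserManagement": {"AppManagement", "Viewer"},
}


@dataclass
class User:
    name: str
    roles: set = field(default_factory=set)

    def permissions(self):
        return set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in self.roles))


class AccessDenied(Exception):
    pass


AUDIT_LOG = []   # in-memory stand-in for the server's log sink
USERS = {}


def audit(user, endpoint, outcome):
    # One line per call in the format suggested above; denials are logged too,
    # so an endpoint reachable by the wrong role shows up in the log.
    AUDIT_LOG.append(
        f"{datetime.now(timezone.utc).isoformat()}: User [{user.name}] with roles "
        f"[{','.join(sorted(user.roles))}] {outcome} {endpoint} endpoint")


def requires(permission):
    """Endpoint guard: check a permission (not a role name) and log the outcome."""
    def decorator(fn):
        @wraps(fn)
        def wrapper(actor, *args, **kwargs):
            if permission not in actor.permissions():
                audit(actor, fn.__name__, "was DENIED on")
                raise AccessDenied(f"{actor.name} lacks {permission}")
            audit(actor, fn.__name__, "accessed")
            return fn(actor, *args, **kwargs)
        return wrapper
    return decorator


@requires("user.create")
def createUser(actor, name):
    USERS[name] = User(name)
    return USERS[name]


@requires("role.assign")
def assignRole(actor, target_name, role):
    # Delegation check: the actor may only grant roles its own roles allow it to delegate.
    allowed = set().union(*(ASSIGNABLE_BY.get(r, set()) for r in actor.roles))
    if role not in allowed:
        audit(actor, "assignRole", f"was DENIED delegating [{role}] on")
        raise AccessDenied(f"{actor.name} may not assign {role}")
    USERS[target_name].roles.add(role)
    return USERS[target_name]


def demo():
    """Constructed scenario: admin delegates user management to alice, who then
    manages users but cannot create another admin; a Viewer cannot create users."""
    AUDIT_LOG.clear()
    USERS.clear()
    admin = User("admin", {"admin"})
    USERS["admin"] = admin
    createUser(admin, "alice")
    assignRole(admin, "alice", "UserManagement")
    alice = USERS["alice"]
    createUser(alice, "bob")                 # alice's duty allows this
    assignRole(alice, "bob", "Viewer")
    for actor, args in ((alice, ("bob", "admin")), (USERS["bob"], ("carol",))):
        try:
            (assignRole if len(args) == 2 else createUser)(actor, *args)
        except AccessDenied:
            pass                             # denial is recorded in AUDIT_LOG
    return list(AUDIT_LOG)


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The guard checks a permission rather than a literal role name, so adding a new duty-based role is a table change, not a code change; the delegation table is what keeps a UserManagement holder from turning a fresh account into a second admin.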